Group Policy Clean up @ My Company

Posted on 2014-02-19
Medium Priority
Last Modified: 2014-12-29
Good morning everyone.

I have been tasked with cleaning up the disaster that is my company's group policy..... I'm in need of some clarification...

Easy Example:
Control Panel/Personalization/Prevent Changing Screen Saver     ENABLED

So if I understand group policy correctly, since this setting is "flipped on" (I've read this also referred to as "tattooed") even though I choose "not configured", it will stay "flipped on" until it is "flipped off", correct?  So for me to clean this setting, I have to flip it to Disabled, let it sit for a while and then set it to "not configured".  Is that correct?

Now, I am working in a Group Policy environment that has existed since this company went to active directory a thousand years ago.... It has been used and abused.  I am thinking that there are probably settings all over the place that have been "flipped on" and never "flipped off".  The only way I can think to get around this is to clear the GPO policy on the client machines and force a GPO update..... I've taken a look around and found I can do either of the following:

Delete C:\WINDOWS\security\Database\secedit.sdb
GPupdate /force

or should I just delete



then a gpupdate /force

Think I can add a script to their login .bat files that does this safely?

2nd Example:
Folder Redirection Downloads : Enabled

So even if I choose "not configured" now, it will still be "tattooed" on the computers that have run this policy.  I should flip it to disabled, let it sit, then flip to "not configured", correct?

One more question: if settings are set to "not configured", will they show up in the GPMC when I click the "Settings" tab?  (I'm thinking the answer is no...)

Thanks for your help!
Question by:vrmanrtell
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39872323
I'm going to lurk more than anything, but the first question I would have is what is the functional level of the domain. The second would be what OS is on the clients.
LVL 17

Assisted Solution

by:James Haywood
James Haywood earned 800 total points
ID: 39872716
Policies vs Preferences

Policies are usually defaulted to 'Not Configured' and can usually be enabled or disabled. To reverse the change the setting can be set back to not configured.

Preferences work in a similar manner to Policies but once 'enabled' are 'tattooed'. To reverse the change the setting will need to be 'disabled'. A good example of this is the map drive group policy preference on the user side. If you have configured a 'create a map drive' using the drive letter X then this will stay applied until you create a 'delete specific drive' setting to override the create.

If settings are set to not configured you are correct they will not show in GPMC.

Either of the settings above should clear the GPOs but you may well find they are linked to reg edits and/or batch files which would still be present.

Just to reiterate that a lot of older GPOs (since NT/2K) made heavy use of batch files and scripts to fill in the holes not covered natively by GP. These are the hardest to troubleshoot as it's much easier writing scripts than reading them.

To enable a clean-up you would be best (if possible) to create new OUs, put in a couple of test clients and create new GPOs for these OUs. This would allow you to test settings in a more controlled environment. You would also have to prevent inheritance to stop the domain level GPOs from flowing down.

If you have any sort of development rig then the best idea would be to take a copy of your current AD environment and you can work knowing that you aren't going to disrupt people's work.

Finally, GP is seriously powerful, so be careful if you do have to work in a live environment.
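The isolated test-OU setup James describes above, scripted as an added example (not his code and not from the thread). It assumes the RSAT ActiveDirectory and GroupPolicy modules and domain-admin rights; the OU name, GPO name and computer names are made up:

```powershell
# Added example: carve out a test OU with inheritance blocked, link one fresh
# GPO to it, and move a couple of test computers in (names below are assumed).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn   = (Get-ADDomain).DistinguishedName
$testOuName = 'GPO-Cleanup-Test'              # assumed OU name
$testOuDn   = "OU=$testOuName,$domainDn"
$testPcs    = 'TESTPC01', 'TESTPC02'          # assumed computer names
$gpoName    = 'Test-Baseline'                 # assumed GPO name

# 1. Create the OU if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$testOuName'" -SearchBase $domainDn
if (-not $ou) {
    New-ADOrganizationalUnit -Name $testOuName -Path $domainDn -ProtectedFromAccidentalDeletion $false
}

# 2. Block inheritance so the domain-level GPOs stop flowing down into it.
Set-GPInheritance -Target $testOuDn -IsBlocked Yes | Out-Null

# 3. Create one new, empty GPO and link it only to the test OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Clean-room policy for GP cleanup testing'
}
New-GPLink -Name $gpo.DisplayName -Target $testOuDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 4. Move the test computers into the OU.
foreach ($pc in $testPcs) {
    $comp = Get-ADComputer -Identity $pc
    Move-ADObject -Identity $comp.DistinguishedName -TargetPath $testOuDn
}

# 5. Show what now applies to the OU: only the test link should be listed.
Get-GPInheritance -Target $testOuDn |
    Format-List Path, GpoInheritanceBlocked, GpoLinks, InheritedGpoLinks
```

Blocking inheritance does not stop GPOs linked higher up with Enforced, so check InheritedGpoLinks in the last command before treating the OU as clean; clients also need a restart or gpupdate before the move takes effect.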
LVL 35

Accepted Solution

Nirmal Sharma earned 800 total points
ID: 39873106
You have three questions and these are answered below:

1. Delete Secedit.sdb or not?
No need to delete this file unless you have configured user rights assignment and Security Options found in GPO under Computer Configuration.

If you need to delete this then follow below approach:
a. Copy Secedit.sdb from a computer which is not joined to the domain or to which GPO policies have not been applied yet.
b. Use Security and configuration analyzer mmc > open Secedit.sdb > export the configuration and reapply exported configuration using secedit.exe.

2. Should I delete below registry entries or not?



Yes, this is where registry GPO settings are applied. This is only applicable for the computer account. You must also delete the same set of keys from the user hive.

3. So even if I choose "not configured" now, it will still be "tattooed" on the computers that have run this policy.  I should flip it to disabled, let it sit, then flip to "not configured", correct?

Yes. This is the best way to do it so far!
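Before deleting anything, it helps to see what is actually sitting in the policy registry roots. The following is an added example, not code from the thread: a read-only snapshot of the four registry roots where Administrative Template values are written (standard locations assumed from Microsoft documentation; the thread itself shows no paths). The policy engine rewrites these roots on each refresh, so a value that survives gpupdate /force after its GPO went to Not Configured was put there by something else (a script, a preference item or a hand edit), which is the tattoo this thread is about:

```powershell
# Added example: inventory policy registry values so a before/after diff
# around 'gpupdate /force' shows which ones the policy engine actually cleans.
# Read-only. Run elevated for HKLM, and as the user whose HKCU you want to see.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\SOFTWARE\Policies',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-PolicyRegistryValues {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # The root key itself plus every subkey beneath it.
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $displayName = if ($name -eq '') { '(Default)' } else { $name }
                [pscustomobject]@{
                    Key   = $key.Name
                    Name  = $displayName
                    Type  = $key.GetValueKind($name)
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

# Snapshot before the cleanup and keep it on disk for comparison.
$before = Get-PolicyRegistryValues -Roots $policyRoots
$before | Export-Csv -Path "$env:TEMP\policy-before.csv" -NoTypeInformation
"Policy values found: $($before.Count)"

# The thread's easy example, "Prevent changing screen saver", writes
# NoDispScrSavPage under HKCU ...\Policies\System (mapping from my own notes,
# not from the thread). A lingering 1 after the GPO is Not Configured and a
# forced refresh means the policy engine never owned that value.
$scrSav = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                           -Name NoDispScrSavPage -ErrorAction SilentlyContinue
"NoDispScrSavPage present: $($null -ne $scrSav); value: $($scrSav.NoDispScrSavPage)"

# After 'gpupdate /force', snapshot again and diff: '<=' rows existed only
# before (cleaned by the policy engine), '=>' rows appeared only afterwards.
# $after = Get-PolicyRegistryValues -Roots $policyRoots
# Compare-Object $before $after -Property Key, Name, Value
```

Values outside these four roots (for example ones written by the login .bat files James mentions) are not touched by this refresh cycle at all, so a clean diff here does not prove a clean machine.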

