Group Policy Clean up @ My Company

Good morning everyone.

I have been tasked with cleaning up the disaster that is my company's group policy..... I'm in need of some clarification...

Easy Example:
Control Panel/Personalization/Prevent Changing Screen Saver     ENABLED

So if I understand group policy correctly, since this setting is "flipped on" (I've read this also referred to as "tattooed"), even though I choose "not configured", it will stay "flipped on" until it is "flipped off", correct? So for me to clean this setting, I have to flip it to Disabled, let it sit for a while and then set it to "not configured". Is that correct?

Now, I am working in a Group Policy environment that has existed since this company went to active directory a thousand years ago.... It has been used and abused.  I am thinking that there are probably settings all over the place that have been "flipped on" and never "flipped off".  The only way I can think to get around this is to clear the GPO policy on the client machines and force a GPO update..... I've taken a look around and found I can do either of the following:

Delete C:\WINDOWS\security\Database\secedit.sdb
gpupdate /force

or should I just delete

HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

then a gpupdate /force

Think I can add a script to their login .bat files that does this safely?


2nd Example:
Folder Redirection Downloads : Enabled

So even if I choose "not configured" now, it will still be "tattooed" on the computers that have run this policy. I should flip it to disabled, let it sit, then flip to "not configured", correct?


One more question: if settings are set to "not configured", will they show up in the GPMC when I click the "Settings" tab? (I'm thinking the answer is no...)

Thanks for your help!
vrmanrtell asked:
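The question above proposes deleting the four registry policy roots and running gpupdate /force, possibly from a login .bat. The following PowerShell script is an added example (not code from the asker or from any of the answers) that does the same clean-up in a controlled way: it first lists every value under those keys so you can see what is actually tattooed, exports each key to a .reg backup, and only removes the keys when run with -Clear (which also honours -WhatIf). The backup folder path and the -Clear switch name are assumptions for the example.

```powershell
# Added example: inventory, back up, and optionally clear the registry policy keys
# named in the question, then refresh policy. Run elevated, on a test client first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Where the .reg backups go (assumed path; change to suit).
    [string]$BackupDir = "C:\GPOCleanup\$(Get-Date -Format 'yyyyMMdd-HHmmss')",
    # Without -Clear the script only reports and backs up.
    [switch]$Clear
)

# The four registry-policy roots from the question (reg.exe style names).
$PolicyKeys = @(
    'HKCU\Software\Policies',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKLM\SOFTWARE\Policies',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($key in $PolicyKeys) {
    # Convert the reg.exe name into a PowerShell provider path (HKCU:\ / HKLM:\).
    $psPath = $key -replace '^HKCU\\', 'HKCU:\' -replace '^HKLM\\', 'HKLM:\'
    if (-not (Test-Path $psPath)) {
        Write-Host "[skip] $key does not exist"
        continue
    }

    # 1. Inventory: every value under the key (root key included), so you can see
    #    what has been written there before touching anything. Compare against
    #    the Settings tab in GPMC or a gpresult /h report.
    Write-Host "=== $key ==="
    $items = @(Get-Item -Path $psPath) +
             @(Get-ChildItem -Path $psPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        foreach ($name in $item.GetValueNames()) {
            '{0}  {1} = {2}' -f $item.Name, $name, $item.GetValue($name)
        }
    }

    # 2. Backup: reg.exe export writes a .reg file that can be re-imported to restore.
    $file = Join-Path $BackupDir (($key -replace '[\\:]', '_') + '.reg')
    & reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg export of $key failed; stopping before any deletion"
    }
    Write-Host "[backup] $key -> $file"

    # 3. Clear: only with -Clear, and skipped under -WhatIf. The next policy refresh
    #    rewrites only what the GPOs currently configure.
    if ($Clear -and $PSCmdlet.ShouldProcess($key, 'Remove policy key')) {
        Remove-Item -Path $psPath -Recurse -Force
        Write-Host "[cleared] $key"
    }
}

if ($Clear) {
    # /force reapplies all settings even when the GPO version has not changed.
    & gpupdate.exe /force
}
```

Two caveats worth checking in the inventory output before using -Clear. The HKLM ...\CurrentVersion\Policies tree (for example its System subkey, which holds the UAC settings) contains values that are not written only by Group Policy, so removing the whole tree resets more than GPO state. And deleting the HKLM keys needs administrative rights, which a user's login .bat normally does not have; a computer startup script, which runs as SYSTEM, is the usual place for machine-side clean-up, while the HKCU keys belong to whichever user the script runs as.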
Nirmal Sharma (Solution Architect) commented:
You have three questions and these are answered below:

1. Delete Secedit.sdb or not?
No need to delete this file unless you have configured user rights assignment and Security Options found in GPO under Computer Configuration.

If you need to delete this then follow below approach:
a. Copy Secedit.sdb from a computer which is not joined to the domain or to which GPO policies have not been applied yet.
b. Use the Security Configuration and Analysis MMC snap-in > open Secedit.sdb > export the configuration and reapply the exported configuration using secedit.exe.

2. Should I delete below registry entries or not?

HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

Yes, this is where registry GPO settings are applied. This is only applicable for the computer account. You must also delete the same set of keys from the User hive.

3. So even if I choose "not configured" now, it will still be "tattooed" on the computers that have run this policy. I should flip it to disabled, let it sit, then flip to "not configured", correct?

Yes. This is the best way to do it so far!

Sys.
Aaron Tomosky (SD-WAN Simplified) commented:
I'm going to lurk more than anything, but the first question I would have is what is the functional level of the domain. The second would be what OS is on the clients.
James Haywood commented:
Policies vs Preferences

Policies are usually defaulted to 'Not Configured' and can usually be enabled or disabled. To reverse the change the setting can be set back to not configured.

Preferences work in a similar manner to Policies but once 'enabled' are 'tattooed'. To reverse the change the setting will need to be 'disabled'. A good example of this is the mapped drive group policy preference on the user side. If you have configured a 'create a mapped drive' using the drive letter X then this will stay applied until you create a 'delete specific drive' setting to override the create.

If settings are set to not configured you are correct they will not show in GPMC.

Either of the settings above should clear the GPOs but you may well find they are linked to reg edits and/or batch files which would still be present.

Just to reiterate that a lot of older GPOs (since NT/2K) made heavy use of batch files and scripts to fill in the holes not covered natively by GP. These are the hardest to troubleshoot as it's much easier writing scripts than reading them.

To enable a clean-up you would be best (if possible) to create new OUs, put in a couple of test clients and create new GPOs for these OUs. This would allow you to test settings in a more controlled environment. You would also have to prevent inheritance to stop the domain level GPOs from flowing down.

If you have any sort of development rig then the best idea would be to take a copy of your current AD environment, and you can work knowing that you aren't going to disrupt people's work.

Finally, GP is seriously powerful, so be careful if you do have to work in a live environment.
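The answer above recommends a new OU with inheritance blocked, a couple of test clients and fresh GPOs, and notes that the GPMC Settings tab shows only configured settings. This PowerShell script is an added example (not the answerer's code) of setting that up with the RSAT ActiveDirectory and GroupPolicy modules, and of exporting an HTML report of every existing GPO so the old settings can be read before they are touched. The OU name, GPO name, report folder and test computer name are assumptions for the example.

```powershell
# Added example: isolated test OU with blocked inheritance, a fresh GPO linked only
# there, and HTML reports of all existing GPOs. Needs RSAT and rights to create
# OUs and GPOs. Names below are assumed for the example.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN   = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example (derived)
$TestOUName = 'GPO-Cleanup-Test'                 # assumed OU name
$TestOUDN   = "OU=$TestOUName,$DomainDN"
$TestGPO    = 'Cleanup-Test-Baseline'            # assumed GPO name
$ReportDir  = 'C:\GPOCleanup\Reports'            # assumed report folder

# 1. Test OU that does not receive domain-level GPOs. Blocking inheritance does
#    not stop Enforced links; step 3 shows whether any still reach the OU.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$TestOUName'" `
                -SearchBase $DomainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $TestOUName -Path $DomainDN `
        -ProtectedFromAccidentalDeletion $true
}
Set-GPInheritance -Target $TestOUDN -IsBlocked Yes | Out-Null

# 2. A fresh GPO linked only to the test OU, so settings can be tried in isolation.
if (-not (Get-GPO -Name $TestGPO -ErrorAction SilentlyContinue)) {
    New-GPO -Name $TestGPO -Comment 'Test GPO for policy clean-up' | Out-Null
    New-GPLink -Name $TestGPO -Target $TestOUDN -LinkEnabled Yes | Out-Null
}
# Move a test client into the OU, for example (TESTPC01 is a placeholder):
#   Move-ADObject -Identity (Get-ADComputer 'TESTPC01').DistinguishedName -TargetPath $TestOUDN

# 3. What still applies to the OU after blocking (Enforced domain links appear here).
Write-Host "GPOs still applying to ${TestOUDN}:"
(Get-GPInheritance -Target $TestOUDN).InheritedGpoLinks |
    Select-Object DisplayName, Enforced, Enabled, Order | Format-Table -AutoSize

# 4. One HTML report per existing GPO. Like the GPMC Settings tab, a report lists
#    only configured settings, so these files are the inventory of what each GPO
#    has been writing to clients and therefore of what may be tattooed.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$allGpos = Get-GPO -All
foreach ($gpo in $allGpos) {
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $ReportDir "$safeName.html")
}
Write-Host "Wrote $($allGpos.Count) GPO reports to $ReportDir"
```

Review the reports before editing anything: a setting that appears as Enabled in an old GPO is exactly the kind that may stay tattooed on clients after the GPO is set back to Not Configured, and the report is the only record of it once the GPO is changed.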