Solved

Group Policy Clean up @ My Company

Posted on 2014-02-19
Last Modified: 2014-12-29
Good morning everyone.

I have been tasked with cleaning up the disaster that is my company's group policy..... I'm in need of some clarification...

Easy Example:
Control Panel/Personalization/Prevent Changing Screen Saver     ENABLED

So if I understand group policy correctly, since this setting is "flipped on" (I've read this also referred to as "tattooed") even though I choose "not configured", it will stay "flipped on" until it is "flipped off", correct?  So for me to clean this setting, I have to flip it to Disabled, let it sit for a while and then set it to "not configured".  Is that correct?

Now, I am working in a Group Policy environment that has existed since this company went to active directory a thousand years ago.... It has been used and abused.  I am thinking that there are probably settings all over the place that have been "flipped on" and never "flipped off".  The only way I can think to get around this is to clear the GPO policy on the client machines and force a GPO update..... I've taken a look around and found I can do either of the following:

Delete C:\WINDOWS\security\Database\secedit.sdb
gpupdate /force

or should I just delete

HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

then a gpupdate /force

Think I can add a script to their login .bat files that does this safely?


2nd Example:
Folder Redirection Downloads : Enabled

So even if I choose "not configured" now, it will still be "tattooed" on the computers that have run this policy.  I should flip it to disabled, let it sit, then flip to "not configured", correct?


One more question: if settings are set to "not configured", will they show up in the GPMC when I click the "Settings" tab?  (I'm thinking the answer is no...)

Thanks for your help!
Question by:vrmanrtell
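As an added example (not from the question or any of the answers): before deleting any of the four policy keys listed above, back them up and inventory every value under them, so that what is actually tattooed can be compared against the gpresult report of what current GPOs deliver. The backup folder under ProgramData is an assumed location; run it in the user's own session, elevated, on the client.

```powershell
# Added example, not from the original thread: back up and inventory the
# registry locations Group Policy writes to before any clean-up is attempted.
# Assumes an elevated session on a domain-joined client; the backup folder
# under ProgramData is an assumed location.
$PolicyKeys = @(
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$BackupDir = Join-Path $env:ProgramData "GpoCleanup\$Stamp"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$Inventory = foreach ($Key in $PolicyKeys) {
    if (-not (Test-Path -Path $Key)) { continue }
    # reg.exe expects HKCU\... rather than the PowerShell drive form HKCU:\...
    $RegPath = $Key -replace ':', ''
    $RegFile = Join-Path $BackupDir (($RegPath -replace '\\', '_') + '.reg')
    & reg.exe export $RegPath $RegFile /y | Out-Null

    # Walk the key itself plus every subkey and record each value, so the
    # full tattooed state is visible in one table
    $Nodes = @(Get-Item -Path $Key) +
             @(Get-ChildItem -Path $Key -Recurse -ErrorAction SilentlyContinue)
    foreach ($Node in $Nodes) {
        foreach ($Name in $Node.GetValueNames()) {
            [pscustomobject]@{
                Key   = $Node.Name
                Value = $Name
                Type  = $Node.GetValueKind($Name)
                Data  = ($Node.GetValue($Name) -join ' ')
            }
        }
    }
}
$Inventory | Export-Csv -Path (Join-Path $BackupDir 'policy-inventory.csv') -NoTypeInformation

# The RSoP report lists which GPO currently delivers each setting; a value in
# the inventory that no current GPO explains is a leftover from an old policy
& gpresult.exe /h (Join-Path $BackupDir 'rsop.html') /f | Out-Null

# Quick view of which keys hold the most values, to prioritise the review
$Inventory | Group-Object -Property Key | Sort-Object -Property Count -Descending |
    Select-Object -First 20 -Property Count, Name
```

The .reg files let a single key be restored with reg.exe import if a removal turns out to break something, which is the check to have in place before putting any deletion into a login script.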
3 Comments
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39872323
I'm going to lurk more than anything, but the first question I would have is what is the functional level of the domain. The second would be what OS is on the clients.
LVL 17

Assisted Solution

by:James Haywood
James Haywood earned 200 total points
ID: 39872716
Policies vs Preferences

Policies are usually defaulted to 'Not Configured' and can usually be enabled or disabled. To reverse the change the setting can be set back to not configured.

Preferences work in a similar manner to Policies but once 'enabled' are 'tattooed'. To reverse the change the setting will need to be 'disabled'. A good example of this is the map drive group policy preference on the user side. If you have configured a 'create a map drive' using the drive letter X then this will stay applied until you create a 'delete specific drive' setting to override the create.

If settings are set to not configured you are correct they will not show in GPMC.

Either of the settings above should clear the GPOs but you may well find they are linked to reg edits and/or batch files which would still be present.

Just to reiterate that a lot of older GPOs (since NT/2K) made heavy use of batch files and scripts to fill in the holes not covered natively by GP. These are the hardest to troubleshoot as it's much easier writing scripts than reading them.

To enable a clean-up you would be best (if possible) to create new OUs, put in a couple of test clients and create new GPOs for these OUs. This would allow you to test settings in a more controlled environment. You would also have to prevent inheritance to stop the domain level GPOs from flowing down.

If you have any sort of development rig then the best idea would be to take a copy of your current AD environment and you can work knowing that you aren't going to disrupt people's work.

Finally, GP is seriously powerful, so be careful if you do have to work in a live environment.
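An added example (not from the answer above) of the isolated test OU the answer recommends: it creates the OU, blocks inheritance, lists any enforced domain links that still flow through, links a fresh GPO and moves a test client in. OU, GPO and computer names are assumed; it needs the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin workstation.

```powershell
# Added example, not from the original thread: build an isolated test OU with
# inheritance blocked, link a scratch GPO and confirm what a test client gets.
# Assumes RSAT is installed and the account has rights to create OUs and GPOs.
# 'GPO-Cleanup-Test', 'Cleanup-Test-Baseline' and 'TESTPC01' are assumed names.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain  = (Get-ADDomain).DistinguishedName
$OuName  = 'GPO-Cleanup-Test'
$TestOU  = "OU=$OuName,$Domain"
$GpoName = 'Cleanup-Test-Baseline'

# Create the OU and protect it so a slip in ADUC cannot delete it later
New-ADOrganizationalUnit -Name $OuName -Path $Domain -ProtectedFromAccidentalDeletion $true

# Block inheritance so domain-level GPOs stop flowing into the OU. Enforced
# links ignore the block, so list them rather than assume the OU is clean.
Set-GPInheritance -Target $TestOU -IsBlocked Yes | Out-Null
$Enforced = (Get-GPInheritance -Target $TestOU).InheritedGpoLinks |
    Where-Object { $_.Enforced }
if ($Enforced) {
    Write-Warning "These enforced links still apply to $TestOU :"
    $Enforced | Select-Object -Property DisplayName, Target | Format-Table -AutoSize
}

# Create a fresh GPO for the OU and link it, so every setting applied to the
# test clients is one you added yourself and can read in the GPO report
New-GPO -Name $GpoName -Comment 'Scratch GPO for group policy clean-up testing' | Out-Null
New-GPLink -Name $GpoName -Target $TestOU -LinkEnabled Yes | Out-Null

# Move the test client into the OU and check the result from both sides:
# the GPO report shows what was defined, gpresult shows what the client got
Get-ADComputer -Identity 'TESTPC01' | Move-ADObject -TargetPath $TestOU
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"
gpresult.exe /s TESTPC01 /scope computer /r
```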
LVL 35

Accepted Solution

by:
Nirmal Sharma earned 200 total points
ID: 39873106
You have three questions and these are answered below:

1. Delete Secedit.sdb or not?
No need to delete this file unless you have configured user rights assignment and Security Options found in GPO under Computer Configuration.

If you need to delete this then follow the approach below:
a. Copy Secedit.sdb from a computer which is not joined to the domain or on which GPO policies have not been applied yet.
b. Use the Security Configuration and Analysis MMC snap-in > open Secedit.sdb > export the configuration and reapply the exported configuration using secedit.exe.

2. Should I delete below registry entries or not?

HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

Yes, this is where registry GPO settings are applied. This is only applicable to the computer account. You must also delete the same set of keys from the user hive.

3. So even if I choose "not configured" now, it will still be "tattooed" on the computers that have run this policy.  I should flip it to disabled, let it sit, then flip to "not configured", correct?

Yes. This is the best way to do it so far!

Sys.
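An added example (not from the accepted solution) of the secedit.exe side of point 1: instead of deleting secedit.sdb by hand, it backs up the current database and settings, analyzes the client against a clean template, then rebuilds the database from that template and lets Group Policy re-apply only what current GPOs define. It assumes clean-baseline.inf was already exported on an unjoined machine with secedit /export /cfg and copied into C:\GpoCleanup (assumed path), and that it runs from an elevated prompt.

```powershell
# Added example, not from the original thread: rebuild the local security
# database from a clean template rather than deleting secedit.sdb outright.
# Assumes an elevated prompt; C:\GpoCleanup is an assumed working folder and
# clean-baseline.inf must already have been produced on a clean machine with:
#   secedit.exe /export /cfg C:\GpoCleanup\clean-baseline.inf
$Work     = 'C:\GpoCleanup'
$Baseline = Join-Path $Work 'clean-baseline.inf'
$Db       = Join-Path $env:windir 'security\database\secedit.sdb'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
if (-not (Test-Path -Path $Baseline)) {
    throw "Clean template $Baseline not found; export it on an unjoined machine first."
}

# Step 1: keep the live database and a readable export of its settings so the
# change can be reversed if a user right or security option turns out to matter
Copy-Item -Path $Db -Destination (Join-Path $Work 'secedit.sdb.bak') -Force
secedit.exe /export /cfg (Join-Path $Work 'before.inf') /quiet

# Step 2: analyze the client against the clean template without changing it;
# every 'Mismatch' line in the log is a setting some GPO (old or current) left
secedit.exe /analyze /db (Join-Path $Work 'analysis.sdb') /cfg $Baseline `
    /log (Join-Path $Work 'analyze.log') /quiet
Select-String -Path (Join-Path $Work 'analyze.log') -Pattern 'Mismatch' |
    Select-Object -ExpandProperty Line

# Step 3: only after the mismatch list has been reviewed, overwrite the live
# database with the clean template. /overwrite empties the database first so
# nothing from the old GPOs survives; /quiet suppresses the confirmation prompt.
secedit.exe /configure /db $Db /cfg $Baseline /overwrite `
    /log (Join-Path $Work 'configure.log') /quiet

# Step 4: Group Policy now re-applies only what the current GPOs define
gpupdate.exe /force
```

Re-running the analyze step after gpupdate shows which mismatches came back, and those are the ones a current GPO still delivers rather than leftovers.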