Solved
Group Policy Clean up @ My Company

Posted on 2014-02-19
Last Modified: 2014-12-29
Good morning everyone.

I have been tasked with cleaning up the disaster that is my company's group policy..... I'm in need of some clarification...

Easy Example:
Control Panel/Personalization/Prevent Changing Screen Saver     ENABLED

So if I understand Group Policy correctly, since this setting is "flipped on" (I've read this also referred to as "tattooed"), even though I choose "not configured", it will stay "flipped on" until it is "flipped off", correct? So for me to clean this setting, I have to flip it to Disabled, let it sit for a while, and then set it to "not configured". Is that correct?

Now, I am working in a Group Policy environment that has existed since this company went to active directory a thousand years ago.... It has been used and abused.  I am thinking that there are probably settings all over the place that have been "flipped on" and never "flipped off".  The only way I can think to get around this is to clear the GPO policy on the client machines and force a GPO update..... I've taken a look around and found I can do either of the following:

Delete C:\WINDOWS\security\Database\secedit.sdb
gpupdate /force

or should i just delete

HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

then a gpupdate /force

Think I can add a script to their login .bat files that does this safely?


2nd Example:
Folder Redirection Downloads : Enabled

So even if I choose "not configured" now, it will still be "tattooed" on the computers that have run this policy. I should flip it to Disabled, let it sit, then flip to "not configured", correct?


One more question: if settings are set to "not configured", will they show up in the GPMC when I click the "Settings" tab? (I'm thinking the answer is no...)

Thanks for your help!
Question by:vrmanrtell
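An added example for the registry part of the question (this is editor-supplied code, not the poster's script): it clears the four policy keys listed above on a single test client, but exports each key with reg.exe first so the change can be reversed with `reg import`, then runs gpupdate so that anything a linked GPO still defines comes straight back. Only settings that no GPO sets any more stay cleared, which is exactly what distinguishes a tattooed leftover from a live policy. Two caveats worth having before putting anything like this in a login script: the HKLM keys can only be deleted by an administrator, and a login .bat runs as the logged-on user, so it can at most touch that user's HKCU branch. The backup folder name is arbitrary.

```powershell
# Added example, not from the original post: reset tattooed registry-based
# policy on ONE test client, keeping a backup so the change can be reversed.
# Assumptions: elevated PowerShell on the client; the HKCU branch is only
# cleared for the user running the script; backup folder name is arbitrary.
#Requires -RunAsAdministrator

$BackupDir = Join-Path $env:SystemDrive "GPOCleanupBackup\$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# The four locations the Group Policy registry client-side extension writes to.
$PolicyKeys = @(
    'HKLM\SOFTWARE\Policies',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU\Software\Policies',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
)

foreach ($key in $PolicyKeys) {
    $regFile = Join-Path $BackupDir (($key -replace '[\\:]', '_') + '.reg')

    # 1. Export first. reg.exe returns non-zero if the key does not exist,
    #    in which case there is nothing to clear.
    & reg.exe export $key $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Skipping $key (not present or not exportable)"
        continue
    }

    # 2. Remove only the CONTENTS (subkeys and values); the parent key itself
    #    is left in place and repopulated by the next policy refresh.
    $psPath = $key -replace '^(HKLM|HKCU)\\', '$1:\'
    Get-ChildItem -Path $psPath -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force
    $valueNames = @((Get-Item -Path $psPath -ErrorAction SilentlyContinue).Property)
    foreach ($name in $valueNames) {
        Remove-ItemProperty -Path $psPath -Name $name -Force
    }

    Write-Host "Cleared $key (backup: $regFile)"
}

# 3. Re-pull everything that is still defined in linked GPOs. Settings that
#    no GPO sets any more are the ones that stay cleared.
& gpupdate.exe /force | Out-Null

# 4. Record the resulting set of applied policy so a before/after comparison
#    shows which "tattooed" values were actually still being enforced.
$rsopReport = Join-Path $BackupDir 'after.html'
& gpresult.exe /h $rsopReport /f | Out-Null
Write-Host "Post-refresh RSoP report: $rsopReport"
```

To roll back a client, run `reg import` on the .reg files in the backup folder (elevated for the HKLM ones) and refresh policy again. Note that these keys hold registry-based Administrative Template settings only; user rights assignments and the other Security Settings items live in the secedit database and are not touched by this script.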
3 Comments
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39872323
I'm going to lurk more than anything, but the first question I would have is what the functional level of the domain is. The second would be what OS is on the clients.
LVL 17

Assisted Solution

by: James Haywood (earned 800 total points)
ID: 39872716
Policies vs Preferences

Policies are usually defaulted to 'Not Configured' and can usually be enabled or disabled. To reverse the change the setting can be set back to not configured.

Preferences work in a similar manner to Policies but once 'enabled' are 'tattooed'. To reverse the change the setting will need to be 'disabled'. A good example of this is the map drive Group Policy Preference on the user side. If you have configured a 'create a mapped drive' using the drive letter X, then this will stay applied until you create a 'delete specific drive' setting to override the create.

If settings are set to not configured you are correct they will not show in GPMC.

Either of the settings above should clear the GPOs but you may well find they are linked to reg edits and/or batch files which would still be present.

Just to reiterate that a lot of older GPOs (since NT/2K) made heavy use of batch files and scripts to fill in the holes not covered natively by GP. These are the hardest to troubleshoot as it's much easier writing scripts than reading them.

To enable a clean-up you would be best (if possible) to create new OUs, put in a couple of test clients and create new GPOs for these OUs. This would allow you to test settings in a more controlled environment. You would also have to prevent inheritance to stop the domain level GPOs from flowing down.

If you have any sort of development rig then the best idea would be to take a copy of your current AD environment and you can work knowing that you aren't going to disrupt peoples work.

Finally, GP is seriously powerful and be careful if you do have to work in a live environment.
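An added example to go with this answer (editor-supplied, not the answerer's code): before retiring anything, inventory every GPO from the GPMC report data so the unlinked and empty ones surface first, and so the GPOs that carry Preference extensions (the ones that tattoo) are listed separately from plain policy. It then creates the isolated test OU with inheritance blocked that the answer recommends. It assumes the RSAT GroupPolicy and ActiveDirectory modules; the extension display names matched ('Drive Maps', 'Files', 'Shortcuts', 'Scheduled Tasks', 'Local Users and Groups') are the names GPMC uses in its XML report, and the OU name 'GPO-Cleanup-Test' is a placeholder.

```powershell
# Added example, not from the original answer: inventory all GPOs so the
# unlinked/empty ones can be retired first, flag the ones carrying
# Preferences (which tattoo), and set up an isolated test OU.
# Assumes RSAT GroupPolicy + ActiveDirectory modules. 'GPO-Cleanup-Test'
# and the preference extension names are assumptions/placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoInventory {
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        # LinksTo is absent when nothing links the GPO; filter the $null out
        # so .Count is 0 rather than 1.
        $links = @($report.GPO.LinksTo | Where-Object { $_ })

        # ExtensionData/Name is the client-side extension display name,
        # e.g. 'Registry', 'Security', 'Folder Redirection', 'Drive Maps'.
        $computerCse = @($report.GPO.Computer.ExtensionData | ForEach-Object Name)
        $userCse     = @($report.GPO.User.ExtensionData     | ForEach-Object Name)

        [pscustomobject]@{
            Name         = $gpo.DisplayName
            Status       = $gpo.GpoStatus            # e.g. AllSettingsEnabled
            Modified     = $gpo.ModificationTime
            LinkCount    = $links.Count
            EnabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' }).Count
            ComputerCse  = ($computerCse -join ', ')
            UserCse      = ($userCse -join ', ')
            IsEmpty      = (($computerCse.Count + $userCse.Count) -eq 0)
        }
    }
}

$inventory = Get-GpoInventory

# Retirement candidates: nothing links them, or they define no settings at all.
$inventory | Where-Object { $_.LinkCount -eq 0 -or $_.IsEmpty } |
    Sort-Object Modified |
    Format-Table Name, Status, LinkCount, IsEmpty, Modified -AutoSize

# Preference extensions are the ones that tattoo; list every GPO carrying one.
$preferenceNames = 'Drive Maps|Files|Shortcuts|Scheduled Tasks|Local Users and Groups'
$inventory | Where-Object { ($_.ComputerCse + ' ' + $_.UserCse) -match $preferenceNames } |
    Format-Table Name, ComputerCse, UserCse -Wrap

# Isolated test OU with inheritance blocked, so domain-level GPOs do not
# flow down onto the test clients moved into it.
$domainDn = (Get-ADDomain).DistinguishedName
$testOu = New-ADOrganizationalUnit -Name 'GPO-Cleanup-Test' -Path $domainDn `
            -ProtectedFromAccidentalDeletion $false -PassThru
Set-GPInheritance -Target $testOu.DistinguishedName -IsBlocked Yes | Out-Null
Write-Host "Test OU ready: $($testOu.DistinguishedName) (inheritance blocked)"
```

Blocking inheritance does not stop GPOs linked with Enforced (No Override), so check the EnabledLinks column and the NoOverride flag on domain-level links before assuming the test OU is clean. The extension columns also answer the "Settings tab" question in practice: a GPO whose sections are all "Not Configured" shows up here with empty ComputerCse/UserCse.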
LVL 35

Accepted Solution

by: Nirmal Sharma (earned 800 total points)
ID: 39873106
You have three questions and these are answered below:

1. Delete Secedit.sdb or not?
No need to delete this file unless you have configured user rights assignment and Security Options found in GPO under Computer Configuration.

If you need to delete this then follow below approach:
a. Copy secedit.sdb from a computer which is not joined to the domain or to which GPO policies have not been applied yet.
b. Use the Security and Configuration Analyzer MMC > open secedit.sdb > export the configuration and reapply the exported configuration using secedit.exe.

2. Should I delete below registry entries or not?

HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

Yes, this is where registry GPO settings are applied. This is only applicable to the computer account. You must also delete the same set of keys from the user hive.

3. So even if I choose "not configured" now, it will still be "tattooed" on the computers that have ran this policy.  I should flip it to disabled, let it sit, then flip to "not configured" correct?

Yes. This is the best way to do it so far!

Sys.
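An added example for point 1 of this answer (editor-supplied, not the answerer's procedure): rather than copying secedit.sdb around, export the effective local security policy with secedit.exe on a client and on a clean reference machine, then diff the [Privilege Rights] section. A right that is granted on the client but not on the reference, and is no longer set by any linked GPO, is a tattooed user rights assignment; the reference .inf can then be applied back with `secedit /configure`. It must run elevated; the reference file path is a placeholder, and the reference is assumed to have been exported the same way on an unjoined or freshly built box.

```powershell
# Added example, not from the original answer: export the local security
# policy with secedit.exe, parse [Privilege Rights], and compare against a
# reference export from a clean machine. Run elevated. The reference path
# is a placeholder.
#Requires -RunAsAdministrator

function Export-LocalSecurityPolicy {
    param([Parameter(Mandatory)][string]$Path)
    # secedit writes a UTF-16 .inf; /areas limits it to what we compare.
    & secedit.exe /export /cfg $Path /areas SECURITYPOLICY USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit $LASTEXITCODE)" }
    return $Path
}

function Get-PrivilegeRights {
    # Parses lines such as:  SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
    param([Parameter(Mandatory)][string]$Path)
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $rights[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return $rights
}

function Compare-PrivilegeRights {
    param([hashtable]$Reference, [hashtable]$Current)
    $allPrivs = @($Reference.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($priv in $allPrivs) {
        $ref = @($Reference[$priv]); $cur = @($Current[$priv])
        $extra   = @($cur | Where-Object { $_ -notin $ref })   # granted only here: suspect tattoo
        $missing = @($ref | Where-Object { $_ -notin $cur })
        if ($extra.Count -or $missing.Count) {
            [pscustomobject]@{
                Privilege   = $priv
                ExtraHere   = ($extra -join ',')
                MissingHere = ($missing -join ',')
            }
        }
    }
}

$currentInf   = Export-LocalSecurityPolicy -Path (Join-Path $env:TEMP 'current.inf')
$referenceInf = '\\fileserver\share\reference.inf'   # placeholder: exported the same way on a clean box

$current   = Get-PrivilegeRights -Path $currentInf
$reference = Get-PrivilegeRights -Path $referenceInf
Compare-PrivilegeRights -Reference $reference -Current $current | Format-Table -AutoSize

# To revert the client, apply the reference template to a fresh database:
#   secedit.exe /configure /db "$env:TEMP\clean.sdb" /cfg $referenceInf /overwrite /areas USER_RIGHTS
```

Principals appear as SIDs prefixed with `*`, so well-known groups compare cleanly across machines while domain accounts will show as domain SIDs; resolve those with `(New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount])` when reading the output. The same export can be extended with `REGKEYS` and `FILESTORE` areas if registry and file-system ACLs were ever pushed by GPO.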