Solved

AD Group Policy issue reverse best practise

Posted on 2015-02-15
12
44 Views
Last Modified: 2015-02-26
we have 2008 ad running and connected with windows xp very few pcs , windows 7 and 8 on the client Pcs . I have notice that some issues like restart/shutdown option not available in the win 7 start menu level .
we have few changes in the default policy level in DC/domain . how can I check the applied policies in the AD level and the client end to go back to the AD default policy ,

I hope recommended way is to crate the new policies and keep the original or the default ones as it is .
0
Comment
Question by:cur
  • 5
  • 4
12 Comments
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40611712
I usually use gpresult /r (you'll need to use gpresult /v on the XP machines) along with RSoP.msc to check what Group Policies and settings are applying.

Run both of these commands in an elevated Command Prompt window when you are logged in as the user so you can see what computer-level GPOs are applying as well.
0
 

Author Comment

by:cur
ID: 40611744
thanks I will check that way . I have realized that some times above result will not show anything block from the policy level . but reality is my pc's CD rom got block and still the deny access
I have remove the pc membership affect the same and working . it seems be in AD policy will not removing after policy remove  . Anything we can do for that
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
ID: 40611791
That generally happens when somebody has implemented a non-standard setting, either through registry entries or some sort of custom ADM file.

You can look at deleting the below keys from the registry on your machine to clear out any orphaned Group Policy settings. Make sure you take a backup of these registry keys before deleting them:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Key
HKEY_CURRENT_USER\Software\Policies\Microsoft
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

Open in new window

0
 

Author Comment

by:cur
ID: 40611819
thanks for your information . Is there any way we can rollback the AD policies back to the original . I can remember some kind of template to apply  ?  there are some standard template in win 2003 . how about in 2008 r2 AD
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 500 total points
ID: 40611827
You can use the dcgpofix command to reset the Default Domain Policy and Default Domain Controllers Policy back to their default settings. These are the only two policies that come shipped with Windows by default.

More information on this command can be found here: https://technet.microsoft.com/en-us/library/hh875588.aspx

You'll then need to browse through each OU in the Group Policy Management Console and either unlink or delete the GPO from applying, with the exception of the Default Domain Policy at the root of the domain and Default Domain Controllers Policy in the Domain Controllers OU.
0
 

Author Comment

by:cur
ID: 40611830
is there any best tool I can used to monitor any changes to AD will written to log or email to the next reporting  level  . with the AD I would like to have something in the windows auditing or third party tool . I hope theses tools or audit report will not affecting the AD performance
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40611895
This is more suited for a separate question on EE to be honest, as this will give other experts the chance to have their input. The more opinions, the better I say!
0
 

Author Comment

by:cur
ID: 40613885
I hope this will come under the same category . Can any one give us any reference in to this
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40613943
Well your original question was how to check which Group Policies were applying in your environment.

You would now like suggestions for AD auditing tools which is completely different from your original question.

I will use the Request attention feature to get some input from a moderator so we can then decide what should be done next as I believe I have answered your original question.
0

Join & Write a Comment

I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now