GPO Understanding

I was curious as to why you would want to roll back a GPO?

(I am a student trying to understand, and GPOs are a tough one for me.)
Brandon McLeod asked:

DrDave242 commented:
Are you referring to this?

If so, the main reason would be to undo changes that were made in the newer version of the GPO by reverting to an earlier version (as opposed to undoing those changes manually).
Learnctx (Engineer) commented:
Rolling back a GPO would usually be done because the new version of the GPO has introduced a problem into your environment. To understand why you would roll back a GPO I would recommend you read into what a GPO is. In quick summary, a GPO is a policy stored in Active Directory that enforces settings on Windows clients. The policies apply to either users, computers, or both. GPOs are key to Active Directory computer/user management, so I would recommend investing time reading about them and practising them in a lab.

2 real-world examples I have come across in recent months where you would want to roll back a GPO. I've glossed over the details and kept it brief because otherwise you could write hundreds of pages on these scenarios.

1. Busted IE settings...

The desktop platform owner at one of my clients with around 80,000 desktop machines rolled out a new version of a GPO with some updated IE preference settings. They had not correctly set up the GPO or tested it. The outcome: all clients lost Internet connectivity and browser customisations (home page, proxy settings, etc.). In this case the solution was two-fold.

  1. Roll back the GPO.
  2. Remediate the GPO settings which had been tattooed and could not be removed with a simple GPO rollback.

2. Firewall SNAFU...

At a client with a large server fleet of around 10,000 Windows servers, a junior engineer requested a GPO be linked to the wrong OU. This turned on a GPO with new Windows Firewall rules that overrode the existing firewall rules. The GPO was linked for around 20 minutes and during this time 1,000 servers updated their GPO cache and applied the new GPO. This caused those servers to become uncontactable inbound or outbound and caused outages across hundreds of applications and/or services across the company, including overnight batch operations. The client was in finance so the batch failures were critical. The solution was to unlink the GPO and wait for the servers to refresh their GPO cache again (90 minutes + random time between 0 and 30 minutes).

Rolling back a GPO can mean many things. If you're using AGPM, you would be talking about pushing out the previous version of the GPO. If you're not using AGPM you could be talking about editing the GPO live or unlinking the current version and re-linking the older version. For clarity, AGPM is a product you get from Microsoft as part of MDOP (Microsoft Desktop Optimisation Pack) in your EA (enterprise agreement).
Both answers are relevant and contain useful information.
Question has a verified solution.
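
An added example, not part of the original answers: one way to do the non-AGPM rollback described above with the GroupPolicy PowerShell module, covering both the "restore the earlier version" case and the "linked to the wrong OU" case. The GPO name, backup path, OU and function names are constructed placeholders.

```powershell
#Requires -Modules GroupPolicy
# Constructed placeholders (assumptions, not values from the thread).
$GpoName    = 'Workstation-IE-Settings'
$BackupPath = 'C:\GPOBackups'
$TargetOu   = 'OU=Workstations,DC=example,DC=com'

function Save-GpoBeforeChange {
    # Run BEFORE editing: keeps a restorable copy plus an XML report
    # of the known-good settings for later comparison.
    param([string]$Name, [string]$Path)
    $backup = Backup-GPO -Name $Name -Path $Path `
        -Comment "Pre-change $(Get-Date -Format s)"
    Get-GPOReport -Name $Name -ReportType Xml `
        -Path (Join-Path $Path "$Name-$($backup.Id).xml")
    return $backup.Id          # backup ID needed for the restore
}

function Undo-GpoChange {
    param(
        [string]$Name, [string]$Path, [guid]$BackupId, [string]$Target,
        [switch]$LinkWasTheMistake   # GPO is fine, it was linked to the wrong OU
    )
    if ($LinkWasTheMistake) {
        # Firewall scenario: remove the link; clients drop the settings
        # at their next policy refresh.
        Remove-GPLink -Name $Name -Target $Target | Out-Null
        return
    }
    # Bad-edit scenario: stop further clients picking up the change,
    # restore the earlier version, then re-enable the link.
    Set-GPLink -Name $Name -Target $Target -LinkEnabled No  | Out-Null
    Restore-GPO -BackupId $BackupId -Path $Path             | Out-Null
    Set-GPLink -Name $Name -Target $Target -LinkEnabled Yes | Out-Null
    # Tattooed preference settings are NOT reverted by the restore and
    # still need separate remediation.
    Get-GPO -Name $Name | Select-Object DisplayName, ModificationTime
}

# Usage (run on a management host with rights over the GPO):
#   $id = Save-GpoBeforeChange -Name $GpoName -Path $BackupPath
#   ... change goes wrong ...
#   Undo-GpoChange -Name $GpoName -Path $BackupPath -BackupId $id -Target $TargetOu
#   Undo-GpoChange -Name $GpoName -Target $TargetOu -LinkWasTheMistake
```

Clients only see the rollback at their next policy refresh; `Invoke-GPUpdate` can shorten that wait, but only for machines that still accept inbound management traffic.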
