GPO Understanding

I was curious as to why you would want to rollback a GPO?

(I am student trying to understand and GPO's are a tough one for me.)
Brandon McLeodAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Are you referring to this?

If so, the main reason would be to undo changes that were made in the newer version of the GPO by reverting to an earlier version (as opposed to undoing those changes manually).

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Rolling back a GPO would usually be done because the new version of the GPO has introduced a problem into your environment. To understand why you would roll back a GPO I would recommend you read into what a GPO is. In quick summary, a GPO is a policy stored in Active Directory that enforces settings on Windows clients. The policies apply to either users, computers, or both. GPO's are key to Active Directory computer/user management, so I would recommend investing time reading about them and practising them in a lab.

2 Real world examples I have come across in recent months where you would want to roll back a GPO. I've glossed over the details and kept it brief because otherwise you could write hundred's of pages on these scenarios.

1. Busted IE settings...

The desktop platform owner at one of my clients with around 80,000 desktop machines rolled out a new version of a GPO with some updated IE preference settings. They had not correctly set up the GPO or tested it. The outcome, all clients lost Internet connectivity, browser customisations (home page, proxy settings, etc.). In this case the solution was 2 fold.

  1. Roll back the GPO.
  2. Re-mediate the GPO settings which had been tattooed and could not be removed with a simple GPO roll back.

2. Firewall SNAFU...

At a client with a large server fleet of around 10,000 Windows servers, a junior engineer requested a GPO be linked to the wrong OU. This turned on a GPO with new Windows Firewall rules that over rode the existing firewall rules. The GPO was linked for around 20 minutes and during this time 1,000 servers updated their GPO cache and applied the new GPO. This caused those servers to become un-contactable inbound or outbound and caused outages across hundred's of applications and/or services across the company including overnight batch operations. The client was in finance so the batch failures were critical. The solution was to unlink the GPO and wait for the servers to refresh their GPO cache again (90 minutes + random time between 0 and 30 minutes).

Rolling back a GPO can mean many things. If you're using AGPM, you would be talking about pushing out the previous version of the GPO. If you're not using AGPM you could be talking about editing the GPO live or unlinking the current version and re-linking the older version. For clarity, AGPM is a product you from Microsoft as part of MDOP (Microsoft Desktop Optimisation Pack) in your EA (enterprise agreement).
Both answers are relevant and contain useful information.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.