Settings cannot be changed after GPO is removed

    Question

  • Hello,

    I have noticed over the past couple years that when we change or remove group policies based on changes in our environment, the settings on our computers change and still give that fun message stating "Some settings are managed by your system administrator" and will not allow you to modify them.  I have tried multiple things while searching forums about this, including applying a new GPO to hopefully overwrite the old one; deleting registry keys which are supposed to remove the old policies; removing the machine from the domain, then running gpupdate /force, and rejoining; and others I cannot think of off the top of my head.  In the end, the settings remain the same and remain unchangeable.  The only way I have found to get rid of these settings is to wipe the machine and reinstall Windows.  Two examples of settings I am talking about:

    1) We had a GPO which pushed out SSIDs to our laptops.  At some point, we made changes to the SSIDs that we use, and changed the GPO accordingly.  The new SSIDs were pushed out, but the old ones remain and still do not allow for removing them manually on the computer - even though the old policy no longer even exists.  So users who have been around long enough to remember the old ones still get confused and sometimes try connecting to these because they auto-populate in the list even though they are not an actual broadcast SSID anymore.

    2)  Similar story as above, but with power settings.  Things like changing the behavior of pressing the power button, closing the lid on laptops, timeouts for turning off the screen and putting the computer to sleep.  We have found the need to change these settings for some users/computers, but when we remove the old GPO and apply a new GPO to overwrite these settings, they do not take effect.  Also, they cannot be changed manually if the old GPO is removed and no new GPO is applied.

    Has anybody else run into this issue, and found a way around it other than re-imaging?  Preferably it also does not involve removing the machine from the domain and rejoining... as a couple machines in our organization that have fallen victim to this are servers.  Any help would be greatly appreciated!

    Friday, July 15, 2016 9:04 PM

Answers

  • Hi,
    Please have a try as below:
    1. After the machine is disjoined from the DC (Domain Controller), log in using the local (machine) administrator account.
    2. Go to Start>Run, type 'cmd' (without the quotes) and press Enter.
    3. Type 'gpupdate /force /boot' and press Enter.
    4. Once it's complete, reboot. The old group policy is gone.
    Basically, how this works is that, since it gets no policy when you run the command, it applies an empty policy, which effectively removes the stuck policy once and for all.
    If you run into problems, run 'gpresult /H GPReport.html'. If you see the DC or evidence that it pulled a policy, separate your computer from the network that's running on the DC, and plug the machine into a separate network.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 29, 2016 1:52 AM
    Moderator

All replies

  • Hi; have you tried the following steps?  They are taken verbatim from:  https://social.technet.microsoft.com/Forums/en-US/2a733a00-97e4-40c7-bf44-62427eb26324/removing-old-gpo-settings?forum=ieitprocurrentver  

    Please run following commands to reset GPO: 

    RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
    RD /S /Q "%WinDir%\System32\GroupPolicy"
    gpupdate /force

    If the issue persists, please try to delete all group policy registry keys.
    1. Click “Start”, type “regedit.exe” (without quotation marks) into “Start Search” box and press Enter.
    2. Locate the following key:
     
    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft]
     
    Right click on "Microsoft", click "Export"; please name the file as "RegBackup" (without quotation marks) and then save it to the C:\ drive as a backup. 
     
    Note: In case we need to undo the modification, we can double click this RegBackup.reg file to restore the registry key.
    3. Highlight Microsoft and click "Delete".
    4. Please repeat the above steps for the following registry keys.
     
    [HKEY_CURRENT_USER\Software\Policies\Microsoft]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
    Note: if some keys do not exist, please ignore them.

    5. Exit the Registry Editor.


    Best Regards, Todd Heron | Active Directory Consultant

    Saturday, July 16, 2016 12:42 AM
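
An added example, not part of the original thread or any poster's own script: a PowerShell sketch that exports each registry key listed in the post above to a .reg backup and reports what is still present in those keys and in the two GroupPolicy folders, without deleting anything. The backup directory `C:\GpoBackup` and all variable names are assumptions.

```powershell
# Added example: backup and read-only inventory of the locations named in the post above.
# Run from an elevated prompt. $BackupDir is an assumed path, not one from the thread.
$BackupDir = 'C:\GpoBackup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$PolicyKeys = @(
    'HKLM\Software\Policies\Microsoft',
    'HKCU\Software\Policies\Microsoft',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
)

$keyReport = foreach ($key in $PolicyKeys) {
    $psPath = $key -replace '^(HK\w+)\\', '$1:\'   # HKLM\... -> HKLM:\...
    if (-not (Test-Path -LiteralPath $psPath)) {
        [pscustomobject]@{ Key = $key; Exists = $false; Subkeys = 0; Values = 0; Backup = '' }
        continue
    }
    # Export before any change so the key can be restored by importing the .reg file.
    $file = Join-Path $BackupDir (($key -replace '[\\ ]', '_') + '.reg')
    & reg.exe export $key $file /y | Out-Null
    $exported = ($LASTEXITCODE -eq 0)
    $items = @(Get-Item -LiteralPath $psPath) +
             @(Get-ChildItem -LiteralPath $psPath -Recurse -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Key     = $key
        Exists  = $true
        Subkeys = $items.Count - 1
        Values  = ($items | Measure-Object -Property ValueCount -Sum).Sum
        Backup  = if ($exported) { $file } else { 'export failed' }
    }
}

# The local policy folders removed by the RD commands above (hidden, hence -Force).
$folderReport = foreach ($dir in 'GroupPolicy', 'GroupPolicyUsers') {
    $path = Join-Path $env:WinDir "System32\$dir"
    $files = @(Get-ChildItem -LiteralPath $path -Recurse -Force -File -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Path = $path; Exists = (Test-Path -LiteralPath $path); Files = $files.Count }
}

$keyReport    | Format-Table -AutoSize
$folderReport | Format-Table -AutoSize
```

Running it before and after a cleanup attempt shows which keys and files actually changed, and the exported .reg files serve the same role as the RegBackup file described in the post.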
  • Hi,
    In addition, please have a try as below to see if it works:
    1. Drop the PC from the domain and make it stand alone
    2. Delete the secedit database: C:\WINDOWS\security\Database\secedit.sdb
    3. Reboot
    4. Rejoin to your domain
    5. Run GPUpdate /force command
    Regards,
    Wendy

    Monday, July 18, 2016 6:00 AM
    Moderator
  • Unfortunately, neither of these worked.

    For Todd's suggestion, I found another post that suggested deleting these same keys, which I tried before posting here... I tried them again, and it was still unsuccessful.  I was not able to completely delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft, it threw an error stating there was a problem (of course it did not say what the problem was though).  It deleted all but two keys underneath it:  "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows" and "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender."

    For Wendy's suggestion, I went through all the steps and rejoined the domain.  The settings are still greyed out and I am not able to change them.

    Thursday, July 21, 2016 3:06 PM
  • Hi,
    If you deleted the GPO from one DC and you have more than one domain controller in your environment, maybe there are some replication issues in the domain. Please take a look from the side.
    Regards,
    Wendy

    Tuesday, July 26, 2016 4:41 AM
    Moderator
  • We have three domain controllers, and based on my testing there is no issue with replication.  If I make a change (in AD Users and Groups, or Group Policy, etc.) on one, I can go to the other two and see the change reflected pretty much immediately.  I do not believe this is a problem with the domain controllers or Group Policy, as the settings I no longer wish to have are still present even when the computer is removed from the domain.  Also, they do not get applied to newly imaged computers that are joined to the domain.  It seems more of a Windows issue to me - I am just trying to figure out what I need to do to "unlock" these settings.  There have to be registry settings or something that are making the computer think it still has these old policies, but where?
    Tuesday, July 26, 2016 7:13 PM