how to find local group policy

    Question

  • Hello 

    I am Active Directory admin.

    Just wanted to know if there is a way to find out only the local group policy applied to a client machine. I don't want domain-pushed GP.

    Thanks


    NA

    Thursday, October 6, 2016 9:18 PM

Answers

  • Hi,
     
    On 06.10.2016 at 23:18, Masthanomatic wrote:
    > just wanted to know if there is a way to find out only the local group
    > policy applied to client machine. I don't want domain-pushed GP
     
    Collect c:\Windows\system32\GroupPolicy from every machine and do a
    "secedit /export" from them as well.
     
    Use Get-GPRegistryValue to read registry settings inside the collected
    registry.pol file and write it into a CSV.
     
    CSV and INF can be imported to Excel and you can create a file for every
    machine.
     
    Or just simply delete all local policies and simply ignore them. No one
    needs them, because they are individual per machine ... as a Domain
    Admin, you do not want that.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, October 7, 2016 10:46 AM
  • Hi,

    > just wanted to know if there is a way to find out only the local group policy applied to client machine. I don't want domain-pushed GP

    Based on my experience, if the client machine is a member of a domain, it cannot apply only local group policy; it will apply the default domain policy at least.

    If you just want to see the applied local group policy, you could log on as local administrator and run gpresult /h gpreport.html.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 10, 2016 6:02 AM
    Moderator

All replies

  • Have you tried GPResult? Is that sufficient?

    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA


    This posting is provided AS IS with no warranties, and confers no rights.

    Sunday, October 9, 2016 8:38 PM
  • Hi,

    Are there any updates?

    Best Regards,

    Jay



    Monday, October 17, 2016 2:29 AM
    Moderator
  • Hello

    Let me elaborate on the issue.

    We have pushed an OU-level policy to set the home page in IE via Group Policy Preference, so that users can modify the and select their home page.

    However, there are lots of users for whom disable home page is enabled on the local machine, which is overwriting the OU-level GPP.

    Can anyone tell me if there is a way to remove this local home page policy, so that all the users get the OU-level GPP?

    Thanks


    NA

    Thursday, October 27, 2016 7:50 PM
  • Hi,
     
    On 27.10.2016 at 21:50, Masthanomatic wrote:
    > Can anyone tell me is there a way to remove this local home page
    > policy, so that all the users get the OU level GPP
     
    Do not bother about removing a single setting, remove the complete set.
    Delete all content in c:\windows\system32\grouppolicy
    on all machines and run a gpupdate /force
     
    2-line computer startup script ;-)
     
    No one needs the local AdmTemplate settings when in a domain.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, October 28, 2016 7:15 AM
  • > However there are lots of users for whom disable home page is enabled in the local machine

    Set that (User) setting = Disabled, in the Domain GPO?

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Friday, October 28, 2016 7:54 AM
  • Hello Mark,

    Thanks for the reply.

    When I go to c:\windows\system32\grouppolicyusers there is no setting available.

    However, when running gpresult /r, Local Group Policy is applied in both User and Computer Configuration.

    Please advise


    NA

    Friday, October 28, 2016 2:32 PM
  • Hi,
     
    On 28.10.2016 at 16:32, Masthanomatic wrote:
    > when I go to c:\windows\system32\grouppolicyusers there is no setting
    > available
     
    Proxy can be blocked on machine level as well.
    That's why I said, get rid of all these f****ing local ADM settings.
     
    Also, it does not need to come from LGPO, probably the RegSetting was
    directly set by *.reg, by imaging of a domain client, by script, by
    software deployment, by ...
     
    Delete all
    HKCU and HKLM\
    Software\Policies
    Software\Microsoft\Windows\CurrentVersion\Policies in Registry
    delete content of C:\Windows\System32\GroupPolicy
    and run a gpupdate /force, to only write .\Policies that come from a domain
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, October 28, 2016 3:23 PM
  • Hello 

    Now how can I do it for 1000 plus users, please can you suggest any script for this.

    I definitely agree to delete all the local GPO, but the IT manager would not agree.

    So if I want to delete one local setting, how to identify that. How

    Thanks for the help

    Thanks


    NA

    Friday, October 28, 2016 3:54 PM
  • Hi,
     
    On 28.10.2016 at 17:54, Masthanomatic wrote:
    > Now how can I do it for 1000 plus users, please can you suggest any
    > script for this.
     
    "delete" in a Batch to delete local "registry.pol" and "reg.exe delete"
    are not rocket science?
     
    > I definitely agree to delete all the local GPO, but the IT manager
    > would not agree.
     
    Oh, cool. Easy solution: move your problem from level 1 to level 2 or 3
    in Helpdesk, then it's his own problem.
     
    > so if I want to delete one local setting, how to identify that.
     
    You CAN NOT(!) delete a single policy setting that comes from a LGPO
    inside a registry.pol file in an easy way. LGPO was never meant to be
    scripted. It was always meant to be clicked.
     
    To edit the LOCAL registry.pol file, there is a VB possibility.
    The PowerShell cmdlets can only edit Domain GPOs.
     
    Best solution from my point of view:
    a) delete LGPO, that's a simple batch, just delete two folders and an .ini
    just because you can not EDIT inside the registry.pol file easily by script
     
    b) If this does not lead into a solution, because the RegValue wasn't
    written by LGPO, then create scripts with "reg.exe delete", run them
    after logging in of a user as a task in SYSTEM context.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, October 28, 2016 5:29 PM
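
Added example, not part of the thread and not any poster's own script: a small Python parser for collected registry.pol files that lists every local policy setting and writes it to CSV, which covers the inventory step from the first answer and the question of how to identify a single local setting. The sample bytes are constructed, and the Internet Explorer key and value names in them are assumptions.

```python
import csv, io, struct

def parse_registry_pol(blob):
    """Parse a PReg v1 file into (key, value, type, data) tuples."""
    if blob[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("missing PReg version 1 header")
    pos, rows = 8, []
    def take(n):
        nonlocal pos
        chunk = blob[pos:pos + n]
        if len(chunk) != n:
            raise ValueError(f"truncated record at offset {pos}")
        pos += n
        return chunk
    def wstr():  # NUL-terminated UTF-16LE string
        return b"".join(iter(lambda: take(2), b"\x00\x00")).decode("utf-16-le")
    def sep(ch):  # the [ ; ] delimiters are UTF-16LE characters as well
        if take(2) != ch.encode("utf-16-le"):
            raise ValueError(f"expected {ch!r} before offset {pos}")

    while pos < len(blob):  # each record is [key;value;type;size;data]
        sep("["); key = wstr(); sep(";"); value = wstr(); sep(";")
        rtype = struct.unpack("<I", take(4))[0]; sep(";")
        size = struct.unpack("<I", take(4))[0]; sep(";")
        data = take(size); sep("]")
        if rtype == 4 and size == 4:        # REG_DWORD
            shown = str(struct.unpack("<I", data)[0])
        elif rtype in (1, 2):               # REG_SZ / REG_EXPAND_SZ
            shown = data.decode("utf-16-le").rstrip("\x00")
        else:                               # anything else: keep raw bytes as hex
            shown = data.hex()
        rows.append((key, value, rtype, shown))
    return rows

def to_csv(machine, rows):
    buf = io.StringIO()
    out = csv.writer(buf, lineterminator="\n")
    out.writerow(["machine", "key", "value", "type", "data"])
    out.writerows([machine, *r] for r in rows)
    return buf.getvalue()

def record(key, value, rtype, data):  # builds one record for the constructed sample
    u = lambda s: s.encode("utf-16-le")
    return (u(f"[{key}\0;{value}\0;") + struct.pack("<I", rtype) + u(";")
            + struct.pack("<I", len(data)) + u(";") + data + u("]"))

# Constructed sample (not from a real machine); key and value names are assumptions.
IE = r"Software\Policies\Microsoft\Internet Explorer"
SAMPLE = (b"PReg" + struct.pack("<I", 1)
          + record(IE + r"\Control Panel", "HomePage", 4, struct.pack("<I", 1))
          + record(IE + r"\Main", "Start Page", 1, "about:blank\0".encode("utf-16-le")))
```

Feed it the bytes of each collected `Machine\registry.pol` and `User\registry.pol`, then filter the CSV on the key path of the setting in question to see which machines carry it locally.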