clearing old GPO settings

  • Question

  • We have a fleet of laptops within our domain, and some of the GPO settings applied to them are causing VPN functionality issues. 
    We have created new GPOs which do not have the issue; however, when we move the laptops to the new OU it seems like the previous problematic GPO settings are cached and remain in play. If we deploy a new laptop in the new OU with the new GPOs we have no problems.

    I need to be able to clear out the old settings without removing the machine from the domain, or reimaging the laptops.

    I have tried this script with success on only one out of 4 laptops, perhaps someone can help me figure out what's missing or incorrect. I created this from info found all over the web.

    Any help is much appreciated!

    DEL /S /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
    REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
    REG DELETE HKLM\SOFTWARE\Policies\Microsoft /f
    REG DELETE HKLM\SOFTWARE\Policies\Microsoft /f
    REG DELETE "HKCU\Software\Microsoft\Windows\Currentversion\Group Policy Objects" /f
    REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
    DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
    Klist purge
    gpupdate /force
    gpupdate /force /boot
    gpupdate /boot

    I get some 'partial' errors when I run it:

    C:\Users\michsmit\Desktop>gpclear.bat

    C:\Users\michsmit\Desktop>DEL /S /F /Q "C:\ProgramData\Application Data\Microsof
    t\Group Policy\History\*.*"
    Deleted file - C:\ProgramData\Application Data\Microsoft\Group Policy\History\{0
    6941B5C-7B72-4690-BBCB-00B58A93DB96}\Machine\Preferences\Registry\Registry.xml
    Deleted file - C:\ProgramData\Application Data\Microsoft\Group Policy\History\{9
    61FFDE4-84B1-4F5D-8C66-F787823C1496}\Machine\Preferences\Groups\Groups.xml
    Deleted file - C:\ProgramData\Application Data\Microsoft\Group Policy\History\{C
    39202D9-A82F-43E4-8364-19F182F07FBE}\Machine\Preferences\Registry\Registry.xml

    C:\Users\michsmit\Desktop>REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVers
    ion\Policies /f
    The operation completed successfully.

    C:\Users\michsmit\Desktop>REG DELETE HKLM\SOFTWARE\Policies\Microsoft /f
    ERROR: Delete request is partially completed.

    C:\Users\michsmit\Desktop>REG DELETE HKLM\SOFTWARE\Policies\Microsoft /f
    ERROR: Delete request is partially completed.

    C:\Users\michsmit\Desktop>REG DELETE "HKCU\Software\Microsoft\Windows\Currentver
    sion\Group Policy Objects" /f
    ERROR: The system was unable to find the specified registry key or value.

    C:\Users\michsmit\Desktop>REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVers
    ion\Policies /f
    The operation completed successfully.

    C:\Users\michsmit\Desktop>DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb

    C:\Users\michsmit\Desktop>Klist purge

    Current LogonId is 0:0x9c423
            Deleting all tickets:
            Ticket(s) purged!

    C:\Users\michsmit\Desktop>gpupdate /force
    Updating Policy...

    User Policy update has completed successfully.
    Friday, October 16, 2015 2:00 PM
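
An added example, not part of the original post: a read-only PowerShell inventory of the registry keys, History folder and secedit.sdb that the script above deletes, so the state can be compared before and after a run and the subkeys left behind by a "partially completed" delete can be listed. The function name Get-PolicyResidue is hypothetical, and the script assumes an elevated prompt.

```powershell
# Added example (not from the thread): inventory only, nothing is deleted.
# Locations are the ones named in the question's gpclear.bat.
$registryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKLM:\SOFTWARE\Policies\Microsoft',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)
$historyDir = Join-Path $env:ProgramData 'Microsoft\Group Policy\History'
$seceditDb  = Join-Path $env:SystemRoot 'security\Database\secedit.sdb'

# Hypothetical helper: returns one object per location with what is still there.
function Get-PolicyResidue {
    foreach ($key in $registryKeys) {
        $subkeys = @()
        if (Test-Path -LiteralPath $key) {
            # Unreadable subkeys are skipped rather than aborting the listing.
            $subkeys = @(Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue |
                         ForEach-Object { $_.Name })
        }
        [pscustomobject]@{
            Location = $key
            Exists   = Test-Path -LiteralPath $key
            Children = $subkeys
        }
    }
    # Cached GPO folders are named by GPO GUID, as in the DEL output above.
    $guids = @()
    if (Test-Path -LiteralPath $historyDir) {
        $guids = @(Get-ChildItem -LiteralPath $historyDir -Directory |
                   ForEach-Object { $_.Name })
    }
    [pscustomobject]@{ Location = $historyDir; Exists = (Test-Path -LiteralPath $historyDir); Children = $guids }
    [pscustomobject]@{ Location = $seceditDb;  Exists = (Test-Path -LiteralPath $seceditDb);  Children = @() }
}

$snapshot = Get-PolicyResidue
$snapshot | Format-Table Location, Exists, @{ n = 'Count'; e = { $_.Children.Count } } -AutoSize | Out-Host

# List what remains under each location, e.g. after a partial REG DELETE.
foreach ($item in $snapshot | Where-Object { $_.Children.Count -gt 0 }) {
    Write-Output "`n$($item.Location)"
    $item.Children | ForEach-Object { Write-Output "    $_" }
}

# GPOs the computer currently receives, from the built-in tool.
gpresult /r /scope computer
```

Running it once before gpclear.bat and once after the final gpupdate shows which entries were never removed and which were written back by the policy refresh.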

Answers

  • Hi,

    Thank you for your reply.

    However, I am so sorry to tell you that you have to get out of the domain to clear cached domain GPO. When you are in the domain, you can only clear local GPO via the steps above and you cannot clean cached domain GPO. If you want to delete all the files in the folder manually, you will not be able to do so because you do not have the permission to modify the GPO which is being applied in the domain.

    Wish you have a nice day.

    Best Regards

    Simon  


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, October 21, 2015 9:47 AM
    Moderator

All replies

  • Hi,

    Based on my test, the script itself may have no problem; the reason which causes the script error is the GPO in the domain. If you are in the domain, the script will just clear the local cached GPO; it will not clean the domain GPO because you are still in the domain and the domain GPO will always be applied. I suggest you take the PC out of the domain first, then run your script as a test.

    Also, I have a common way to clear cached GPO; you can follow these steps.

    1. Take the PC out of the domain first. If you do not take the PC out of the domain, you can only clear the local cached GPO.

    2. Browse to "C:\ProgramData\Microsoft\Group Policy\History"

    3. Delete all of the contents under the History folder

    4. Open the command prompt and run "GPUpdate /force"

    5. Reboot the system

    Wish you have a nice day.

    Best Regards

    Simon  


    Tuesday, October 20, 2015 4:42 AM
    Moderator
  • Hi, if I remove it from the domain and do a gpupdate /force and reboot then it works no problem... but I need to be able to avoid removing the machine from the domain and still remove the domain GPO settings and refresh them.

    If I delete those folder contents on a domain-joined machine will that clear the domain gpo and refresh it?

    Tuesday, October 20, 2015 1:52 PM