LAPS - GPO Removal

    Question

  • If a workstation\server received the GPO to configure local admin management, what happens on the workstation\server that is no longer in scope of the policy?

    The workstation I am testing with has been moved to another OU which does not have the LAPS GPO linked to it.  But after a reboot of the workstation, RSOP still shows the policy being applied.

    Thoughts?

    Thanks

    Paul


    Paul Glickenhaus

    Thursday, January 5, 2017 9:37 PM

All replies

  • Hi Paul,
    What policies are configured in the GPO?
    You could have a try to exclude individual computers from a GPO following the article as below step by step and see if it works:
    http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Friday, January 6, 2017 5:57 AM
    Moderator
  • On 05.01.2017 at 22:37, PJGLICK1 wrote:
    > If a workstation\server received the GPO to configure local admin
    > management, what happens on the workstation\server that is no longer
    > in scope of the policy.
     
    If the GPO was successfully applied before, the admin password was set
    and written into the AD attribute of the machine object.
     
    When the GPO is removed, only the ruleset of the GPO will be removed.
    The CSE/DLL is still registered and deployed (if it was not deployed by
    GPSI and removed as well, by removing the GPO). The password of the
    local admin account is still set to the one that is written into AD.
     
    > The workstation I am testing with has been moved to another OU which
    > does not have the LAPS GPO linked to it.  But after a reboot of the
    > workstation, RSOP still shows the policy being applied.
     
    Wait for replication, wait 2 hours; if the GPO is still applied, the object
    is still in the Scope of Management.
    Probably the GPO is linked "above" or not filtered correctly.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, January 6, 2017 11:46 AM
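
The last reply's suggestion that the GPO may still be linked "above" or filtered incorrectly can be checked from a management host. The PowerShell below is an added example, not part of the thread; the computer name and GPO display name are placeholders, and it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.

```powershell
# Added example. Assumptions: both default values are placeholders, and the
# RSAT ActiveDirectory and GroupPolicy modules are installed on this host.
param(
    [string]$ComputerName = 'WKSTN-PLACEHOLDER',
    [string]$GpoName      = 'LAPS-GPO-PLACEHOLDER'
)
Import-Module ActiveDirectory, GroupPolicy

# Locate the computer object and derive its parent container from the DN
# (split on the first comma that is not escaped with a backslash).
$computer = Get-ADComputer -Identity $ComputerName
$parentDn = ($computer.DistinguishedName -split '(?<!\\),', 2)[1]

# Plain containers such as CN=Computers cannot carry GPO links, so only
# domain-level links can reach objects stored there.
$target = if ($parentDn -like 'CN=*') { (Get-ADDomain).DistinguishedName } else { $parentDn }

# InheritedGpoLinks is the effective link list for the target: links on the OU
# itself plus every link inherited from above, after block-inheritance and
# enforcement have been evaluated.
$links = @((Get-GPInheritance -Target $target).InheritedGpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName })

if ($links.Count -eq 0) {
    Write-Output "No link to '$GpoName' reaches $target."
} else {
    # Target shows the container where the link that still applies is defined.
    $links | Select-Object DisplayName, Target, Enabled, Enforced, Order
}

# Security filtering: trustees holding the Apply permission on the GPO.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }
```

On the workstation itself, `gpresult /r /scope computer` lists the GPOs that were applied at the last refresh, which can be compared against the link list above.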