Undo every GPO-setting, including "persistent" changes?

    Question

  • Hello,

    I'm currently working with a customer that has been using Active Directory for the past 15 years, starting with SBS, migrating to Server 2003 and finally to 2008 R2.

    The customer is running clients on any version of windows, some are 10 Year old machines, others are pretty new. 

    Over the past 15 years, administration of GPOs has been performed in a trial-and-error-fashion. GPOs have been created, applied to a few or all clients, if not working just deleted and so on.

    Ofc. just deleting a GPO does not "undo" the changes for certain Policies applied. The actual result is now that a huge amount of Computers is having old settings applied, of which the GPO has been deleted like 5 years ago. (Including, but not limited to: Scheduled tasks, running some Stuff every minute, Registry changes, and a lot of other "persistent" settings)

    The overall state is "inconsistent", at best, 20% of Clients behave the "same" way.

    Since I have never encountered such a way of "dealing" with GPOs - I wonder if there is a way to completely "clean" a computer from ALL settings EVER applied through GPOs without having to reinstall the operating system?

    I think, that just leaving the domain and rejoining will not undo "persistent" changes like Registry-Value transformation and the like, would it? 

    (Unfortunately it is also impossible to deploy the proper "reverting GPOs", since nobody knows which settings have been modified on which clients...)

    Sunday, April 03, 2016 11:43 PM

Answers

  • Hi,

    The short answer is no, there is no way to completely remove everything that may have even been changed via GPO.

    A slightly expanded answer is this: if the changes were only ever made via well-written client side extensions (CSEs) then removing the GPO would see the applied changes removed. However, even some of the Microsoft CSEs - such as the Internet Explorer maintenance CSE - were not written to be genuinely policy based, but rather as a well presented registry tattooing extension. This means that rather than the effective setting being written to the policy branch, the "real" value in the original registry location was changed, in which case it is not possible to unwind this through removing the GPO. In this scenario, the value is simply left in place.

    As something of an aside, given I used the IE maintenance CSE as a point of reference, there is/was (it was removed with the release of IE10) a "reset policy" context menu option; however, some string values (such as the proxy server value) were actually reset to an empty string, not removed from the registry as they should have been, resulting in even more obscure issues that wouldn't even show up correctly in the resultant set of policy. The only point in mentioning this is that it's the next closest thing to impossible to know if you've really removed all settings when removing group policies.

    There was also another group of settings - which were hidden by default, called registry-based policy settings. These followed the same paradigm as the IE maintenance CSE above meaning they, too, cannot be unwound. Group Policy Preferences are a more advanced implementation of this paradigm and allow for some recovery options but I think these are outside the scope of what you're talking about.

    If you're really desperate to ensure no policy settings are applied then you're going to have to go to the effort of creating a new reference image free of policy intervention (which shouldn't be an issue since your reference image should be a workgroup machine prior to being sysprep'd in any case).

    Cheers,
    Lain

    • Marked as answer by dognose Monday, April 04, 2016 3:59 PM
    Monday, April 04, 2016 12:55 AM

All replies

  • Since I have never encountered such a way of "dealing" with GPOs - I wonder if there is a way to completely "clean" a computer from ALL settings EVER applied through GPOs without having to reinstall the operating system?

    Unfortunately, there is no way. Remember that only GPO "preferences" (not policies) would remain after GPO deletion. And maybe some scripts with registry changes.

    What you can do is to find the "registry changes" which disturb users. Or go straight to an old computer and investigate whether it works properly; go to Scheduled Tasks and look for its settings. Then, based on this research, create "reverting GPOs". However, non-disturbing trash will remain.

    I personally recommend reinstalling old computers, or better, recycling them. A 5-year-old computer without refreshing the OS -> too much time. Actually, it's time even to replace those computers. But everything is up to you.

    Monday, April 04, 2016 1:00 AM
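    As an added illustration of the investigation the two replies above describe (inspecting scheduled tasks, the policy branches of the registry, the IE proxy values that the old "reset policy" option left as empty strings, and the GPOs a client last recorded applying), here is a PowerShell audit helper. It is not code from this thread or from Microsoft. It assumes Windows 8 / Server 2012 or later so the ScheduledTasks module is available, runs as the user whose HKCU hive should be inspected, and writes a JSON report to a placeholder path; the same report taken on the clean workgroup reference image the accepted answer recommends becomes the baseline that `Compare-GpoRemnantReport` diffs a suspect client against.

```powershell
# Added audit helper (not from the thread). Collects the artefacts the answers
# say survive GPO deletion so a client can be diffed against a clean reference.
# Assumptions: Windows 8 / Server 2012+ (Get-ScheduledTask), PowerShell 3+,
# run in the context of the user whose HKCU hive matters. $OutFile is a placeholder.

function Get-GpoRemnantReport {
    [CmdletBinding()]
    param(
        [string]$OutFile = "$env:TEMP\gpo-remnants-$env:COMPUTERNAME.json"  # placeholder path
    )

    # 1. Scheduled tasks outside the Microsoft tree: the "runs some stuff every
    #    minute" tasks from the question. The repetition interval (e.g. PT1M) is
    #    kept so a one-minute trigger stands out in the report.
    $tasks = Get-ScheduledTask |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_.TaskPath + $_.TaskName
                Author     = $_.Author
                State      = [string]$_.State
                Actions    = @($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                Repetition = @($_.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
            }
        }

    # 2. Policy branches. A well-written CSE writes only here and removes its
    #    values when the GPO goes away; anything left that no current GPO
    #    explains is a remnant (or was planted by a script, which also tattoos).
    $policyRoots = @(
        'HKLM:\SOFTWARE\Policies',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
        'HKCU:\SOFTWARE\Policies',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
    )
    $policyValues = foreach ($root in $policyRoots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Key = $key.Name; Name = $name; Value = [string]$key.GetValue($name) }
            }
        }
    }

    # 3. IE maintenance tattoo: the accepted answer notes the "reset policy"
    #    option left ProxyServer as an empty string instead of deleting it.
    $ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ieProps = Get-ItemProperty -Path $ie -ErrorAction SilentlyContinue
    $proxy = [pscustomobject]@{
        ProxyEnable            = $ieProps.ProxyEnable
        ProxyServer            = $ieProps.ProxyServer
        AutoConfigURL          = $ieProps.AutoConfigURL
        EmptyProxyServerTattoo = ($null -ne $ieProps.ProxyServer -and $ieProps.ProxyServer -eq '')
    }

    # 4. GPOs the client last recorded per CSE. A GPO listed here that no longer
    #    exists in the domain is a lead for which remnants to look for.
    $histRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    $history = Get-ChildItem -Path $histRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'GPOName' } |
        ForEach-Object {
            [pscustomobject]@{
                Cse         = Split-Path $_.PSParentPath -Leaf
                GpoName     = $_.GetValue('GPOName')
                DisplayName = $_.GetValue('DisplayName')
            }
        }

    $report = [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Taken        = (Get-Date).ToString('o')
        Tasks        = @($tasks)
        PolicyValues = @($policyValues)
        IeProxy      = $proxy
        GpoHistory   = @($history)
    }
    $report | ConvertTo-Json -Depth 5 | Set-Content -Path $OutFile -Encoding UTF8
    return $report
}

function Compare-GpoRemnantReport {
    # Policy-branch values and tasks present on the candidate but absent from
    # the clean reference image: the list a "reverting GPO" would have to undo.
    param([string]$Reference, [string]$Candidate)
    $ref  = Get-Content -Path $Reference -Raw | ConvertFrom-Json
    $cand = Get-Content -Path $Candidate -Raw | ConvertFrom-Json
    $flatten = {
        param($r)
        @($r.PolicyValues | ForEach-Object { "REG $($_.Key)\$($_.Name)=$($_.Value)" }) +
        @($r.Tasks        | ForEach-Object { "TASK $($_.Path) [$($_.Repetition)] $($_.Actions)" })
    }
    Compare-Object -ReferenceObject @(& $flatten $ref) -DifferenceObject @(& $flatten $cand) |
        Where-Object SideIndicator -eq '=>' |
        Select-Object -ExpandProperty InputObject
}

# Usage: run Get-GpoRemnantReport on the reference image and on a client, copy
# both JSON files to one place, then:
#   Compare-GpoRemnantReport -Reference .\gpo-remnants-REFIMAGE.json -Candidate .\gpo-remnants-CLIENT01.json
```

    The diff only covers what the report captures; as the accepted answer says, values tattooed into arbitrary registry locations outside the policy branches will not be found this way, which is why the reference-image rebuild remains the only complete answer.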
  • Thx for the answers, I already expected (or almost knew) that it is not possible.

    So, I have another reason to recommend the "firm-wide" replacement of outdated machines, at least :-)

    best,
    dognose

    Monday, April 04, 2016 3:58 PM