Remove Group Policy settings from a client

    Question

  • Hi,

    Hope you can help me on this one. I have a server that is part of our domain and as such it had Group Policy applied to it. One of the policy settings was to stop Windows Updates, as that is being managed by a 3rd party piece of software.

    I have been having a problem with this particular client (Windows Server 2008 R2 64bit) being at the correct patch level, so decided to manually download the Windows Updates. However, Group Policy is blocking me from doing this obviously. I have removed the computer account to a different OU that doesn't have this policy applied and still it reports that these settings are managed by your administrator. I did run gpupdate /force several times. I have removed the 3rd party patching software, but still no joy. I have then removed the client from the domain, and again ran gpupdate /force but the policy is still being applied.

    I have also, as suggested on another site, renamed the C:\Windows\security\database\secedit.sdb and edb.chk files but nothing changes.

    What I did next was join that client to another domain that doesn't have any Policies applied (a lab environment), but still the Windows Update settings are being controlled by the administrator.

    Just FYI, I cannot get into Services, or any other mmc, as I have a problem with IE and it prevents me launching it because it says it needs IE5.5 or higher. There is another post about this.

    Thanks in advance

    Tuesday, March 31, 2015 11:20 AM

Answers

  • Hi,

    Before going further, on the client, we can run the command gpresult /h report.html with administrative privileges to collect a group policy result report and check what settings are being applied.

    If we can't find the corresponding setting in the report above, we can try to delete the following registry keys on the computer and restart it to see if it helps:

    HKLM\Software\Policies\Microsoft

    HKCU\Software\Policies\Microsoft

    HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

    Regarding this point, the following thread can be referred to for more information.

    Group policy unable to apply firewall change on Windows 7 cilent - blocked

    https://social.technet.microsoft.com/Forums/fr-FR/b6613481-98e8-4c11-a15f-e42dd16d5efa/group-policy-unable-to-apply-firewall-change-on-windows-7-cilent-blocked?forum=winserverGP

    Important & Caution: Back up the registry before we modify it, because serious problems might occur if we modify the registry incorrectly.

    Best regards,
    Frank Shen


    Thursday, April 2, 2015 8:23 AM
    Moderator
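
Added example (not part of the original thread): a PowerShell sketch of the backup step the answer above asks for, which exports each of the four listed keys to a .reg file and then prints the Windows Update policy values so they can be compared with the gpresult report. It deletes nothing. The backup folder name is an assumption, and the WindowsUpdate policy subkey is the standard location for these settings rather than a path given in the thread.

```powershell
# Run from an elevated PowerShell prompt (works on PowerShell 2.0, as shipped
# with Windows Server 2008 R2). HKCU is the hive of the account running this.

$backupDir = Join-Path $env:SystemDrive 'PolicyKeyBackup'   # assumed location
if (-not (Test-Path $backupDir)) {
    New-Item -ItemType Directory -Path $backupDir | Out-Null
}

# The four keys listed in the answer.
$keys = @(
    'HKLM\Software\Policies\Microsoft',
    'HKCU\Software\Policies\Microsoft',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
)

foreach ($key in $keys) {
    # Build a provider path so Test-Path can check the key exists.
    $psPath = 'Registry::' + ($key -replace '^HKLM', 'HKEY_LOCAL_MACHINE' `
                                   -replace '^HKCU', 'HKEY_CURRENT_USER')
    if (-not (Test-Path $psPath)) {
        Write-Output "absent:    $key"
        continue
    }
    # One .reg file per key; reg.exe import restores it if needed.
    $file = Join-Path $backupDir (($key -replace '[\\ ]', '_') + '.reg')
    & reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export failed for $key"
        continue
    }
    Write-Output "backed up: $key -> $file"
}

# Show the Windows Update policy values currently in the registry.
# Assumption: the blocking setting lives under the standard WindowsUpdate policy key.
$wu = 'Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate'
foreach ($p in @($wu, "$wu\AU")) {
    if (Test-Path $p) {
        Get-ItemProperty -Path $p | Select-Object * -ExcludeProperty PS* | Format-List
    } else {
        Write-Output "absent:    $p"
    }
}
```

Values that still appear here after the machine has left the domain are leftover registry state, not policy being reapplied, which is the case the key deletion in the answer addresses.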
  • run rsop.exe from an elevated command prompt to see what policies are applied to the server at the moment.

    run gpedit.msc to check if there are local policies applied on the server...

    • Marked as answer by AshPoxon Wednesday, April 8, 2015 2:33 PM
    Thursday, April 2, 2015 2:45 PM

All replies

  • Try to reset GPO settings to default values this way:

    http://woshub.com/reset-local-group-policies-settings-in-windows/#h2_3

    Tuesday, March 31, 2015 11:45 AM
  •    >> I have also, as suggested on another site, renamed the C:\Windows\security\database\secedit.sdb and edb.chk files but nothing changes.

    Have you tried Gpupdate /force /boot post renaming it? You better delete the secedit.sdb file and do a GPupdate /force and reboot.

    Deleting this file completely trashes the group policies on the PC and forces a brand new refresh from the domain controller.


    Devaraj G | Technical solution architect

    Thursday, April 2, 2015 1:34 PM