Group policy still applying even though disabled on domain

Boe

I am having issues with the default domain policy applying to my computer
even though it is disabled on the domain and am looking for a way to
remove all references to it on the local machine if possible.

Here is a brief synopsis of what I have done that led me to this point:
1. Machine was currently on the domain while I used Security Configuration
and Analysis tool to make some changes to the local machine as part of a
security checklist.
2. Noticed that changes were not applying on this machine, so I grabbed a
.sdb file I had created on another workstation and copied it over to this one.
3. I was able to make all the changes needed while using the new .sdb file.
Once everything was done, I removed it from the domain in preparation to
build an image of the drive.
4. After removing it from the domain and building the image of the drive, I
then went forth and re-added it to the domain. After the reboot and login, I
noticed that the changes I had made have been reverted back to what they were
before.
5. After running a gpresult /v on the computer, I noticed that the Default
Domain Policy was still being applied to this workstation.

I am not sure what my next course of action should be. Any help would be
greatly appreciated. If you need more info, please let me know.

Thank You,

Boe
 
Clarification:
I only removed the link between the Default Domain Policy and the Domain, but
that did not solve my issue. I was able to stop the policy from applying by
actually disabling the GPO. With that, I printed out a report with all of
the changes in the gpo and will modify it accordingly.
 
Hello boe,

If you play around with the default policies, you cannot go back easily
to the startup settings. If you like to change settings in a GPO you have
to UNDO the change, if a setting was enabled you have to disable it. So create
for your needs always your own policies and think about if it should affect
the complete domain or better link it to OUs built on your needs. Then you
have to move the users or computers to the special OUs. Also the Password
policy has to be set on the domain level and on NO other place. It will not
work if you configure it to another OU.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Meinolf,

Thanks for the reply. Unfortunately, I was not the implementor of all of the
gpo's on this domain and from what I heard, when they were created, it was
more of a quick build by the previous sys admin. And all of the policy
modifications were done on the Default Domain Policy instead of a different
policy and applying it to an OU. The default gpo had many settings configured
that were opposite of what is required by our security checklist. I have
made everything as 'not defined' with the exception of the Password policies
and have built a new gpo and am applying it specifically on the computer OU
that I had created. I was able to fix one issue by modifying the
sceregvl.inf to create a new gpo setting. However, the other one involving
removing the 'optional' key in "HKLM\system\currentcontrolset\control\session
manager\subsystems" has been my biggest pain so far...although at the time of
writing this reply, it appears to have stopped reappearing after policy is
applied. Will have to test it for a couple days to ensure that this is
resolved.
 
What are you asking Boe?
You said you built the machine out, removed it from the domain,
tweaked about with its local policy, then you say you joined it
back to the domain but sound surprised that the domain policies
were again being applied. That is just how it works, right?

Roger

PS. you should not disable or unlink the default domain policy
as it carries some settings that you really should want applied.
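
One way to check the two conditions discussed in this thread, whether a GPO is still linked to any container and whether the GPO itself is disabled, shown as an added example that is not part of any poster's reply. It uses the GroupPolicy module cmdlets (RSAT/GPMC); the function name Get-GpoLinkAudit and the OU distinguished name are hypothetical placeholders.

```powershell
# Added example. Requires the GroupPolicy module and a domain account with read access to GPOs.
Import-Module GroupPolicy

function Get-GpoLinkAudit {
    param(
        [Parameter(Mandatory)] [string] $GpoName,   # e.g. 'Default Domain Policy'
        [Parameter(Mandatory)] [string] $TargetDn   # DN of the domain or OU that holds the computer
    )

    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    # Every container (site, domain, OU) the GPO is linked to, read from its XML report.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($report.GPO.LinksTo) | Where-Object { $_ } | ForEach-Object {
        [pscustomobject]@{
            LinkedTo    = $_.SOMPath
            LinkEnabled = $_.Enabled
            Enforced    = $_.NoOverride
        }
    }

    # GPO links in effect at the target container, inherited ones included, in precedence order.
    $inherited = (Get-GPInheritance -Target $TargetDn).InheritedGpoLinks |
        Select-Object Order, GpoId, DisplayName, Enabled, Enforced

    [pscustomobject]@{
        Gpo             = $gpo.DisplayName
        # AllSettingsDisabled means the GPO is disabled as a whole, regardless of its links.
        GpoStatus       = $gpo.GpoStatus
        Links           = $links
        InheritedAtTarget = [bool]($inherited | Where-Object { $_.GpoId -eq $gpo.Id })
        Precedence      = $inherited
    }
}

# Placeholder DN: replace with the OU of the affected workstation.
$result = Get-GpoLinkAudit -GpoName 'Default Domain Policy' -TargetDn 'OU=Workstations,DC=example,DC=com'
$result | Format-List Gpo, GpoStatus, InheritedAtTarget
$result.Links | Format-Table -AutoSize
$result.Precedence | Format-Table -AutoSize
```

Compare the output with `gpresult /v` on the workstation after a policy refresh to confirm that what the directory reports matches what the client actually applied.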
 