removing group policy settings.


Bill B

What is the process for flushing a domain group policy from a system after
it leaves the domain, specifically the security policies?

I have a couple of laptops that hop between different domains and sometimes
are just workgroup members. After I leave a domain to join a workgroup, my
effective settings are still those of the domain and are overriding my local
security policy.

Thanks.

Bill
 
By default, Security settings remain after the client is removed from the
domain. You will have to edit them on the client manually. On the other hand,
GPOs are reverted back to the client's previous settings.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com
 
By default, Security settings remain after the client is removed from the
domain. You will have to edit them on the client manually. On the other hand,
GPOs are reverted back to the client's previous settings.

When you say "security settings remain" are you indicating
the Windows\Security portion of the GPO or something
else?

How does that jibe with "GPO's are reverted"?

How about Administrative Template settings? They don't suffer
from Registry Tattooing any longer, right?
 
There is a domain security policy that is applied to all systems on the
domain: auditing settings, user rights, etc. This gets applied to the
laptops when they join the domain. Not using GPOs per se, but isn't a domain
security policy really just a GPO?

My problem is if I take the laptop offsite and join it to a workgroup, the
domain level security policy settings remain and they still override the local
ones.

Basically I need to know if it's possible to clear out the domain level
settings that are overriding the local settings if the system is no longer a
member of the domain?

thanks

Bill
 
Yes, the Security portion of the GPO (the one that you control through the Security
Analysis Tool mmc) remains even after you disconnect the workstation from the
domain. This is quite expected, as if you create a GPO on an OU which holds
computer objects. If you set up security settings in that GPO, this actually
affects the Local Security Policy on those computers. After you remove those
computers from the domain, their Local Security Policy remains the same. Naturally,
if you move this computer to another domain, new policies take precedence,
except those which are Not Defined in the new domain. This is for the Security part.
For Administrative Templates, which are basically registry keys, they
revert when the client changes OU location/domain membership, as they are
basically written in the registry under special reg. keys (policy and stuff).
So basically, for a Security setting to become invalidated it is not enough to
specify it as Not Defined in the target domain; it has to be set to disabled/enabled, because,
as the article at the bottom says, your system is "tattooed" with Security
settings.

One quick link on this subject:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/615.asp

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com
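Added example, not part of the thread or any poster's code: a way to see which domain-applied security settings are still "tattooed" on a machine by diffing two `secedit /export /cfg <file>` exports. It assumes you have a baseline export (for instance from a clean workgroup machine); the two INF texts below are constructed samples.

```python
# secedit writes its export as UTF-16, so read real files with
# open(path, encoding="utf-16").read() before passing the text in.
SECTIONS = ("System Access", "Event Audit", "Privilege Rights")

BASELINE = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""  # constructed sample: local policy before the domain join

CURRENT = BASELINE.replace("Length = 0", "Length = 8") \
    .replace("Events = 0", "Events = 3") \
    .replace("544,*S-1-5-32-545", "544") \
    .replace("*S-1-5-32-544,*S-1-5-32-551", "*S-1-5-32-551,*S-1-5-32-544")
# constructed sample: same machine after leaving the domain

def parse_inf(text):
    """Parse secedit INF text into {section: {setting: value}}."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            result.setdefault(section, {})
        elif section is not None and "=" in line:
            name, value = line.split("=", 1)
            result[section][name.strip()] = value.strip()
    return result

def normalise(section, value):
    # User-rights values are SID lists whose order carries no meaning.
    if section == "Privilege Rights":
        return frozenset(v.strip() for v in value.split(",") if v.strip())
    return value

def leftover_settings(baseline_text, current_text):
    """List (section, setting, baseline, current) for each setting that differs."""
    base, cur = parse_inf(baseline_text), parse_inf(current_text)
    diffs = []
    for section in SECTIONS:
        b, c = base.get(section, {}), cur.get(section, {})
        for name in sorted(set(b) | set(c)):
            if normalise(section, b.get(name) or "") != normalise(section, c.get(name) or ""):
                diffs.append((section, name, b.get(name), c.get(name)))
    return diffs
```

Each tuple returned is a setting to review and reset by hand in the Local Security Policy, which is the manual edit the replies describe.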
 