Re: How to clear GP on a workstation
From: Mark Renoden [MSFT] (markreno_at_online.microsoft.com)
Date: Fri, 29 Oct 2004 08:18:16 +1000
Was there originally more than one DC? The new PDCe that you built was
added to the domain or you created the domain from scratch?
My suggestion initially would be to get GPMC installed on an XP client or a
2003 member/DC and have a better look at how things are put together ...
which GPO's are applying from where and then map it out.
Secondly, try placing all the client machines and users in a single OU just
under the domain. Make sure no GPO's are linked here and block policy
inheritance. Make sure the Default Domain Policy does not have No Override
set. At this point you should find that all policy settings go away. If
they don't, take a gpresult /z (windows xp) or a gpresult /v (windows 2000)
and try to figure out where the clients think policy settings are coming
from ... it may be the local policy (start -> run -> gpedit.msc).
I'm in two minds as far as my guess at what's going on. Firstly, it might
be the case that the clients aren't actually logging into the domain as such
and are using cached credentials and cached policies and not paying any real
attention to the domain. Secondly, it might be that the policy structure in
AD/SYSVOL is messed up and that's why it doesn't seem to make sense. You
could also run gpotool /verbose to see whether the view of policy is
consistent across all DC's - if they aren't, it might be a replication
How many users/clients are you dealing with? If it's a low number, is it
worth considering a ground up rebuild of the domain? It sounds like a
reasonably well crafted mess (completely understand you inherited said
-- Mark Renoden [MSFT] Windows Platform Support Team Email: email@example.com Please note you'll need to strip ".online" from my email address to email me; I'll post a response back to the group. This posting is provided "AS IS" with no warranties, and confers no rights. "msteinhoff" <firstname.lastname@example.org> wrote in message news:84CA550C-F0A3-4D43-9AD8-D12A1C88CF7D@microsoft.com... >I have an inherited network. As I understand it, the users were moved from > one domian to the other before I started here. Since then GP has never > worked from the server level. They never bothered with it, because > whatever > policy had been pushed down to the workstations was still applied. The > server that was the PDC crashed, and was irrecoverable. I built a new > server > from scratch, and created new group policy. However the GP that I have > created will not override the GP that is currentlt on the > workstations..and I > don't know why. > > After a little experimenting, I determined that if I chenged the settings > from <not configured> to <disabled> the policy would then overwrite the > workstation. I have tried gpupdate /force but that does not work. > > So what I want to do is remove the current GP on the workstations and > apply > the new one. > > To answer your questions: > > 1. The server is offline becasue HDD crashed hard. > > 2. Yes I do have a PDC that users authenicate to. > > 3. I checked the .adm policy templates, I see the 3 standard templates and > two non standard. I looked at the non standard: > > wmplayer.adm - appears to be settings for Windows Media player. > wuau.adm - appears to be for automatic update settings. > > I also would like to note that the workstations have a category called > "Extra Registry Settings" However, I cannot find any of the applied > .adm's > that have that as a category. > > Thanks, > > Mike Steinhoff > > "Mark Renoden [MSFT]" wrote: > >> Hi >> >> What do you mean when you say that it is offline? >> >> Do you have an active Domain Controller against which clients >> authenticate? >> >> Did you use standard .adm policy templates or did you create your own? >> >> Kind regards >> -- >> Mark Renoden [MSFT] >> Windows Platform Support Team >> Email: email@example.com >> >> Please note you'll need to strip ".online" from my email address to email >> me; I'll post a response back to the group. >> >> This posting is provided "AS IS" with no warranties, and confers no >> rights. >> >> "msteinhoff" <firstname.lastname@example.org> wrote in message >> news:51E6DD6A-4664-4379-BE11-D0FE568815FA@microsoft.com... >> >I have a problem where an old GP(that is now offline), has settings on >> >my >> > workstations. I need to clear the all the Workstation's GP's and start >> > from >> > scratch. >> > >> > I am not sure of a good method in which to do this, so I was going to >> > remove >> > the workstation form the domain, apply the compatws security template, >> > and >> > then add the workstation back to the domain. >> > >> > If this method will work, or there is another way to do this I would >> > appreciate any input. >> >> >>