GPO Tattooing? OLD GPOS still applying to the local workstations

By Prophecy
in Microsoft (Windows)

 Share

Recommended Posts

Mentor

Prophecy

Posted
Posted

Scenario:

NEW DC with Server 2003 replaces OLD server 2000

The workstations have been removed and added to the new domain however some of the OLD GPO settings are still set in the workstations. We have of course applied gpupdate /force on all the workstations and rebooted numerous times. However when we log in to the machine I am seeing the settings in the local workstation GPEDIT.MSC are the same in the local security policy even after being added to the new DC.

Any ideas how I can flush this old stuff from the workstations? Ive been reading on tattooing and ADMs and this is kinda a new problem.

This problem has stemed from the users home directories not syncing correctly. In fact only one user can sync their home directory when they log off.

Any ideas?

Thanks

Mentor

petroid

Posted
Posted

As far as I remember, new policies will overwrite old ones only if they are configured. Any individual settings set to "not configured" will not be defaulted, so if they were set previously they will remain. You can delete the user profile on the local machines so that new user policies will be downloaded on next login. Workstation policies are a bit different, you may have to manually go through the policies and change "not configured" ones to the setting that is applicable to what you're trying to do.

Of course, I am pretty tired right now, so that information could be a red herring :p

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

that is true if you have not made a change to the new policy that will over write the old, the old will stay. dc policy is above local policy, so anything that the dc pushes out will over write anything in the local policy.

Mentor

Prophecy

Posted
  • Author
Posted

Well my DC policy is kinda loose at this point where as the local is pretty strict. I plan on locking it down more tight. Im wondering if its set to "NON CONFIGURED" on the DC and its set to configured on the local will it revert to the DC policy"

Thanks

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted (edited)

technically no, if it is not configured on the dc the local policy will take over. but I would configure it on the dc using groups so that you can have different pc's/users using different policies if that is what you need.

it is really sloppy the way you are doing it. one pc may have a policy that the other doesn't, you don't have a way to tell what policy is on what pc easily, you have no way of undoing the policy based on logon, etc.

when doing gpos on a domain try to have one policy do one thing. for instance one policy to lock the taskbar and another to set classic start menu. doing it granular like this allows you to know easily what each policy is doing at a glance and to be able to add the groups that need to have this policy applied.

Edited by sc302
Rising Star

Aldur82

Posted
Posted

The DC policy will only overwrite a local policy if it has a setting other than 'Not Configured', otherwise there would be no point in having anything but a DC policy without worrying about the application sequence regarding policies.

What you might want to do is check the Resultant Set of Policy.

I also did a quick search online and found someone suggesting the following steps on techrepublic

Create a test gpo and link it to an existing OU for testing purposes(idealy affecting the problem workstation(s)). Put the changes you want in this test gpo. Now enable, enforce, link the gpo and check off block inheritance.

Next go to users and computers (on the server) and make a user(with the problem WS) in the above test OU a member of Administrators.

Run gpudate /force on server.

Go to the users' workstation(as above) and run gpupdate /force or reboot.

Vuala, you should see the changes.

Let us know how it worked out.

P.S. Once the gpo issue is resolved, remove the user from being member of Admin grp

Mentor

Prophecy

Posted
  • Author
Posted
technically no, if it is not configured on the dc the local policy will take over. but I would configure it on the dc using groups so that you can have different pc's/users using different policies if that is what you need.

it is really sloppy the way you are doing it. one pc may have a policy that the other doesn't, you don't have a way to tell what policy is on what pc easily, you have no way of undoing the policy based on logon, etc.

when doing gpos on a domain try to have one policy do one thing. for instance one policy to lock the taskbar and another to set classic start menu. doing it granular like this allows you to know easily what each policy is doing at a glance and to be able to add the groups that need to have this policy applied.

I have numerous polcies, I dont ever stick with just one policy. Ive written numerous policies for numerous tasks. The policies I am writting work on a Computer configuration rather than a user configuration. I will work on enforcing the new policies I have in place to re-write the old. It could be the previous policies were written on a user logon level rather that a computer level and we may have some issues there. I just need to look at it. Unfortunetly there is no way to see the old GPO written by the previous staff as the OLD DC has been removed.

I appreciate that help.

Thanks

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

Some policies are user only, some are computer only. I have been using groups to assign policies to computers or users, depending on what is needed, you can put computers in global and/or security groups as well as users. you can assign groups to group policies to help make life a little easier. you can't have folder redirection applied to computers, it is not a computer policy it is a user policy; you can't have windows update as a user policy as it is a computer policy. Everything in the User section gets applied to users, everything in the computer section gets applied to computers. I hope that makes sense. Quite possibly why your policies aren't getting assigned properly.

Mentor

Prophecy

Posted
  • Author
Posted

I know GP and I appreciate the resources. The local workstations are not accepting the new GP's over their old. Its referred to Tattoing. So I am troubleshooting why the old group policy is still tattooing or lingering around on the machines after they have been added to the new domain and forced to do group policy updates. Usually this doesnt happen so Im wondering whats lingering. I have a check list of things to look over to see why its not propagating over the network.

Thanks

Proph

Mentor

Prophecy

Posted
  • Author
Posted
What's the RSOP say? Have you checked in the event viewer for any errors relating to GP?

Well RSOP indicates all of my GPOS that I have written are being applied. However I am not seeing all the changes. I am still working on it. I need to to see if there is a GPO which affects Home Directory Syncing.

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

the only option that I can recall that would have anything to do with any type of syncing would be offline folders. and that has nothing to do with one particular mapped drive or another. also just to note, pst files do not get synced, so if your pst file is stored on your "home drive" then it will not work.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Display Driver Uninstaller (DDU) 18.1.5.5

      By Copernic · Posted

      Display Driver Uninstaller (DDU) 18.1.5.5 by Razvan Serea Display Driver Uninstaller (DDU) is a utility for completely removing AMD/NVIDIA/INTEL graphics drivers and related packages from your system, attempting to eliminate all leftovers (including registry entries, folders and files, driver store). Though AMD/NVIDIA/INTEL drivers can usually be removed via the Windows Control Panel, this uninstaller tool was created for situations where standard uninstall fails, or when you need to fully remove NVIDIA or ATI graphics card drivers. After using this driver cleaner, your system will behave as though it’s the first time you’re installing a new driver—similar to a fresh Windows installation. As with all such tools, we recommend creating a restore point beforehand, allowing you to undo changes if issues arise. If you're having trouble installing an older or newer driver, try it—there are reports that it resolves such problems. Recommended usage: The tool can be used in Normal mode but for absolute stability when using DDU, Safemode is always the best. Make a backup or a system restore (but it should normally be pretty safe). It is best to exclude the DDU folder completely from any security software to avoid issues. You do NOT need to uninstall the driver prior using DDU. Requirements: .NET Framework 4.8 Compatible with Windows 7, 8, 8.1, 10, and 11 (32-bit or 64-bit) Note: Using on Insider Preview builds is at your own risk. Display Driver Uninstaller (DDU) 18.1.5.5 changelog: Added 'Reset to recommended' button for the Options. General fixes and improvements. Download: Display Driver Uninstaller (DDU) 18.1.5.5 | 1.7 MB (Freeware) Download: DDU Portable | 1.2 MB Links: Display Driver Uninstaller Home Page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • WACUP 1.99.51.24568 Preview

      By Copernic · Posted

      WACUP 1.99.51.24568 Preview by Razvan Serea WACUP (WinAmp Community Update Project) is a modern, enhanced version of the classic Winamp music player, designed for better stability, performance, and compatibility. Built for Windows, WACUP retains the familiar Winamp interface while adding 64-bit support, bug fixes, and new features like improved audio format support, customizable skins, and optimized playlist management. Unlike bloated alternatives, WACUP focuses on lightweight performance and regular updates, making it the best choice for fans of the classic Winamp experience. Basically, if you miss the good old days of Winamp and want a modern upgrade that doesn’t mess things up, WACUP is for you! WACUP key features: Classic Winamp Feel – Keeps the familiar interface and functionality. Bug Fixes & Stability – Fixes old Winamp issues and improves performance. 64-Bit Support – Works better on modern systems. More Formats & Plugins – Supports additional audio formats and third-party plugins. Customizable UI – Skins and tweaks for a personalized look. Better Library Management – Improved playlists, media organization, and search. No Bloat – Focuses on performance without unnecessary extras. Regular Updates – Community-driven development with new features and fixes. WACUP 1.99.51.24568 Preview changelog: Fixed a deadlock seen from the recent crash reports when doing some of the drag + drop actions within the media library window Fixed a loading crash seen related to a problem with some of the artwork cache image files being restored which should now be better handled allowing for the bad image to be removed without it failing Fixed a deadlock seen from the recent crash reports when the internal metadata cache clearing is triggered which could block the main ui thread for too long with this now being moved to a background thread Fixed some performance issues with some of the methods related to determining artwork support which mainly affected the local library import / refresh (this is still slower for some compared to other players because there's more data & artwork aspects being checked for which means doing more processing on a single file despite the best of attempts to reduce duplicate / heavy processing where possible) Fixed a crash with the JTFE based missing files hotkey which no one seems to have used for an age for this to appear (maybe it's time to seriously consider stripping out features that aren't being used) Fixed how some of the file types which use extra information to reference their sub-songs is handled which was preventing some from being correctly resolved back to their base file (noticed fixing above) Fixed an issue with the handling of files with underscores in their filepath which wasn't being correctly handled causing some of the filename to be lost when shown as the title if title reading is delayed Fixed a few things that might be behind NotSoDirect not being stable for some setups though am still not certain that the changes done for this are going to fully resolve the problem from the crash reports Fixed the OS toast handling when there's no prior shortcut in the OS start menu to now create the shortcut (needed to allow the yes/no buttons for the new build / post-release toast) to be done as a hidden one so it's less likely to cause annoyance for those not wanting to see it whilst still allowing this less than ideal OS api implementation requirement to be met to avoid toasts without the needed buttons Fixed a regression when moving from taglib1 to taglib2 which broke some of the handling in place to allow for external programs to still access files when wacup has a held open cached instance of the file Everything else Updated cppwinrt (gen_win10shell.dll) to 3.0.260520.1 (26 May 2026) Updated libcurl (libcurl.dll) to 8.2.1 (24 Jun 2026) Updated Monkey's Audio (in_ape.dll) to 13.15 (28 Jun 2026) Updated mpg123 (mpg123.dll) to 1.33.6 (6 Jun 2026) Updated OpenSSL (libcurl.dll) to 3.5.7 (9 Jun 2026) Updated pugixml to 1.16 (16 Jun 2026) Updated taglib (tag2.dll) to 2.3.0 (11 May 2026) Updated vgmstream (in_vgmstream.dll) to the latest Git commit from 28 Jun 2026 Download: WACUP 64-bit | 9.6 MB (Freeware) Download: WACUP 32-bit View: WACUP Website | Screenshots Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Dbrand thought they could get away with this Steam Machine case, Valve disagreed

      By Doli · Posted

      "over a thousand engineering hours" and started selling it but could not take a couple of minuets to send an AI email to ask permission. What an expensive lesson.
    • Can't access the forum on mobile

      By WITHOUT-ME · Posted

      just tested it yesterday, a simple page with autoloading ADS takes 60mb....just 1 page for 60 megabytes.   poor people with a limited internet never will visit neolose
    • Tor Browser 15.0.17

      By Copernic · Posted

      Tor Browser 15.0.17 by Razvan Serea Protect your privacy. Defend yourself against network surveillance and traffic analysis. Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody from watching your Internet connection and learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked. The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained. Tor Browser 15.0.17 changelog: All Platforms Updated Tor to 0.4.9.11 Updated NoScript to 13.6.25.1984 Build System / All Platforms Bug tor-browser-build#41821: Update gpg subkeys for boklm Bug tor-browser-build#41827: Update morgan's keychain with renewed key Download: Tor Browser (64-bit) | Tor Browser (32-bit) | 109.0 MB (Open Source) View: Tor Browser Website | Other Operating Systems Get alerted to all of our Software updates on Twitter at @NeowinSoftware

  • Recent Achievements

    • Week One Done
      Collagen Project earned a badge
      Week One Done
    • Reacting Well
      Wakeen1966 earned a badge
      Reacting Well
    • Rookie
      Almohandis went up a rank
      Rookie
    • Apprentice
      jahara21 went up a rank
      Apprentice
    • Reacting Well
      NovaEdgeX earned a badge
      Reacting Well

  • Popular Contributors

    1. 1
      +primortal
      526
    2. 2
      +Edouard
      265
    3. 3
      PsYcHoKiLLa
      146
    4. 4
      Steven P.
      99
    5. 5
      macoman
      55
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!