GPOS and removing stale settings via GPO

[Prophecy]

Current Situation. New DC replacing old DC which is GONE no access to it what so ever.

So users have an old GPO setting for Folder Redirection. So the paths are now different on the new server. So create a new GPO it should take presidence and life should be good right? As long as your setting is not set to "not" configured it should be fine. Well when these users log off their old GPO setting with folder redirection and File syncing is still in place. So they get an error that states path cannot be found.

Besides going to each machine what way do you guys think I can force the machines to inherit policies from the new machine and not use the old.

One other google resource stated that I should just simply create a GPO that disables folder redirection and syncing have all users update then go back after this happens and force a new GPO that enables the correct path and it should remove the old tattooing.

Second situation is this weird NumLock issue.

Some Dell machines have NUMlock Enabled in the bios but when they get to windows no numlock when they go to log in. After they log in I have created a script that enables numlock but it doesnt apply till after they login. Since they use strong alpha numeric passwords they want the NUMlock enabled before they login.

Any ideas?

[_BeanZ_]

Num Lock can be enabled pre-logon by modifying the following registry key:

HKEY_USERS\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators - 0 = off, 2 = on

http://technet.microsoft.com/en-us/library/cc978657.aspx

[sc302 Veteran]

you are going to have to play with gpupdate on the pc's and use your rsop to be able to verify gpo changes.

to use gpupdate:

start

run

cmd

gpupdate

to force gpupdate:

start

run

cmd

gpupdate /force

to use rsop:

start

run

mmc

file

add/remove snap ins

add

resultant set of policy

right click resultant set of policy

generate rsop data

[Prophecy]

you are going to have to play with gpupdate on the pc's and use your rsop to be able to verify gpo changes.

to use gpupdate:

start

run

cmd

gpupdate

to force gpupdate:

start

run

cmd

gpupdate /force

to use rsop:

start

run

mmc

file

add/remove snap ins

add

resultant set of policy

right click resultant set of policy

generate rsop data

come on SC302 I got all these commands bud.. This is actually a known issue with folder redirect. The old ones stay stale. Im trying to find a way to remove it. The whole tattooing issue..

I ll see if I can come up with a work around.

[sc302 Veteran]

do the new gpo's work on new computers? I apologize for that not being helpful, but if you are applying a new gpo it should show up in there. Esp if you are micromanaging your gpo's and not using 1 or 2 gpo's for everything (like putting everything in your default domain gpo).

My gpo structure is broken down like this:

default domain controller gpo

disable microsoft firewall gpo

redirect users folder gpo

push adobe acrobat gpo

push antivirus gpo

lock taskbar gpo

user logon script gpo

enable logoff in start menu gpo

You get the idea with that. I don't use 1 gpo to do all of that, it is broken up. If I make a change to the folder redirect I can delete the gpo, and create a new one and verify that the pc's then take the new one. I do not have the issue you do with this.

Edit: Also remember gpo's get applied top down when using in conjunction with ou's.

Edited August 6, 2009 by sc302

[Joel]

Current Situation. New DC replacing old DC which is GONE no access to it what so ever.

Why not? And then why not just name the new one the same name as the old?

[Prophecy]

Why not? And then why not just name the new one the same name as the old?

Joel, Lots of Red tape. We had no access to the old dc. It was removed when we walked in and due to the other company managing the previous DC they wouldnt allow us to access it.. Bunch of BS.

SC302

Im with you, I always split up the GPO's, I usually have at least 10 on each server. Its just where the machines have some retained info in the reg poiting to an old method. The whole "tattooing" is what I keep coming across in Google.

[sc302 Veteran]

you can try this on the individual pc's giving you issues:

http://escapelogic.com/main/node/2

Good luck.

[Joel]

The recent trouble I just had with folder redirection is that the machines want the old folder as a reference point to move FROM. You could always push the registry entries back to the defaults.

Back to my original question; why not just name the new machine and domain the same as the old? You don't need the old server to accomplish that. I can think of a host of GUID issues you may get, but it doesn't hurt to try as a step of solving your redirection problem.

[1337ish]

Wont the old ones be removed if you just goto the machine, make a local admin, remove its connection to AD by switching it to workgroup mode. Then just rejoin the new domain?

[sc302 Veteran]

Wont the old ones be removed if you just goto the machine, make a local admin, remove its connection to AD by switching it to workgroup mode. Then just rejoin the new domain?

that is a lot of work (in comparison to other methods), and really not the best way to go around it. You are better off deleting the pointers in the registry.

HKLM->Software->Policies

HKLM->Software->Microsoft->Windows->CurrentVersion->Policies

HKCU->Software->Polcies

HKCU->Software->Microsoft->Windows->CurrentVersion->Policies

and if any exist delete the policies in here

%windir%\System32\GroupPolicy