I need to remove a few outdated Group Policies that applied security settings to our servers.
(Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment).
I always thought they were tattooed on the system, like those in Audit Policy or Security Options, but found out that this isn't so. My test server did in fact revert to a previous setting or default setting.
Upon investigating this, I found some documentation on that.
Persistence of security settings policy
Security settings can persist even when a setting is no longer defined in the policy that originally applied it.
Security settings may persist in the following cases:
- The setting has not been previously defined for the machine.
- The setting is for a registry security object.
- The settings are for a file system security object.
All settings applied by local policy or by a Group Policy Object are saved in a local database on your computer. Every time a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value doesn't exist in the database then the setting doesn't revert to anything and stays defined as is. This behavior is usually known as "tattooing".
Registry and file security settings will keep the values applied by Group Policy until that setting is set to other values.
Now, before I clean up these GPOs, I need to know
- which systems have been tattooed by the obsolete policy settings, so I can manually revert the settings,
- and what was the value that the security setting is going to revert to, after I remove the GPO.
How can I do this?
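
An added example (not part of the original post or of the quoted documentation) for the first question: it compares the `[Privilege Rights]` section of the obsolete GPO's `GptTmpl.inf` with a per-server export taken with `secedit /export /cfg <file> /areas USER_RIGHTS` and reports which rights on that server still carry the GPO's value. The sample file contents, the function names and the treatment of a right missing from the export as "no principals" are assumptions; the comparison does not recover the value a setting would revert to.

```python
# Constructed sample: security template of the obsolete GPO (GptTmpl.inf).
GPO_TEMPLATE = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546
SeBackupPrivilege =
"""

# Constructed sample: one server's export of its effective user rights.
SERVER_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-1001
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: frozenset(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; names and SIDs are compared as plain text.
            rights[name.strip()] = frozenset(
                p.strip().lstrip("*").upper() for p in value.split(",") if p.strip())
    return rights

def rights_still_set_by_gpo(gpo_inf, export_inf):
    """For each right the GPO defines, say whether the server's value equals it."""
    gpo, effective = parse_privilege_rights(gpo_inf), parse_privilege_rights(export_inf)
    # Assumption: a right absent from the export has no principals assigned.
    return {right: "matches-gpo" if effective.get(right, frozenset()) == wanted else "differs"
            for right, wanted in gpo.items()}

if __name__ == "__main__":
    for right, state in rights_still_set_by_gpo(GPO_TEMPLATE, SERVER_EXPORT).items():
        print(f"{right}: {state}")
```

A principal written as an account name in one file and as a SID in the other is reported as "differs", so resolve names to SIDs before comparing if the files mix both forms.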