Replacing "lockdown" PCs with GPO

David Doumani

Now that we have the AD domain up and running, we are beginning the GPO phase
of the project. Prior to being an AD environment we had 200 'lockdown' PCs
that were deployed using a local policy; there is a variety of Computer and
User configurations set.

On these existing machines I figured I would just "wipe out" the local
policy and start tossing them in the new Lockdown OU with the proper linked
GPO...

So we grabbed the standard ADM file for the XP workstations, loaded the
database and did a system compare and reset the settings that didn't match
up (i.e. the ones we changed); however, this only works for the computer
configurations, not the user configurations.

Anyone know how to reset an XP machine back to "not configured" or the
default setting for all of the user configuration options? I would prefer
to not have to write a VBScript for each and every available option in the
user configuration.

Thanks
David Doumani
 
Dave Shaw [MVP]

If you used the Security Configuration Management tool to reset the local
policy on the workstation, the only way to set it back is to explicitly
reset the settings back to what they were. You can do that by importing a
default policy back onto the machine. However, using the SCM tool to set
policy directly on the computer "tags" the registry and any changes
subsequent to that will require an explicit change to the same value.

Have you considered simply creating a policy, applying it to an OU and
placing the computer in the OU so the policy is applied?

-ds
 
David Doumani

That is exactly what the goal is; the GP is created, the OU is ready and the
test machines work fine, but I figured it would be wise to remove all the
local policy settings before letting GP manage the machine. I know the GP
will override local settings, but all things being equal I would like to
know that the local machine's policy is "default"; otherwise we might always
be guessing when we have issues.

Thanks
David
 
David Doumani

I guess it's also worth noting that there is a group (it_staff) that has the
"deny" set for the GP so the staff isn't restricted when doing desktop
work - in the NT4 world they had to load gpedit and unlock the control panel
(for example) to get to certain settings - if I leave the local policy in
place and just overwrite it, I lose the effectiveness of the group set to not
apply the GP.

The SCM only reset the computer settings and not the user configuration (at
least in my testing?)
 
