Removing old group policy information

Wed, 2008-10-08 23:49 by iantheevil

I do the IT work for 3 sister companies (two of which share the building I work at, the third is at another location). Every now and then I need to recycle a PC for a new user. The problem is that Company A is on a totally separate domain and uses a different group policy than Company B, so if I move a PC from Company A to Company B the PC ends up with a mix of group policies. A good example of this is the fact that after I move a PC from one company to the other the PC now tries to redirect the My Documents folder to both company A and B, which of course fails and makes logging off take forever. I would think that when the PC updates its policy information from the new DC it would reset anything not explicitly set up in the new DC or local policy.

I keep looking for some kind of command-line utility similar to gpupdate that will clear group policy. Alternatively, I believe it could be possible to delete the files/registry entries that store the information, but I don't know enough to feel comfortable doing that for fear I may make things worse. It's been tough finding anything relevant to my situation and was wondering if anyone had any advice for me. Thanks in advance.

Redirect problem solved

Thu, 2008-10-09 19:15 by iantheevil

I managed to find a way to remove the old synchronization info without using group policy or registry modifications, and of course it was the simplest and most obvious option.

All I had to do was right-click on 'My Documents' and select Synchronize. Before the process completed and the dialog box disappeared (because I didn't have it pinned), I clicked on a button appropriately labeled 'Setup...' and BAM! synchronization settings dialog box popped up with all kinds of customization options including the ability to add/remove a synchronization directory. So between this obvious option and your link I am good to go. Still not sure why group policy didn't remove/reset the old info rather than seeming to append to it, but I'll take what I can get. Thank you again!

Thanks for the solution

Thu, 2008-10-09 20:46 by admin

You hadn't mentioned synchronization. Your original message only mentioned policies in general, and those can be quite a few different ones.

Glad you could solve it. By the way, offline file and folder synchronization policies can be found in the group policy editor gpedit.msc under user configuration, administrative templates, network, offline files. I'm not sure though whether that was the cause of your problems. There are many ways to synchronize files and folders.

You don't have mind-reading abilities?

Fri, 2008-10-10 01:23 by iantheevil

I did mention folder redirection and that logging off took a long time, but I hadn't gone into detail, which is a no-no. I apologize for the confusion. I was trying to keep it brief, but I apparently left out some useful info.

I am quite familiar with where the components are within the group policy editor, but everything looked good. The new domain's settings were not resetting the old domain's policies entirely. Basically I would expect that when moving to another domain if there was an option that was previously enabled/set through a GPO and the same option is undefined in the new domain that the current/new domain's policy would be the winning rule. I could not find a single entry that had any old synchronization info still in it; the only spot I found old information was in the settings for synchronization. So basically it just seemed to be contradictory between what the policy was supposed to be and what was actually happening.

Group or local policies?

Thu, 2008-10-09 06:24 by admin

As I understand it, the group policies are no longer effective when the computer is removed from the domain and the cached credentials expire. You may still have local policies though.

A good tool to check which policies actually apply is already built into Windows. Enter:

gpresult

Or, for more detailed output, enter:

gpresult /z

Yet another factor is Windows Live One Care, which does things to the policies that I don't know. You may want to uninstall it if it had been installed, to get that out of the question.

The brutal way to reset the group policies is the following command, but I can't offer any guarantees that it doesn't cause some problems. Set a restore point first, so you can go back with System Restore if needed.

Windows XP (one line):

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Windows Vista (one line):

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

Details can be found at the Microsoft Knowledge Base article: How to reset security settings back to the defaults

Thanks for the quick response

Thu, 2008-10-09 18:53 by iantheevil

My problem is with old group policies from previous domain mixing with new domain's group policies. I've used gpresult and it does not show that there is anything out of the ordinary, yet every time I log off it tries to synchronize folders with the old domain's server which it has no access to anymore. I've never had Windows Live One Care installed and I don't really use local policies but I checked just to be sure and there's nothing there. I also used the more brutal approach to no avail. It ran through the process to 100% but no change, so I guess I'll just wait to see if the policy expires... any idea how long that is?

P.S. The brutal method did clear out a few pesky policies that hadn't seemed to update either so thanks for the link. I guess I made the mistake of searching using the word 'policy', not 'security'.

Solution question?

Thu, 2010-03-25 18:48 by wmkman

I have the same situation, I believe, but I also have a question before I select the box.

My problem is with the same domain but a change in the policy for the location of the syncing files. The one server where the files WERE located is now toast and a new one created. So, a new location within the same domain was created for their home folders. If I select the box under "policy removal" which states to "Redirect the folder back to the local userprofile location when policy is removed", will that just eliminate the old location it is trying to sync and leave the new one alone?

thank you

Hope this helps

Fri, 2010-03-26 03:31 by iantheevil

I'm not quite sure if you are just trying to change the location they are redirected to or if you are just trying to remove this particular policy altogether. In the first case you could just modify the GP to point to the new location.

If that's not the case then setting the policy removal to redirect back to the local user profile should set things back to the default on Win XP/Vista, which is to keep only the local versions of the file. You would probably want to make sure that the PCs receiving the updated policy have in fact received the updated policy before removing the current policy, just to be safe. You can use the Group Policy Management console (gpmc.msc) and run the Group Policy Results wizard to determine if they indeed have the new settings.

After removing the policy you should be able to see that the previously synchronized documents no longer have the "synchronized" icon, unless you already have another redirection policy in place.

So, in short, it should only remove the incorrect redirection location and leave the other one alone. If you already have another policy pointing to another location to synchronize the files you should be fine. If for some reason the old location does not disappear from the list of servers to sync with, you could try the method I used in one of my previous posts.

Hope that helps and that I wasn't too confusing.

Re: Hope this helps

Mon, 2010-03-29 19:04 by wmkman

Thank you for the reply.

I am just trying to change the location of where their documents are being redirected but I want their current documents to follow them. I tried it out on a couple and it seemed to work. The problem then arises that the group policy is still trying to sync with the other location as well and thus creating an error. During the period where the old location was dying, log ons would take anywhere from 5-20 minutes because they were trying to find the failing drive.

What I need to do now is to have GP forget where it "used to sync" to get rid of the errors.

Thank you.
