Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy
"Bruce Sanderson" <Bruce.Sanderson@junk.junk> wrote in message
news:O%23EuNHiOFHA.328@TK2MSFTNGP10.phx.gbl...
> My understanding of the design of the Group Policy infrastructure and my
> experience is that, for "true policies", if the object (i.e. user or
> computer account) gets removed from the scope of a GPO, settings made via
> GPO are removed and settings from other GPOs that are still in scope or
> local settings will apply. For some computer settings, a restart may be
> required.
Some parts of GPO work that way, but others don't. The software Installation
part works that way and can be toggled on and off. I used that when
experimenting with XP-SP2 before full deployment so that if I had problems I
could move the machine(s) out of the OU and it would remove the SP2.
> For example:
> 1. create a GPO that enables the Windows XP SP2 Firewall and configures the
> Domain Profile and Standard Profile to prevent local exceptions
The Firewall GPO is a "special" one because of the double profile
(Domain/Standard), but not all GPOs have those as options. I also use that
one here with our laptops so that the Firewall is off while on the Domain
and on when off the Domain. But there is nothing being "removed" or being
returned to Defaults here,..it is just responding to one of two possible
settings based on the environment at the moment.
> Here's a quote (in the section called "Windows NT 4.0 and Windows 2000
> Policy Setting Comparison" on page 84) from the Group Policy Infrastructure
> document at
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=d26e88bc-d445-4e8f-aa4e-b9c27061f7ca&displaylang=en
>
> "The Windows NT 4.0 effect of persistent registry settings can be
> problematic when a user's group membership is changed. An advantage of
> Windows 2000 Group Policy is that this does not occur. When a GPO no longer
> applies, registry settings written to the following secure registry
> locations are removed:
> ...........<snip>...................
> Although this quote specifically mentions users, it also applies to computer
> policies whose settings are stored in the HKLM locations identified in the
> quote (for example, the firewall settings I mentioned above). Almost all of
> the settings supplied by Microsoft are of the "true policy" type, although
> there are some exceptions (for example, Folder Redirection - removing this
> setting does not necessarily remove the folder redirection).
Yes, but it is the ones that aren't the "true policy" type that I worry
about. I used to assume they would all "roll back" when un-applied, but
after several hours at the MVP Mini-Summit in November with an MVP more
knowledgeable than I explaining that not everything will not "roll back" I
take the position that I do now. I'm a little reluctant to do another "180"
again,...I don't want tossed back and forth every time I run across someone
with a different opinion.
But like I tried to tell Jeff, ..although I mistyped it the first
time,...I'm not trying to create some kind of "absolute laws" here,...I am
just cautioning the OP to not get overzealous with GPO. I see a lot of people
in the different groups that do just that,...treat GPO as the Universal
Monkey Wrench as I said earlier,...have it tie their shoes for them, warm
their coffee and tell them what color shirt their worst user is wearing, and
turn their domain into such a twisted can of worms that they can never get
out of it. I think some of it is a little bit of "Admin laziness" where no
one wants to actually get up out of their chair and walk somewhere once in a
while.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com