Friday 22 October 2010

Modifying security settings of GPO directly through SYSVOL

Occasionally you may need to remove some of the security settings applied to a GPO by editing it directly.
To do this, navigate to the policy folder in SYSVOL.
Then, inside the policy folder, browse to Machine\Microsoft\Windows NT\SecEdit and open the GptTmpl.inf file.
For example, to remove all settings associated with services, delete the lines from [Service General Setting] to the end of the last service line.
Save the file and then open GPMC (making sure the GPMC console is pointing at the same DC that you made the edit on); you'll see that all system service settings have been removed.

When is this useful? If you have been experimenting with the service security settings and then decide that you no longer want to touch the security of services through the GPO, it is pretty much impossible to reset to the default permissions without explicitly setting the default permissions on the service. At that point you're still controlling access permissions within the GPO.
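The edit described above, scripted as an added example (not code from the original post): it parses the template, reports the entries under [Service General Setting], keeps a .bak copy and rewrites the file without that section. The sample template contents are constructed, and the function names and the UTF-16 encoding of the file are assumptions of this example.

```python
import re
from pathlib import Path

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

# Constructed sample of a GptTmpl.inf (not taken from a real GPO).
SAMPLE = (
    "[Unicode]\r\nUnicode=yes\r\n"
    '[Version]\r\nsignature="$CHICAGO$"\r\nRevision=1\r\n'
    "[Service General Setting]\r\n"
    '"Spooler",4,""\r\n'
    '"RemoteRegistry",4,""\r\n'
    "[Registry Values]\r\n"
    "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1\r\n"
)

def split_sections(text):
    """Split INF text into [(section name or None, lines)] in file order."""
    sections = [(None, [])]
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), [line]))
        else:
            sections[-1][1].append(line)
    return sections

def remove_section(text, name="Service General Setting"):
    """Return (text without the section, non-blank entries that were dropped)."""
    kept, removed = [], []
    for sec, lines in split_sections(text):
        if sec is not None and sec.strip().lower() == name.lower():
            removed += [l for l in lines[1:] if l.strip()]
        else:
            kept += lines
    return "\r\n".join(kept) + "\r\n", removed

def edit_template(path, name="Service General Setting"):
    """Back up the template, then rewrite it without the named section."""
    p = Path(path)
    raw = p.read_bytes()
    # Assumption: the file is UTF-16 with a byte-order mark.
    new_text, removed = remove_section(raw.decode("utf-16"), name)
    if removed:  # only touch the file when entries were actually dropped
        p.with_name(p.name + ".bak").write_bytes(raw)
        p.write_bytes(b"\xff\xfe" + new_text.encode("utf-16-le"))
    return removed
```

Call edit_template with the path to GptTmpl.inf under the policy's Machine\Microsoft\Windows NT\SecEdit folder; the returned list is the set of service lines that were removed, which is worth recording before the change replicates.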

Monday 4 October 2010

Group Policy Preferences - Registry Items

 

This post focuses specifically on the type of Action that can be selected, and the difference between Update and Replace. Microsoft has the following references to this topic. However, to make the difference clear, the following tests several scenarios under a Replace action compared to an Update action:


Scenario: a new registry item is defined for HKLM\Software\Newkey. It is a DWORD registry item called NewItem1, with a value of 1.


The Newkey folder does not exist to begin with.

| Test | Update | Replace |
| --- | --- | --- |
| NewItem1 = 1 defined in GPO. | Registry key and value created in registry. | Registry key and value created in registry. |
| Manually add new items into registry under Newkey. | After GPO refresh they remain. | After GPO refresh they remain. |
| Update GPO so that NewItem1 = 2. | Registry updated as well. | Registry updated as well. |
| Delete NewItem1 from registry. | GPO puts it back. | GPO puts it back. |
| Manually change NewItem1 = 5 in registry. | GPO changes it back to 2. | GPO changes it back to 2. |
| Rename NewItem1 to NewItem2 in registry. | GPO creates NewItem1 again, leaving NewItem2 in place. | GPO creates NewItem1 again, leaving NewItem2 in place. |
| Rename NewItem1 to NewItem5 in GPO. | New item created in registry so that both NewItem1 and NewItem5 are present. | NewItem1 is renamed to NewItem5 in the registry as well. |
| Delete NewItem1 registry item from the GPO. | Remains in registry. | Deleted from registry. |