Deleted the GPO but it still applies!

[mlayte]

After deleting the GPO it still applies the restrictions, even to admins and on the server itself! The only way I can get around this is to logon with the "administrator" account. Please help, thanks

Mark

[PreviousPoster]

I'm presuming that the group policy settings have been refreshed, and restart/logoff depending on node settings has been performed?

Have you performed RSOP to determine if the group policy object settings are still being applied by your deleted group policy object or that a second group policy object is now the winning group policy object and is appling the exact/similar settings.

What troubleshooting steps have you performed?

[mlayte]

I did run gpupdate at the command prompt and restarted the server. I will have to look into RSOP. The only GPO's left are the default domain and controller policy which have not been changed. I can't understand after deleting the policy that the desktop lockdowns are still in effect even for the admin accounts and logging on at the server!!!! Thanks for your quick response.

Mark

[JerryC]

Security settings are not like Administrative Template "registry-based" settings. Whenever you apply security settings with a domain-side GPO, you have to use that same or a different GPO to reset them to something else (perhaps the original defaults?) using as domain-side GPO or they remain effective on the targeted devices. Once you have reset them on all targeted device, "then" you may remove the GPO.

[mlayte]

RSOP does not show any restrictions in effect. Isn't there a way to start over with nothing applied? I have deleted the GPO on the DC, (there is only 1 server) rebooted, gpupdate /force, etc. The whole deal started when the GPO was affecting admin accounts as well as the users targeted. I read Jeremy's book and performed the steps to deny gp from affecting admins but it still affected them so I deleted the GPO to start from scratch but cannot get there. I'm hoping for a way, short of blowing the domain away, of starting fresh with GP. Thanks

[JerryC]

Are you asking whether their a way to reset with two master GPOs (DDP and DDCP) to their default values?

If so, then yes, there is. Look up information on the DCGPOFix utility. But be VERY CAREFUL and make backups of your current versions first (run nhardcopy reports as well for reference).

If not, then I would need more information on what you are trying to reset....because as I noted, if you apply a security settings (like a User Rights Assignment setting), then just removing the GPO will not reset the original values... and it wouldn't show up in an RSoP report.