I need to remove a couple of old Group Policies that applied security settings to our servers.
(Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment).
I always thought they were tattooed on the system, like the ones in Audit Policy or Security Options, but noticed that this is not so. My test server did in fact revert to a previous setting or default setting.
Upon investigating this, I found some documentation on that.
Persistence of security settings policy
Security settings can persist even if a setting is no longer defined in the policy that originally applied it.
Security settings might persist in the following cases:
- The setting has not been previously defined for the device.
- The setting is for a registry security object.
- The settings are for a file system security object.
All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. This behavior is sometimes referred to as "tattooing".
Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values.
Now, before I clean up those GPOs, I need to know
- which systems have been tattooed by the obsolete policy settings, so I can manually revert the settings,
- and what value the security setting is going to revert to when I remove the GPO.
How can I do that?
0 Answers
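An added example, not part of the original question and not an answer posted on the page: a PowerShell script that reads the User Rights Assignment entries an obsolete GPO defines (the [Privilege Rights] section of its GptTmpl.inf under SYSVOL) and compares them with the effective rights exported from each server's local security database with `secedit /export /areas USER_RIGHTS`. Servers where the effective value still equals the GPO's value are the ones to check before the GPO is removed. The GPO GUID, the domain name and the server list are placeholders; the script assumes PowerShell remoting to the servers with an account that is a local administrator on them and can read SYSVOL.

```powershell
# Added example, not from the original post. Placeholders: replace $GpoGuid,
# $Domain and $Servers with your own values.
param(
    [string]   $GpoGuid = '{00000000-0000-0000-0000-000000000000}',  # placeholder GUID of the obsolete GPO
    [string]   $Domain  = 'corp.example.com',                          # placeholder domain DNS name
    [string[]] $Servers = @('srv01', 'srv02')                          # placeholder server names
)

# Parse the [Privilege Rights] section of secedit-style INF text (a GPO's GptTmpl.inf
# or the output of "secedit /export"). Lines look like:
#   SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
# Returns a hashtable: right name -> normalised, comma-joined, sorted list of SIDs/names.
function ConvertFrom-PrivilegeRights {
    param([string[]] $Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            # Strip the leading "*" that marks a SID, drop blanks, sort so order does not matter
            $principals = $Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ } |
                Sort-Object
            $rights[$Matches[1]] = ($principals -join ',')
        }
    }
    return $rights
}

# 1. The rights the GPO defines, read from its security template in SYSVOL.
$gpoInf = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
$gpoRights = ConvertFrom-PrivilegeRights -Lines (Get-Content -Path $gpoInf)
if ($gpoRights.Count -eq 0) { throw "No [Privilege Rights] entries found in $gpoInf" }

# 2. The effective rights on each server, exported from its local security database.
$report = foreach ($server in $Servers) {
    $exported = Invoke-Command -ComputerName $server -ScriptBlock {
        $tmp = Join-Path $env:TEMP 'ura-export.inf'
        secedit /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
        $text = Get-Content -Path $tmp
        Remove-Item -Path $tmp -Force
        $text
    }
    $effective = ConvertFrom-PrivilegeRights -Lines $exported

    # 3. For every right the GPO defines, report whether the server still carries exactly
    #    that value. A right the export does not list at all reads as $null here.
    foreach ($right in $gpoRights.Keys) {
        [pscustomobject]@{
            Server         = $server
            Right          = $right
            GpoValue       = $gpoRights[$right]
            EffectiveValue = $effective[$right]
            StillApplied   = ($effective[$right] -eq $gpoRights[$right])
        }
    }
}

$report | Sort-Object Server, Right | Format-Table -AutoSize
```

The report answers the first half of the question (which servers currently carry each value the GPO defines). It does not read the history kept in the local security database, so it cannot predict the value a right will fall back to; the practical way to learn that is to unlink the GPO from a test OU, run `gpupdate /force` on one server in it, and run the export again to see the resulting value, which is also how the questioner observed the revert on the test server.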