Not all policy settings are removed just because the GPO that delivered them no longer applies. This process I’ve described has some caveats. Once these steps have been done, the machine should be safe to remove from the domain. I also recommend doing a reboot of each machine and a gpupdate /force on any machine that you’ve moved, just in case.ģ. Until this happens, you can’t be sure that the machine really knows that it’s been moved. This is because the GP engine caches it’s OU location for a period of time before it realizes it’s been moved.
Once you’ve move the machine accounts into the blocked off OU, I recommend waiting a number of hours to go by before assuming all settings that will be removed, are removed. Setting Block Inheritance on an OU from within GPMCĢ. That’s an OU you’ve created that has no GPOs linked to it and has the “Block Inheritance” flag set on the OU (from GPMC) to prevent upstream GPOs from applying. Before unjoining the machines from the domain, move the machines to a “waystation” OU. Here are the steps I recommend to free your soon-to-be-unjoined machines from having policy settings stuck on them!ġ. So how do we go about preventing these non-domain machines from getting all kinds of policies stuck on them? First off, I recommend that if you plan to remove servers or workstations from an AD domain, and you don’t plan to re-image those machines, then BEFORE you remove them, to perform some operations to do your best to remove any GP settings that are applying to the computer accounts (keep in mind that per-user settings are usually not an issue when removing a machine from a domain because those user settings only apply to the domain user’s profile, not to the computer). In fact, Admin Template settings, which usually don’t tattoo a system under normal circumstances, end up getting stuck on machines once they’re removed from the domain, because the non-tattooing behavior of these settings requires normal domain GP processing to occur.
The challenge here is that, once a machine is removed from the domain, you don’t have any control over the policy settings that remain tattooed on them. The answer is to avoid the problem in the first place :).
A recent thread on Mark Minasi’s forum site reminded me of a topic that comes up every once in a while–namely, how do you cleanly remove Group Policy settings from a machine that has been removed from an AD domain.
0 kommentar(er)
