Friday, October 10, 2014

active directory - What happens to non-domain controller workstations/servers when user rights assignment policies are removed/no longer apply?




I'm trying to do a good ol' fashioned Group Policy Object clean-up job on our domain controller that was upgraded from Windows 2000 (Small Business I think) to Windows Server 2008R2.



In my company's domain we have a Default Domain Controllers Policy that has been linked to the entire domain. This GPO contains mostly Local Policies/User Rights Assignment policies that I want to set as closely to the defaults as possible.



What happens to the workstations'/servers' User Rights Assignments when I unlink the GPO from the entire domain and let it only apply to the Domain Controllers OU?



Do the workstations revert to their default behaviour or do I need to make a GPO to assign the workstations/servers their defaults?



Bonus Question: Is there a definitive resource, rule or list of Group Policy settings that will effectively reset to whatever the Undefined behaviour is on the computer or is that something where every setting is unique and must be researched on an individual basis?



Answer



Based on my experience of removing items from AD, group policy continues to apply and settings do not revert. Since there was a policy disabling the local administrator account in group policy, this caused no end of vexation at $former_employer.



I cannot, of course, speak to every item you might have defined via group policy. You might want to apply/unapply to a test item and see what happens.



Bonus question: Not official, but see here.
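
One way to run the test the answer suggests, as an added example that is not part of the original post: snapshot the User Rights Assignment of a test machine with `secedit` before and after the GPO is unlinked, then compare the two exports. The function names and file paths are chosen for this example; run it from an elevated PowerShell prompt.

```powershell
# Added example: snapshot and compare User Rights Assignment on a test machine.
# Function names and file paths are hypothetical, chosen for this example.

function Export-UserRights {
    param([Parameter(Mandatory)][string]$Path)
    # secedit writes the machine's current security policy as an INF file.
    secedit /export /cfg $Path /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }
}

function Read-UserRights {
    param([Parameter(Mandatory)][string]$Path)
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only the [Privilege Rights] section holds user rights.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            # Value is a comma-separated list of SIDs (*S-1-...) or account names.
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object)
        }
    }
    return $rights
}

function Compare-UserRights {
    param([hashtable]$Before, [hashtable]$After)
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        # A right missing from one snapshot compares as an empty list.
        $old = @($Before[$name]) -join ','
        $new = @($After[$name]) -join ','
        if ($old -ne $new) {
            [pscustomobject]@{ Right = $name; Before = $old; After = $new }
        }
    }
}

# 1. With the GPO still applied to the test machine:
Export-UserRights -Path "$env:TEMP\rights-before.inf"
# 2. Unlink the GPO for the test OU, run 'gpupdate /force' (or reboot), then:
# Export-UserRights -Path "$env:TEMP\rights-after.inf"
# Compare-UserRights (Read-UserRights "$env:TEMP\rights-before.inf") (Read-UserRights "$env:TEMP\rights-after.inf")
```

An empty result from `Compare-UserRights` means no user right changed after the GPO was unlinked; any row it prints shows a right whose assigned accounts differ between the two snapshots.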

