Is there a comprehensive collection or perhaps even a 'quick guide' to which GPO settings (or registry keys) are protected from GPO 'tattooing'? I have a few clients who have horrendous GPO policies (not well named, some are added to default domain, etc.) and in trying to clean things up, I want to ensure I don't break anything inadvertently.

Thanks!

Mike66350216

1 Answer

The Group Policy editor will only show settings that do not "tattoo", by default (that is, entries that are made in either HKLM\Software\Policies, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies, or the HKCU versions of the same). You have to alter the filter to display settings that are not "Managed" to see entries that are made outside those portions of the registry.

Settings made within those keys are removed when the policy no longer applies. Settings outside those keys will "tattoo" the registry.

StackzOfZtuff
Evan Anderson
  • Evan - Maybe you can clarify something for me. I read somewhere (although I can't find the article anymore) that the Policies keys in the registry were "emptied" and "rebuilt" on every group policy application and refresh. This makes sense to me as the performance impact of comparing every value upon a policy application/refresh in order to update, add or remove values would probably be horrendous. Can you confirm or deny that this is the behavior? Thanks. – joeqwerty Jan 09 '14 at 18:43
  • Can you clarify? If the setting is removed, does it restore it back to default setting or is the policy simply not enforced any longer? – Mike66350216 Jan 09 '14 at 19:03
  • No, policies are not compared one by one or refreshed (reapplied) – Adil Hindistan Jan 12 '14 at 22:16
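
The rule in the answer above can be applied to a GPO's stored registry settings to list the ones that will tattoo. This is an added example, not part of the original answer or comments, and it goes beyond the answer by reading a `Registry.pol` file (the `PReg` version 1 format that holds a GPO's registry-based Administrative Templates settings). The function names and the sample keys are hypothetical and the sample data is constructed.

```python
import struct

# Hive-relative roots the answer names as managed (Registry.pol keys have no hive prefix).
MANAGED_ROOTS = ("software\\policies",
                 "software\\microsoft\\windows\\currentversion\\policies")

def is_managed(key):
    """True if key is a policy root or a subkey of one (case-insensitive)."""
    k = key.strip("\\").lower()
    return any(k == r or k.startswith(r + "\\") for r in MANAGED_ROOTS)

def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _wstr(buf, pos):  # NUL-terminated UTF-16LE string -> (text, next offset)
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated string")
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_pol(buf):
    """Yield (key, value_name, reg_type, data) per [key;value;type;size;data]."""
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol")
    pos = 8
    while pos < len(buf):
        key, pos = _wstr(buf, _expect(buf, pos, "["))
        value, pos = _wstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        reg_type, size = struct.unpack_from("<I2xI", buf, pos)
        pos = _expect(buf, _expect(buf, pos + 4, ";") + 4, ";")  # both ';' checked
        yield key, value, reg_type, buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")

def tattooing_entries(buf):  # (key, value_name) pairs outside the managed roots
    return [(k, v) for k, v, _t, _d in parse_pol(buf) if not is_managed(k)]

def _entry(key, value, data):  # one constructed REG_DWORD (type 4) entry
    w = lambda s: s.encode("utf-16-le")
    return (w(f"[{key}\0;{value}\0;") + struct.pack("<I", 4) + w(";")
            + struct.pack("<I", len(data)) + w(";") + data + w("]"))

SAMPLE = b"PReg" + struct.pack("<I", 1) + b"".join(  # constructed, not a real GPO
    _entry("Software\\" + k, "ExampleValue", b"\x01\0\0\0") for k in
    ("Policies\\ExampleApp", "ExampleApp", "PoliciesBackup\\ExampleApp"))
```

Settings delivered by other Group Policy extensions are not stored in `Registry.pol`, so this check covers only registry-based settings.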