For this problem regarding Windows Firewall settings...
It turned out that settings made in Windows Settings were messing with the ADM(X) templates.
Computer Configuration
|+ Policies
   |+ Windows Settings
      |+ Security Settings
         |+ Windows Firewall with Advanced Security - LDAP://...
Here, configuring Windows Firewall Properties for Private and Public Profile to Not configured removed everything else but Software\Policies\Microsoft\WindowsFirewall\PolicyVersion from the Extra Registry Settings. (Now, it's of course possible to set them as wanted from here, too.)

This is good, as I checked the windowsfirewall.admx in all Administrative Templates through Windows Vista, Windows 7 and Windows 10; there weren't any settings for the Private and Public profile: just for the Domain Profile and Standard Profile. If I hadn't found this solution, it would have required using the methods explained below.
Removing Extra Registry Settings from Default Domain Policy in general
The easiest way to solve this would be to remove the GPO involved and re-create it with only the necessary settings. For Default Domain Policy this needs some extra steps:
- Print out / Save report of all your Default Domain Policy GPO settings.
- Recreate the default Group Policy Object using Dcgpofix (for the domain only, not for DC):
  DCGPOFix /ignoreschema /target:Domain
- Edit your policy manually to contain all the settings in the report.
Another way is to manually create a new Administrative Template containing settings for these registry keys; .admx files are XML and easy to edit with a text editor.
In this case for Windows Firewall it would have been possible to edit the windowsfirewall.admx:
Create two new categories. (I hard-coded the displayNames to avoid modifying any .admls.)

Copy all (or just the required) child policy objects of WF_Profile_Standard.
Replace contents as required: Standard with Public / Private:
<parentCategory ref="WF_Profile_Public" />
key="SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\...
- No need to replace any displayNames, explainTexts or presentations as they are already the same for both of the existing categories.
I'd recommend using this new template only temporarily & from a client computer having the Remote Server Administration Tools installed, instead of using it directly on a DC. This way, it wouldn't cause the very problems you are trying to solve with it!
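
The ADMX edit described above can also be scripted instead of done by hand. The following is an added example, not part of the original answer and not Microsoft's template: it runs on a constructed, reduced fragment in the shape of windowsfirewall.admx, and the sample policy name, the `_Public` / `_Private` name suffix and the hard-coded category display names are assumptions.

```python
import copy
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
ET.register_namespace("", NS)          # keep the default namespace on output
Q = "{%s}" % NS

# Constructed sample, reduced to the shape of windowsfirewall.admx; the policy
# name and the $(string...) references are placeholders, not the real file's.
SAMPLE = r"""<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <categories>
    <category name="WF_Profile_Standard" displayName="$(string.WF_Profile_Standard)">
      <parentCategory ref="WF_Category" />
    </category>
  </categories>
  <policies>
    <policy name="Example_EnableFirewall_Standard" class="Machine" valueName="EnableFirewall"
            displayName="$(string.Example_Name)" explainText="$(string.Example_Help)"
            key="SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile">
      <parentCategory ref="WF_Profile_Standard" />
    </policy>
  </policies>
</policyDefinitions>"""

def add_profiles(admx_text, profiles=("Public", "Private")):
    """Clone the WF_Profile_Standard category and its policies per profile."""
    root = ET.fromstring(admx_text)
    cats, pols = root.find(Q + "categories"), root.find(Q + "policies")
    src_cat = cats.find(Q + "category[@name='WF_Profile_Standard']")
    src_pols = [p for p in pols.findall(Q + "policy")
                if p.find(Q + "parentCategory").get("ref") == "WF_Profile_Standard"]
    for prof in profiles:
        cat = copy.deepcopy(src_cat)
        cat.set("name", "WF_Profile_" + prof)
        cat.set("displayName", prof + " Profile")   # hard-coded: no .adml edit
        cats.append(cat)
        for src in src_pols:
            pol = copy.deepcopy(src)
            # Policy names must be unique in the file; this suffix is an assumption.
            pol.set("name", src.get("name") + "_" + prof)
            for el in pol.iter():                   # policy key and element subkeys
                if "key" in el.attrib:
                    el.set("key", el.get("key").replace("StandardProfile", prof + "Profile"))
            pol.find(Q + "parentCategory").set("ref", "WF_Profile_" + prof)
            pols.append(pol)    # displayName / explainText / presentation untouched
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(add_profiles(SAMPLE))
```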