disable gpo [message #156344] Mon, 15 June 2009 15:49
Ondrej Sevecek (Czech Republic)
hello,

how do I disable application of Group Policy objects on

XP
2003
Vista
2008

?

a) there is the DISABLEGPO registry key, but is it really supported?
b) the Group Policy Client Service can be disabled only manually in the
registry, is it a supported way?

thank you.

ondrej.
Re: disable gpo [message #156347 is a reply to message #156344] Mon, 15 June 2009 16:00
florian (Germany)
Howdie!

Ondrej Sevecek wrote:
> a) there is the DISABLEGPO registry key, but is it really supported?

No - there isn't anything like that.

> b) the Group Policy Client Service can be disabled only manually in the
> registry, is it a supported way?

Doesn't work. You need to take the client out of the OU that has the
policies in question linked.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Re: disable gpo [message #156348 is a reply to message #156347] Mon, 15 June 2009 16:12
Ondrej Sevecek (Czech Republic)
http://www.pctools.com/guides/registry/detail/1161/

must be supported somehow. I need this to remove ent. CA from domain admins
responsibility scope.

I am going to ask on our private MCM group and will return back with
results.

o.



Re: disable gpo [message #156350 is a reply to message #156348] Mon, 15 June 2009 16:24
florian (Germany)
Howdie!

Ondrej Sevecek wrote:
> http://www.pctools.com/guides/registry/detail/1161/
>
> must be supported somehow. I need this to remove ent. CA from domain
> admins responsibility scope.
>
> I am going to ask on our private MCM group and will return back with
> results.
>

Production releases of Windows don't acknowledge that reg key. Why
wouldn't you just either disable the GP on the domain or move the
objects out?

Cheers,
Florian
Re: disable gpo [message #156352 is a reply to message #156350] Mon, 15 June 2009 16:47
Ondrej Sevecek (Czech Republic)
I am also an MVP; how do you know that production versions do not acknowledge
the reg key?
This may be something I would be interested to know.

o.


Re: disable gpo [message #156355 is a reply to message #156352] Mon, 15 June 2009 19:20
aceman (United States)
"Ondrej Sevecek" <ondrej.sevecek@community.nospam> wrote in message
news:esFh$pf7JHA.3304@TK2MSFTNGP06.phx.gbl...
> I am also MVP, how do you know, that production version do not acknowledge
> the reg key?
> this may be something I would be interested to know


Hi Ondrej,

According to the following links, they're implying that it's only for Local
GP, not domain level.
http://www.pc1news.com/enabling-disabling-local-group-policy-objects-1475.html
http://www.theeldergeek.com/enable_disable_local_group_policy.htm

And the following link states that production releases ignore this setting:
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/45018

Whether it works or not, I would imagine it will also circumvent domain
security policy settings. I would rather unlink or use some other strategy
to prevent a specific user or computer from applying by WMI filtering, or
permissions, etc.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay
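
The supported scoping options named in the post above (unlinking and permission-based filtering), sketched as an added example that is not part of the original thread. The GPO, OU and group names are hypothetical; the cmdlets come from the GroupPolicy PowerShell module that ships with GPMC/RSAT.

```powershell
# Added example: supported ways to keep one GPO from applying to specific
# computers, instead of trying to switch off Group Policy processing on them.
# All names below are hypothetical placeholders, not values from the thread.
Import-Module GroupPolicy

$GpoName    = 'Workstation-Baseline'            # hypothetical GPO
$OuDn       = 'OU=PKI,DC=example,DC=test'       # hypothetical OU holding the excluded computers
$ApplyGroup = 'GPO-Workstation-Baseline-Apply'  # hypothetical group of computers that should apply it

# Option 1: disable the GPO's link on one OU.
# The GPO itself and its links on other containers stay intact.
# (Set-GPLink fails if the GPO is not linked directly to $OuDn.)
Set-GPLink -Name $GpoName -Target $OuDn -LinkEnabled No

# Option 2: security filtering (the "permissions" route).
# Lower Authenticated Users from Apply to Read; -Replace is required because
# a lower permission level is otherwise not written over a higher one.
# Read is kept so computers can still evaluate the GPO's scope.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# Only members of the apply group get the "Apply group policy" right.
Set-GPPermission -Name $GpoName -TargetName $ApplyGroup `
    -TargetType Group -PermissionLevel GpoApply

# Verification: what still reaches the OU, and who may apply the GPO.
$inheritance = Get-GPInheritance -Target $OuDn
$inheritance.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited |
    Format-Table -AutoSize
```

Enforced links from the domain or a parent OU still show up in the inherited list and still apply, so review that output before treating a computer as out of scope.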
Re: disable gpo [message #156365 is a reply to message #156352] Tue, 16 June 2009 02:06
florian (Switzerland)
Howdie!

Ondrej Sevecek wrote:
> I am also MVP, how do you know, that production version do not
> acknowledge the reg key?
> this may be something I would be interested to know

I can't recall really. I think it was one of the conf calls with the GP
where I caught that. I'll do some research on this, though. Fact is that
you can't really disable GP processing. If you're an admin there are
ways like tweaking the registry regularly to re-modify settings GP
applies - but that involves scripting and a lot of pain.

Cheers,
Florian
Re: disable gpo [message #156368 is a reply to message #156365] Tue, 16 June 2009 03:47
Ondrej Sevecek (Czech Republic)
cool, approved even by other sources.

no supported way to disable group policy processing.

o.


Re: disable gpo [message #156388 is a reply to message #156368] Tue, 16 June 2009 09:42
florian (Switzerland)
Ondrej,

"Ondrej Sevecek" wrote:
> cool, approved even by other sources.
>
> no supported way to disable group policy processing.

Yeah - that would somehow undergo the purpose of Group Policy, wouldn't it?
One could argue that local admins should be able to stop GP processing and
GPs overall -- but wild life has shown that too many users run as local
admins and the chance that some rogue local admin disables GP processing
overall, restrictions could be circumvented.

Cheers,
Florian