How to remove Extra Registry Settings from Default Domain Policy

group-policywindows-firewallwindows-server-2008-r2

For some reason, Windows Firewall was disabled on an AD domain of my client. The RSoP report shows the setting is originated from the Extra Registry Settings on Default Domain Policy.

If this was on any other GPO I could have just removed it, but it's the Default Domain Policy. On the Domain Controller there's no such ADM/ADMX template set up that controls these registry keys, so I can't edit them using the Group Policy Management Editor. (Probably some admin at some point had one on an external computer having the Remote Server Administration Tools installed.)

What would be the correct way to delete these settings? Should I find and install the correct ADM(X) template or is there any shortcut? (All the settings I actually need can be found under Network\Network Connections\Windows Firewall\ already, but this keeps Windows Firewall disabled for public and home networks.)

Best Answer

For this problem regarding Windows Firewall settings...

It turned out that settings made in Windows Settings were messing with the ADM(X) templates.

Computer Configuration
  |+ Policies 
     |+ Windows Settings 
        |+ Security Settings
           |+ Windows Firewall with Advanced Security - LDAP://...

Here, configuring Windows Firewall Properties for Private and Public Profile to Not configured removed everything else but Software\Policies\Microsoft\WindowsFirewall\PolicyVersion from the Extra Registry Settings. (Now, it's of course possible to set them as wanted from here, too.)

This is good, as I checked the windowsfirewall.admx in all Administrative Templates through Windows Vista, Windows 7 and Windows 10; there weren't any settings for the Private and Public profile: just for the Domain Profile and Standard Profile. If I didn't find this solution, it would have required using the methods explained below.

Removing Extra Registry Settings from Default Domain Policy in general

Easiest way to solve this would be to remove the GPO involved and re-create it with only the necessary settings. For Default Domain Policy this needs some extra steps:

Print out / Save report of all your Default Domain Policy GPO settings.
Recreate the default Group Policy Object using Dcgpofix (for the domain only, not for DC):
```
DCGPOFix /ignoreschema /target:Domain
```
Edit your policy manually to contain all the settings in the report.

Other way is to manually create a new Administrative Template containing settings for these registry keys; .admx files are XML and easy to edit with a text editor.

In this case for Windows Firewall it would have been possible to edit the windowsfirewall.admx:

Create two new categories. (I hard-coded the displayNames to avoid modifying any .admls.)
Copy all (or just the required) child policy objects of WF_Profile_Standard.
Replace contents as required: Standard with Public / Private:
- <parentCategory ref="WF_Profile_Public" />
- key="SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\...
- No need to replace any displayNames, explainTexts or presentations as they are already the same for both of the existing categories.

I'd recommend using this new template only temporarily & from a client computer having the Remote Server Administration Tools installed, instead using it directly on a DC. This way, it wouldn't cause the very problems you are trying to solve with it!

Related Solutions

Apply Registry or ADM to Group Policy for Login to Specific Servers

You're saying that you have user settings that you want to apply to users only when they logon to certain computers? Sounds difficult, eh? It's not difficult at all. It sounds like a job for loopback group policy processing!

Assume the following:

 [Domain] mydomain.com.org.net.local
  |
  |--[OU] Special Computers
  |   |
  |   |-- [Computer] COMPUTER 1
  |   |
  |   |-- [Computer] COMPUTER 2
  |   ...
  |
  |--[OU] User Accounts
      |
      |--[User] Bob
      |
      |--[User] Alice
      ...

You would like to apply a user setting (such as running a logon script, or applying other types of GPO user settings) for all users who logon to computers in the "Special Computers" OU. When they logon to computers located in other OUs, though, you do not want these special settings to apply.

Create and link a GPO to the "Special Computers" OU. Specify in that GPO all the user-related settings you want to apply.

("But wait, Evan! The user's account objects aren't in the 'Special Computers' OU!" Yes. I know that. Stay w/ me here. Most AD admins I've met don't understand loopback policy processing and get scared. I've seen horrible hacks like creating secondary user accounts for users to logon with when using "special computers", etc... >shudder<)

In the GPO you created, go into the COMPUTER "Administrative Templates", "System", "Group Policy", and locate the setting "User Group Policy loopback processing mode". Enable this setting. In the "Mode" box, choose "Replace" if you want all the user's "normal" group policy settings to be ignored and only the user policy settings in this new GPO to apply. Choose "Merge" if you want the user settings in the GPO to apply after all their normal user settings have applied.

My opinion is that this is a lot cleaner than "hacks" involving "If computer == blah" in logon scripts.

My advice to you would be to do what you're doing with a Group Policy Preference (GPP)registry settings, rather than with a logon script. It will apply one time, leaving default settings in the users' registry, but the user will be able to change the settings freely in the future without having them "smashed" each time they logon.

If these are Windows Server 2008 machines, like your tag says, then there's really no excuse not to use GPP registry settings. Have a look at the articles below for some more details. This is a really nice feature of W2K8, and something you should be taking advantage of.

http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en

http://blogs.technet.com/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx

How to erase the traces of Folder Redirection from the Default Domain Policy

In order to remove the Folder Redirection settings from a GPO properly, you need to:

As mentioned by other people here, remove the Documents and Settings folder under \\domain\sysvol\Policies\{GPO GUID}\User and the fdeploy.ini and fdeploy1.ini files contained within.

However, on its own, this will confuse the GPO Editor as it still thinks there's a Folder Redirection policy attached to the GPO. To solve this, you need to remove the association between the GPO and the Folder Redirection Group Policy Extensions (there are two, one which activates Folder Redirection editing in the GPO Editor, the other activates the actual Folder Redirection policy processing):

Open AD Users and Computers. Turn on Advanced Features (View->Advanced Features). Navigate to System->Policies->{GPO GUID}. Right click on {GPO GUID}, choose Properties. In the dialog that pops up, switch to Attribute Editor. Scroll down to gPCUserExtensionNames, and double click it.
This will pop up a dialog with a long text entry box, and a bunch of GUIDs. This attribute defines the list of GP Extensions associated with this GPO in the User context. Immediately above it you'll see the related attribute gPCMachineExtensionNames which defines the associated GP extensions in the Machine context of the GPO.
Delete the following entry from gPCUserExtensionNames : [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}]
Note that associated GP Extensions are grouped by square brackets [].
Do not touch any other entries in the attribute, or you will break other functionality in the GPO.
Click OK, and you're done.
If you're interested in what GP Extension is associated with each GUID, simply use regedit to search the registry for that GUID - e.g. try searching for 25537BA6-77A8 or 88E729D6-BDC1.