Yes and quickly the way this works is, when a client processes registry policy, it takes all the registry policy from all the GPOs and merges it into an "archive" file. It applies all those items in the archive file to the registry--both tattooing "preferences" and true "policies" (as defined by the 4 keys Laura listed). Then, the next time the client processes registry policy, it reads that archive file before it does anything, and removes those policies found in it (but not the preferences). Then it builds a new archive file composed of any policies that now apply, then it applies those as before.

I also have a reasonably in-depth discussion of this here: www.gpoguy.com/faqs/tattoo.htm

Darren
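The processing cycle described in the message above, modelled as an added example (not part of the original thread and not Microsoft code). The four policy roots are the keys Laura lists further down the thread; the setting names and the assumption that later GPOs in the list win are constructed for illustration.

```python
# Added model of the client-side cycle described above; not Microsoft code.
POLICY_ROOTS = tuple(r.lower() for r in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\policies",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies",
    r"HKEY_CURRENT_USER\SOFTWARE\policies",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies",
))

def is_true_policy(key_path):
    """True if the key sits under one of the four policy roots."""
    path = key_path.lower()
    return any(path == root or path.startswith(root + "\\") for root in POLICY_ROOTS)

class Client:
    def __init__(self):
        self.registry = {}  # (key path, value name) -> data
        self.archive = {}   # everything the previous cycle applied

    def process_registry_policy(self, gpos):
        """gpos: list of {(key, value): data} in processing order (assumed: later wins)."""
        # 1. Read the old archive and remove the true policies it recorded.
        for key, name in self.archive:
            if is_true_policy(key):
                self.registry.pop((key, name), None)
        # 2. Build a new archive from whatever applies now.
        self.archive = {}
        for gpo in gpos:
            self.archive.update(gpo)
        # 3. Apply every archived item, policies and preferences alike.
        self.registry.update(self.archive)
        return dict(self.registry)

# Constructed settings: one under a policy root, one "preference" elsewhere.
POLICY = (r"HKEY_CURRENT_USER\Software\Policies\ExampleVendor", "HideMenu")
PREFERENCE = (r"HKEY_CURRENT_USER\Software\ExampleVendor\App", "Colour")

def demo():
    client = Client()
    first = client.process_registry_policy([{POLICY: 1, PREFERENCE: "blue"}])
    # Both settings changed to "Not Configured": the GPO now contributes nothing.
    second = client.process_registry_policy([{}])
    return first, second
```

After the second cycle the value under the policy root is gone, while the preference is still in the registry: that leftover value is the tattoo.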
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, November 16, 2006 5:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

Thanks, Laura. I rarely deal with the out of the box GPO stuff and focus on writing my own ADM files. I guess a different set of rules applies there [tattooing] as you suggest.

neil

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 16 November 2006 13:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

Darren is correct. A quick and simple test- create the following policy and link it to an OU where you've placed a test user account:

1. User Configuration\Administrative Templates\Start Menu and Taskbar\Remove Documents menu from Start menu- set to enabled
2. Run gpupdate if you're logged on with the test account (this assumes the test account has the appropriate permissions to create the GPO), or log off and log on as your test user.
3. Click on Start button and note disappearance of Documents menu.
4. Edit policy and change setting to "Not configured".
5. Repeat step 2.
6. Repeat step 3 and note reappearance of Documents menu.

Having said all of the above, any settings that don't write to one of the following locations *will* tattoo the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

A very good tutorial can be found here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx

Laura

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, November 16, 2006 4:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

I thought 'Not Defined' meant 'ignore this setting and apply it as set elsewhere in other GPOs'. i.e. if it were set and then later set to not defined, the clients would continue to use the setting and ignore the change from enabled to 'not defined'.

e.g. wallpaper set to A, originally. Then wallpaper set to 'not defined'. I always believed clients would ignore any 'not defined' settings and thus continue to use wallpaper A.

Am I wrong?

neil

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 18:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

If I set an Admin template policy from "Enabled" to "Not Configured", then that GPO with "Not Configured" needs to be processed at least once by the target in order to remove the setting. So, even though GPMC might report "No Settings" (and frankly I haven't looked at how it reports other areas besides Admin. templates. For example, you can "remove" a software installation package but it is left in the GPO so that clients can process the removal. Does that mean that the GPO has "no settings"?) you might still want that GPO around to be able to undo the client--if only for a limited period of time.

Darren

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, November 15, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

>>>if a GPO had settings and doesn't anymore, it may be needed by users and computers processing GP to undo settings that were previously applied

IMHO, no settings means all settings in the GPO are set to "Not Defined". Wouldn't it, for the case you mention, need to have reverse settings or original settings and thus have settings?

jorge

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: <see sender address>

_____
From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 2006-11-15 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

Well, it depends upon the purpose of your quest, but you're correct. For example, you may not want to delete a GPO that has no settings (but does have versionNumber >0) because that may be a desirable state for it. In other words, if a GPO had settings and doesn't anymore, it may be needed by users and computers processing GP to undo settings that were previously applied. Unless you know for sure that those settings have been undone, then you can't be sure the GPO is unused.

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

Thanks Darren - that assumes the GPO is empty and always was empty, of course :)

neil

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 15:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

Another option is to perform an LDAP search on the cn=policies, cn=system container for GPC objects, and on each GPC object, look for a versionNumber attribute == 0. It's probably slightly faster than first generating the HTML report and then parsing it.

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

Thanks horhay :-^

I'd found the GPMC script but your extra logic is very useful :)

neil

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 15 November 2006 12:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

http://blogs.dirteam.com/blogs/jorge/archive/2006/11/15/Finding-unused-GPOs.aspx

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: <see sender address>

_____
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 2006-11-15 11:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Locating empty GPOs in a domain / forest

Does anyone have a script or know of a process which can be used to locate empty GPOs? i.e. GPOs which have no settings enabled or set.

The customer has hundreds of GPOs so viewing them one by one using GPMC is not a viable option :/

Many thanks,
neil

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
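
The LDAP search on cn=policies,cn=system and the versionNumber caveat discussed in the thread, worked through as an added example (not code from any participant). It triages an LDIF export of GPC objects; the LDIF sample, GUIDs, display names and domain are constructed, and the split of versionNumber into a user half (high 16 bits) and a computer half (low 16 bits) goes beyond what the thread states.

```python
# Search base (domain suffix appended by the caller) and filter for GPC objects.
GPC_CONTAINER = "CN=Policies,CN=System"
GPC_FILTER = "(objectClass=groupPolicyContainer)"

# Constructed LDIF export; GUIDs, names and domain are made up.
SAMPLE_LDIF = """\
dn: CN={11111111-1111-1111-1111-111111111111},CN=Policies,CN=System,DC=example,DC=test
displayName: Placeholder GPO
versionNumber: 0

dn: CN={22222222-2222-2222-2222-222222222222},CN=Policies,CN=System,DC=example,DC=test
displayName: Start Menu Lockdown
versionNumber: 196610

dn: CN={33333333-3333-3333-3333-333333333333},CN=Policies,CN=System,DC=example,DC=test
displayName: Old Workstation Settings
versionNumber: 5
"""

def parse_ldif(text):
    """Parse simple 'attr: value' LDIF records separated by blank lines."""
    records = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr] = value
        records.append(entry)
    return records

def split_version(version_number):
    """High 16 bits: user-side revision; low 16 bits: computer-side revision."""
    return version_number >> 16, version_number & 0xFFFF

def triage(ldif_text):
    """Return (displayName, user_rev, computer_rev, verdict) for each GPO."""
    rows = []
    for entry in parse_ldif(ldif_text):
        user_rev, computer_rev = split_version(int(entry["versionNumber"]))
        if user_rev == 0 and computer_rev == 0:
            verdict = "never edited"
        else:
            # Edited at least once: it may report no settings today, but
            # clients may still need to process it to undo earlier settings.
            verdict = "edited; review before removal"
        rows.append((entry["displayName"], user_rev, computer_rev, verdict))
    return rows
```

Only the "never edited" rows match the versionNumber == 0 search; the others need the report-based check before anyone treats them as unused.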