Put them all together and what do you get? That's right: GroupPolicyTattooingScriptingBlabber. That's what. I don't need to explain or define Group Policy. Nor scripting. But many folks who work in the IT field don't really understand the Group Policy characteristic known as tattooing. Relax, I'm not going to explain that one either. (insert hysterical laughter here). But I will brush up against it here a bit.
Tattooing is basically where a GPO setting is applied by virtue of scope validity, but then once the target is out of scope, the setting remains. This is because the "Not Configured" option means that nothing is affecting or manipulating the setting, so if it was set by something already, it is simply ignored, so it remains.
Need a tangible example? Ok.
You create a GPO. The GPO contains a setting to change the desktop wallpaper to a photo of a gay pride parade in downtown San Francisco. You thought it would be a great idea for your redneck buddies to see that when they log in on Monday morning. Until now, you have no GPO's that apply desktop wallpaper settings, at least not linked to the OU where the redneck buddy user accounts reside (it is a user-based setting after all). So now you go ahead and link your clever little GPO to the OU where their user accounts reside and you leave to go have a few dozen beers with some friends.
Monday comes around. You completely forgot about your little prank. Jimmy Bob gets to work, takes off his camo jacket and matching camo hat, sits down and logs on. Five minutes later, Jimmy Bob is standing over your shoulder breathing heavy. You turn to inquire as to his visit and are met with a fist to your face. Not a good Monday. After stuffing tissues in your nostrils to soak up the leaking blood, you turn back to your keyboard and mouse and unlink the GPO. You assure angry Jimmy Bob all is well and he finally leaves.
Five minutes later, Jimmy Bob returns and kicks you in the nuts with his size 12 steel toe Gortex camo hunting boots. He also spits a glob of baccky juice on you as you roll around in a fetal ball on the floor. Your IT co-workers wisely pay no attention. So you ask: "I unlinked it. Why is Jimmy Bob still hurting me?"
Because now that that GPO is unlinked, there is nothing to effectively "undo" or override the settings it effected. You have options:
- Make another GPO to forcefully modify that setting to something that causes you less physical harm, and leave it in effect.
- Make another GPO to forcefully modify that setting to something that causes you less physical harm, and then unlink it.
- Use a script or manually remove the Group Policy settings from the target computer (usually in the Registry)
Option 3 is the ugliest, and since your face is bleeding and your crotch is damaged, you probably don't feel like doing a lot of manual labor right now. And let's not forget that time is of the essence here? You need to placate Jimmy Bob soon or he will pay you another painful visit. Nerds are no match for angry moose-sized rednecks after all. So this leaves options 1 and 2. Which is best?
Option 2. Unless you plan on continuing to use that GPO for managing those settings going forward. This simply nudges the targets back into a newer configuration state and leaves alone, sort of like bumping a model ship in the water to change its course. This option also reduces subsequent startup/login processing overhead after the change has been implemented.
I told you there was blabbering involved.
Next up: Another spin on Scripting versus Group Policy…