Question about workstation legacy GPOs when disconnecting from Windows AD domain and joining Azure AD?

OneTech IT 141 Reputation points
2021-10-16T15:08:58.997+00:00

We have a number of Windows 10 workstations currently joined to a legacy Windows 2016 Active Directory domain that we are about to retire and replace with a completely new Microsoft 365 Azure AD domain.

The legacy Windows 2016 domain pushed GPOs to the workstations that we don't want enforced once they are connected to Azure AD. When a machine is unjoined from the Windows 2016 domain and then added to the Microsoft 365 Azure AD tenant, will all the local GPO settings on the workstation be reset back to what would be considered a 'zero state', so that only the system policies pushed from Azure AD are set on the Windows 10 client systems?


2 answers

  1. Devaraj G 2,091 Reputation points
    2021-10-17T02:40:40.723+00:00

    Hi,

    User Policy GPOs are fine, since they apply to user profiles and not computers. However, the computer policy settings might get tattooed when you disjoin the machine from the domain. It won't be clean.

    I would recommend you move the workstations to a clean OU and block inheritance. This process will clean up a good number of GPOs, like the template-based ones, but certain policies will still remain on the machine, like security options.

    This will be a close, easy option to clean up; otherwise, a reimage is the best way to clean.
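    The "clean OU with blocked inheritance" step above, as an added PowerShell example (not part of the answer). It assumes the RSAT ActiveDirectory and GroupPolicy modules on a management host with rights to create OUs, edit GPO links and move computer objects; the OU name and computer names are placeholders. It also reports enforced links, because an enforced GPO still applies through a blocked-inheritance OU.

    ```powershell
    # Added example, not from the original answer. Placeholder names throughout.
    Import-Module ActiveDirectory
    Import-Module GroupPolicy

    $DomainDN  = (Get-ADDomain).DistinguishedName
    $OUName    = 'Pre-AAD-Staging'                 # placeholder OU name
    $StagingOU = "OU=$OUName,$DomainDN"
    $Computers = @('WS-001', 'WS-002')             # placeholder computer names

    # 1. Create the staging OU if it is missing. It is temporary, so do not
    #    protect it from deletion.
    try {
        $null = Get-ADOrganizationalUnit -Identity $StagingOU
    } catch {
        New-ADOrganizationalUnit -Name $OUName -Path $DomainDN `
            -ProtectedFromAccidentalDeletion $false
    }

    # 2. Block inheritance so domain- and parent-OU-linked GPOs stop applying here.
    Set-GPInheritance -Target $StagingOU -IsBlocked Yes

    # Enforced links override blocked inheritance; list any that survive so they
    # can be unlinked or accepted deliberately before the disjoin.
    $inh = Get-GPInheritance -Target $StagingOU
    $inh.InheritedGpoLinks | Where-Object { $_.Enforced } |
        Format-Table DisplayName, Target -AutoSize

    # 3. Move the computer objects into the staging OU.
    foreach ($name in $Computers) {
        $c = Get-ADComputer -Identity $name
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $StagingOU
    }

    # 4. Force a computer-policy refresh on each workstation and record what still
    #    applies. Invoke-GPUpdate and Invoke-Command need RPC/WinRM to the client.
    foreach ($name in $Computers) {
        Invoke-GPUpdate -Computer $name -Target Computer -Force -RandomDelayInMinutes 0
        Invoke-Command -ComputerName $name -ScriptBlock {
            gpresult /r /scope:computer
        }
    }
    ```

    The gpresult output is the check worth keeping: the "Applied Group Policy Objects" list should shrink to Local Group Policy plus any enforced GPOs reported in step 2. Settings that remain after that (account policy, user rights, security options from the Security Settings extension) are the tattooed ones the answer refers to, and a later refresh will not remove them.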


  2. Limitless Technology 39,301 Reputation points
    2021-10-22T08:16:02.237+00:00

    Hello Onetech-it

    In order to ensure that all policies have been removed, you can always run the following actions on computers that still retain some policies (after the domain disjoin):

    gpupdate /target:computer /force /boot

    Delete the GPO cache: %ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*
    Delete HKLM\SOFTWARE\Policies
    Delete HKLM\SOFTWARE\Policies\Microsoft\Windows\System!UserPolicyMode (defines loopback mode)
    Delete C:\WINDOWS\security\Database\secedit.sdb
    Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
    Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
    Delete HKLM\SOFTWARE\Microsoft\Group Policy


    --If the reply is helpful, please Upvote and Accept as answer--

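    The cleanup steps above as one added PowerShell script (not the answer's own code). It assumes an elevated session on the workstation after it has left the domain and before the Azure AD join, and it exports every key and file before deleting it so the step can be reversed. The secedit reset to the default template is an addition not listed in the answer: deleting secedit.sdb alone does not revert security settings that were already applied to the live configuration.

    ```powershell
    #Requires -RunAsAdministrator
    # Added example, not from the original answer. Run elevated, after domain disjoin.

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $env:SystemDrive "GPCleanupBackup-$stamp"
    New-Item -ItemType Directory -Path $backup -Force | Out-Null

    # Registry locations where computer policy state is tattooed. The loopback
    # value (System\UserPolicyMode) lives under HKLM\SOFTWARE\Policies and goes with it.
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy',
        'HKLM:\SOFTWARE\Microsoft\Group Policy'
    )

    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        # Export with reg.exe (wants HKEY_LOCAL_MACHINE\..., not the PS drive form).
        $regPath = $key -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
        $file    = Join-Path $backup (($key -replace '[:\\ ]', '_') + '.reg')
        reg.exe export $regPath $file /y | Out-Null
        Remove-Item -Path $key -Recurse -Force
    }

    # Group Policy history cache. On Windows 10 this is %ProgramData%\Microsoft\Group Policy\History;
    # the %ALLUSERSPROFILE%\Application Data path in the answer is a junction to the same place.
    $history = Join-Path $env:ProgramData 'Microsoft\Group Policy\History'
    if (Test-Path $history) {
        Copy-Item $history (Join-Path $backup 'History') -Recurse -Force
        Remove-Item "$history\*" -Recurse -Force
    }

    # Local security policy database (account policy, audit policy, user rights,
    # security options). Back it up, then reset the live security configuration to
    # the Windows default template and let secedit rebuild the database.
    $secedit = Join-Path $env:windir 'security\Database\secedit.sdb'
    if (Test-Path $secedit) { Copy-Item $secedit $backup -Force }
    $defaultInf = Join-Path $env:windir 'inf\defltbase.inf'
    secedit.exe /configure /cfg $defaultInf /db defltbase.sdb /verbose

    # Re-run policy processing. With no domain, only Local Group Policy is applied;
    # /boot reboots if a computer setting requires it.
    gpupdate.exe /target:computer /force /boot

    # Verification: policy keys should be absent or empty, and gpresult should list
    # only Local Group Policy under the computer scope.
    foreach ($key in $policyKeys) {
        $n = if (Test-Path $key) { (Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue).Count } else { 0 }
        "{0,-70} {1} subkeys" -f $key, $n
    }
    gpresult.exe /r /scope:computer
    ```

    Run it once per workstation and keep the backup folder until the Azure AD join and the first Intune/MDM policy sync have been confirmed; the .reg exports restore any key with `reg import` if something the workstation depended on turns out to have been set by the old domain policy rather than tattooed by it.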