Hello Sandro D'Incà,
Thank you for posting in the Q&A forum.
I'm glad I can answer this question for you and hopefully it will be helpful.
Based on the description above, you set up a User Configuration GPO, and you mentioned "basically modifying existing entries or creating new ones is working fine. but when we delete entries, these changes would not apply to some clients". Do you mean these changes do not apply to the same user account on some clients? Or do these changes apply to some user accounts, but not to other user accounts?
For example 1: the GPO changes apply to user1 on client 1, but the GPO changes do not apply to user1 on client 2.
For example 2: the GPO changes apply to user1 on client 1, but the GPO changes do not apply to user2 on client 2.
You can also export the user configuration GPO for the problematic user account and then check:
1. Sign in with one user account on the client.
2. Create a new folder on the C drive named gpofolder.
3. Open CMD (do not run as Administrator).
4. Type gpresult /h C:\gpofolder\gpo.html and press Enter.
5. Check the changes you made under "User Details".
If you are experiencing issues with the "site to zone assignment list" Group Policy template, specifically with deleting old entries or applying the changes incorrectly, there are a few potential solutions you can try:
1. GPO Application Delay: Sometimes, group policy changes may take time to propagate to client machines. Ensure that you have allowed sufficient time for the GPO to apply across the network.
2. Group Policy Refresh: Use the gpupdate /force command on the affected client machines to forcibly refresh group policy settings and ensure the changes are applied.
3. Clearing ZoneMap Entries: Instead of relying solely on modifying the "site to zone assignment list" template, you can consider using a startup script in a GPO to delete the unwanted entries from the ZoneMap registry key. This script can run with elevated privileges and remove the obsolete entries. You can use PowerShell or batch scripting to achieve this.
4. Group Policy Preferences: Instead of modifying the "site to zone assignment list" template directly, you can utilize Group Policy Preferences (GPP) to manage the ZoneMap registry key. GPP allows for more granular control over registry settings. You can create a new Group Policy Preference Registry Item to delete the specific entries from the ZoneMap registry key.
Here are the steps to create a Group Policy Preference Registry Item:
1. Open Group Policy Management Console.
2. Navigate to the desired GPO or create a new one.
3. Expand User Configuration or Computer Configuration and go to Preferences -> Windows Settings -> Registry.
4. Right-click and select New -> Registry Item.
5. Configure the Registry Item to delete the specified entries under the ZoneMap registry key. Regularly update and validate the DR plan to reflect any modifications or additions in infrastructure or critical systems.
Note: Please test in a lab first if needed; if everything works fine, you can set it up in the production environment.
Hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
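The script-based cleanup suggested in option 3, as an added example that is not part of the original answer: it compares the policy's registry values with an approved list, reports entries that should no longer be there, and deletes them only when -Remove is given. Assumptions: the "site to zone assignment list" policy stores its entries as values under the ZoneMapKey policy key shown in the script (value name = site, data = zone number), the approved list is constructed sample data, and the account running it with -Remove has write access to that key.

```powershell
# Added example (not from the original answer): list, and optionally delete,
# Site to Zone Assignment List entries that are no longer in the approved list.
# Assumption: the policy keeps its entries in the ZoneMapKey policy key below
# (value name = site, value data = zone number as a string).
[CmdletBinding()]
param(
    # Constructed sample list; replace with the entries the GPO should contain.
    [hashtable]$Approved = @{
        'https://intranet.example.test' = '1'   # 1 = Local intranet
        '*.portal.example.test'         = '2'   # 2 = Trusted sites
    },
    [switch]$Remove   # deleting needs write access to the policy key
)

$subKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$hives  = [ordered]@{
    HKCU = [Microsoft.Win32.Registry]::CurrentUser    # User Configuration
    HKLM = [Microsoft.Win32.Registry]::LocalMachine   # Computer Configuration
}

foreach ($hive in $hives.GetEnumerator()) {
    # Open read-only for a report, writable only when -Remove was requested.
    try { $key = $hive.Value.OpenSubKey($subKey, $Remove.IsPresent) }
    catch {
        Write-Warning "$($hive.Key): cannot open policy key: $($_.Exception.Message)"
        continue
    }
    if ($null -eq $key) { continue }          # policy not present in this hive
    try {
        foreach ($site in $key.GetValueNames()) {
            if ($site -eq '') { continue }    # skip the key's default value
            $zone   = [string]$key.GetValue($site)
            $status = 'OK'
            if (-not $Approved.ContainsKey($site)) { $status = 'Stale' }
            elseif ($Approved[$site] -ne $zone)    { $status = 'ZoneMismatch' }
            if ($status -eq 'Stale' -and $Remove) {
                # DeleteValue takes the literal name, so '*' in a site name is not a wildcard.
                $key.DeleteValue($site, $false)
                $status = 'Removed'
            }
            [pscustomobject]@{ Hive = $hive.Key; Site = $site; Zone = $zone; Status = $status }
        }
    }
    finally { $key.Dispose() }
}
```

Run it without -Remove first to get a read-only report of what is still present on an affected client, and compare that with the gpresult output.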