Unable to delete objects on a machine local policy

GONZALEZ-T 0 Reputation points
2024-02-15T14:07:48.07+00:00

Hello,

  1. Incident description: I'm contacting you about a problem when deleting a user or a group on the machine local policy "Allow remote desktop services to log on" and "Deny remote desktop services to log on". Once groups and users have been added to these settings, they can no longer be removed. Despite validating changes with the OK or Applied button, when I return to the menu, the deleted users and groups reappear (which doesn't happen when I add a group/user).
  2. Background: This incident occurred on workstations belonging to a domain and running Windows 11. No GPO applies to these parameters (apart from the GPO used for the test). No error message when validating the deletion, but the modifications concerning the deletion are not taken into account.
  3. Test performed on a Windows 11 - 21H2 - 22000.2538 workstation: Whether using a GPO or manually with a domain/local administrator account directly on the workstation, it doesn't work. Repairing with sfc /scannow or Dism.exe /online /cleanup-image /restorehealth doesn't work either. Removing the "C:\Windows\System32\GroupPolicy" folders before redoing a gpupdate /force doesn't work either.

I'm trying to figure out how to solve this problem without formatting the workstations. Do you have any idea about the cause of the incident and how to remedy it? I remain at your disposal should you require any further information.

Best regards,

2 answers

  1. Wesley Li 11,245 Reputation points
    2024-02-16T07:54:11.9966667+00:00

    Hello,

    It seems like you’re experiencing a problem where changes to the local policy settings on your Windows 11 workstation are not being saved. This could be due to a number of reasons, such as a corrupted Group Policy, issues with the registry.pol file, or conflicts with third-party software. Here are some steps you can take to troubleshoot and potentially resolve the problem:

    1. Reset Group Policy to Default: Resetting Group Policy to its default state can help resolve any issues caused by incorrect settings. You can do this by running the following command in an elevated command prompt:

       secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

       After running the above command, restart your computer for the changes to take effect.
    2. Delete & Recreate missing registry.pol file: All Group Policy settings are stored in the registry.pol file. If this file is missing, any changes pushed to the client will not reflect at all. The good news is that you can recreate it. Just to make sure, delete the file, even if it exists. Navigate to C:\Windows\System32\GroupPolicy\Machine\. Check if it has the registry.pol file. Delete it permanently using Shift + Delete. To recreate it, open PowerShell with admin privileges (Win+X+A). Execute the following command to refresh Group Policy settings:

       gpupdate /force

       This will refresh Group Policy and recreate the Group Policy file.

    If none of these steps work, you might need to consider more drastic measures such as creating a new local user account, or as a last resort, reinstalling Windows.

  2. GONZALEZ-T 0 Reputation points
    2024-02-22T09:30:45.9933333+00:00

    I did the 2 previous steps, without success. Then, I launched the "local Group Policy Editor" and:

    1. Right-click > properties on "Local computer strategy/policy" and check the option "disable computer configuration settings".
    2. Delete the problematic objects from my local strategy.
    3. (test) Close and reopen the menu, check that the strategies have been modified correctly.
    4. Re-enable the option in the "local computer strategy" properties.

    Hopefully this will help someone else.
    0 comments No comments
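
To confirm that a removal really persisted, independent of what the Local Group Policy Editor displays, the effective assignments can be exported with secedit and read directly. This is an added example, not part of the original posts: the function names and the temporary file name are assumptions, and SeRemoteInteractiveLogonRight / SeDenyRemoteInteractiveLogonRight are the Windows privilege constants behind the two Remote Desktop Services logon rights discussed in the thread.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$rights = @{
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

function Resolve-Principal([string]$Entry) {
    # secedit writes SIDs as *S-1-...; account names are written as-is.
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sid = $Entry.Substring(1)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # A SID that no longer maps to an account is worth noticing here.
        "$sid (unresolved)"
    }
}

function Get-RdpLogonRights([string[]]$InfLines) {
    # Parses "SeXxxRight = entry,entry" lines from the [Privilege Rights] section.
    foreach ($line in $InfLines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
            $name = $Matches[1]
            $members = $Matches[2]
            foreach ($e in ($members -split ',')) {
                $e = $e.Trim()
                if ($e) {
                    [pscustomobject]@{
                        Right     = $name
                        Policy    = $rights[$name]
                        Principal = Resolve-Principal $e
                    }
                }
            }
        }
    }
}

# Constructed sample input, to show the export format without touching the system:
$sample = '[Privilege Rights]',
          'SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555'
Get-RdpLogonRights $sample | Format-Table -AutoSize

# Live check: export only the user-rights area and parse it.
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # assumed file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-RdpLogonRights (Get-Content $cfg) | Format-Table -AutoSize
Remove-Item $cfg
```

Run it before and after removing an entry in the editor and compare the two outputs. A right that has no line at all in the export is assigned to nobody.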
