onetech-it asked sikumars commented

Question about workstation legacy GPOs when disconnecting from Windows AD domain and joining Azure AD?

We have a number of Windows 10 workstations currently joined to a legacy Windows 2016 Active Directory domain, that we are about to retire and move to a completely new Microsoft 365 Azure AD domain.

The legacy Windows 2016 domain pushed GPOs to the workstations, that we don't want enforced once connected to Azure AD. When the machine gets unjoined from the Windows 2016 domain, and then added to the Microsoft 365 Azure AD tenant, will all the local GPO settings on the workstations be reset back to what would be considered a 'zero state' and then only system policies that are pushed from Azure AD will be set on the Windows 10 client systems?

Tags: azure-active-directory, windows-10-network, windows-group-policy

@onetech-it ,

I just wanted to check in and see if you had any other questions or if you were able to resolve this issue? If you have any other questions, please let us know. Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Dev073 answered onetech-it commented

Hi,

User Policy GPOs are fine, since they apply to user profiles and not computers. However, the computer policy settings might get tattooed when you disjoin the machine from the domain. It won't be clean.

I would recommend you move the workstations to a clean OU and block inheritance. This process will clean up a good number of GPOs, like template-based ones, but certain policies will still remain on the machine, like security options.

This is the closest easy option for clean-up; otherwise, reimaging is the best way to clean.


OK, just so I think I've got this covered, what you're recommending is:

  1. Create a new OU in the domain, and block all GPO inheritance on it.

  2. Move my affected workstations into that OU.

  3. Run a gpupdate /force from the workstation to have the new OU 'clean' the local machine's previous Group Policies.

With regards to the security options, where would I look on the local workstation to see what non-standard sec options might have been issued to it by the domain?

You are correct that I'm desperately trying to not have to reimage these machines, in order to clean up their local Group Policy settings before moving them over to this new, but not Windows AD sync'd, Microsoft 365 tenant.


Yes, the understanding is right. Follow those 3 steps.

rsop.msc: once the console opens, you will be able to see which settings have been applied to your PC.
Also, from the command line: gpresult /Scope Computer /v

LimitlessTechnology-2700 answered

Hello Onetech-it

In order to ensure that all policies have been removed, you can always run the following actions (after the domain disjoin) on computers that still retain some policies:

gpupdate /target:computer /force /boot

Delete GPO cache: "%ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History\*.*"
Delete HKLM\SOFTWARE\Policies
Delete HKLM\SOFTWARE\Policies\Microsoft\Windows\System!UserPolicyMode (defines loopback mode)
Delete C:\WINDOWS\security\Database\secedit.sdb
Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
Delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
Delete HKLM\SOFTWARE\Microsoft\Group Policy
--If the reply is helpful, please Upvote and Accept as answer--

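Before deleting the locations listed in the answer above, a practitioner would want to see what is actually still tattooed there and keep a way back. The following PowerShell is an added example, not code from the thread or from Microsoft; it inventories the same registry keys and files the answer names and exports the keys with reg.exe so a deletion can be reversed. The $BackupDir location is an assumption, and the History folder is taken as %ALLUSERSPROFILE%\Microsoft\Group Policy\History, which is where the "Application Data" junction resolves on Windows 10.

```powershell
# Added example (not from the thread): audit the policy residue locations named in the
# answer above, and export the registry keys before anything is deleted.
# Run from an elevated PowerShell on the already-disjoined workstation.
# $BackupDir is an assumption; the registry and file paths are those named in the answer.
$BackupDir = Join-Path $env:TEMP ('gpo-residue-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

$RegistryPaths = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy',
    'HKLM:\SOFTWARE\Microsoft\Group Policy'
)
$FilePaths = @(
    # Assumption: the "Application Data" junction resolves to this path on Windows 10.
    (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Group Policy\History'),
    (Join-Path $env:windir 'security\Database\secedit.sdb')
)

function Get-PolicyResidue {
    # One row per location: how many registry values (recursively) or files remain.
    foreach ($key in $RegistryPaths) {
        if (-not (Test-Path $key)) { continue }
        $keys = @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
        $count = ($keys | ForEach-Object { $_.ValueCount } | Measure-Object -Sum).Sum
        [pscustomobject]@{ Location = $key; Kind = 'Registry'; Items = [int]$count }
    }
    foreach ($file in $FilePaths) {
        if (-not (Test-Path $file)) { continue }
        $count = @(Get-ChildItem $file -Recurse -File -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{ Location = $file; Kind = 'File'; Items = $count }
    }
    # Loopback processing is the value the answer singles out; report it explicitly.
    $loop = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
        -Name UserPolicyMode -ErrorAction SilentlyContinue
    if ($loop) {
        [pscustomobject]@{ Location = 'UserPolicyMode (loopback)'; Kind = 'Value'; Items = $loop.UserPolicyMode }
    }
}

function Backup-PolicyKeys {
    # reg.exe export writes .reg files that can be re-imported if a deletion has to be undone.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $RegistryPaths) {
        $native = $key -replace '^HKLM:\\', 'HKLM\'
        $out = Join-Path $BackupDir (($native -replace '[\\ ]', '_') + '.reg')
        reg.exe export $native $out /y | Out-Null
    }
    $BackupDir   # return the folder holding the exports
}

Get-PolicyResidue | Format-Table -AutoSize
Backup-PolicyKeys
```

Run Get-PolicyResidue again after the cleanup steps (and after gpupdate) to confirm the counts have dropped, and compare against gpresult /Scope Computer /v for anything still reported as applied.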