Mark Minasi's Windows 2000/NT/XP/2003 Newsletter
Issue #32 Late March 2003 "Short Edition"
This issue: How To Reset and Un-Do Group Policies!
News
Hello all --
For years, I've said that "the two most effective Microsoft repair tools
are 'reboot' and 'reinstall,'" only half in jest. But the sad truth
is that far too many irritations can only be solved with a wipe-and-rebuild, or
so it's seemed until recently. Granted, the widespread use of Ghost and
similar products makes re-imaging/re-cloning a system pretty quick -- but I've
always found it chagrining to have to abandon a system altogether just to fix a
small but persistent irritation.
In the last issue, I showed how to fix two things that people have told me
have driven them to reinstall frenzy -- strange behavior from IE (can't save
images, can't do "view source") and from Media Player (plays videos in
black-and-white only). After I put the newsletter out, however, it dawned
on me that I'd come across other desktop oddities and fixes, hence this
special "short" edition. In this issue, I show you how to reset
local or domain-based group policies on a system; I think you'll find it useful.
ONLY TWO WEEKS LEFT! "XP Professional for Support Professionals" in Kansas City April 3/4
We've got a MUCH smaller public seminar schedule this year, so if you'd like
to take the next step in becoming a complete XP guru then it's just two weeks
before our next XP seminar, the last for a while. (See the entire schedule
at www.minasi.com/pubsems.htm.)
This is the in-depth, XP geek course that picks up where Mastering Windows XP Professional left
off. Learn how software restrictions let you control what runs and doesn't
run on your desktop, including the simple way to use software restrictions to
ward off e-mail viruses. Conquer the remote assistance and remote desktop
features' thorny sides. Figure out how to make the apps that worked under
95, NT or 2000 work under XP. Discover all of the stuff about XP that you
HAVEN'T heard about. (Then, once you've heard about that stuff, learn the
Registry and Group Policy tweaks you'll need to keep it under control.)
And lots more; take a peek at the course brochure at www.minasi.com/xpsupport.htm
for more info. We've got a few seats left; come join us in KC!
ONLY THREE WEEKS LEFT! (For the lower price, anyway) Order "12 Tips to Secure Your Network" and
"Tuning 2000, XP and 2003" Before 10 April
My two new audio CDs are coming along well and it looks like we're going to
hit our target ship date of 10 April. But there's still time to pick up a
CD talk before the pre-sales price goes away. $24.95 for the Tuning talk
(one CD) or $49.95 for the Security talk. Info on
the security talk at www.minasi.com/secaudio.htm
and info on the tuning talk at www.minasi.com/tuneaudio.htm.
You Can Now Resize the Newsletter's Text
By the way, one of you e-mailed me to point out that some of you like to read
the HTML version of the newsletter online and to use the ctrl-scroll or
View/Text Size feature of IE to make the newsletter a bit easier on the eyes,
but that my fixed text size defeats you. My apologies... starting this
month, the list items and main text do not have fixed text sizes. You'd
think that a guy with reading glasses like me would have known that, but it
slipped my notice. Note that I haven't tinkered with the heading sizes, so
making the text REALLY big makes the document look a bit strange. Easy to
read, granted ... but strange!
How To Reset A System's Local Group Machine Policies to "Fresh Out Of The Box"
Group policies are the way to control a 2000, XP or 2003 system.
But they have something of a black-box feel to them, in that
they're hard to troubleshoot despite the XP and 2003 "resultant set of
policy" (RSOP) tools. And even then, the RSOP tools are most useful in an
Active Directory-based domain with centralized group policies, and not everyone
has an AD.
Sometimes I want to take a system and wipe it clean of any domain or local
group machine policies, to essentially reset its state to "just
installed." As policies live in several places, that's not as easy as
it sounds. Here's what I've found useful.
There is no single place where policies live. When you fire up
gpedit.msc or Local Security Policy (secpol.msc), you're directly tweaking
items in many parts of the Registry, as well as creating or modifying data in
\windows\system32\GroupPolicy. (It's a hidden directory, so set Folder
Options to show hidden files and folders if you want to look in it. And if
you're running Windows 2000, then the directory is \winnt\system32\GroupPolicy.)
Most of the changes to machine policies seem to live in HKEY_LOCAL_MACHINE\Security
and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft, as well as a file named
Registry.pol in \windows\system32\GroupPolicy\Machine. Here are the basic
steps that I've found allow me to reset a system to almost new:
- Reset HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft to an out-of-the-box
state by restoring a copy taken from a freshly-installed system.
- Delete \windows\system32\GroupPolicy\Machine\Registry.pol, if it exists.
- Run the Setup Security template.
Here's more detail on the rollback steps.
Every XP, 2003 and 2000 system includes a security settings template at
\windows\security\templates\setup security.inf. (Again, 2000 systems will
use \winnt, not \windows.) Apply the template from the command line like
so:
secedit /configure /db junk /cfg "c:\windows\security\templates\setup security.inf" /overwrite /quiet
In that command -- which should be typed as all one line -- you're telling
secedit to use a template named "c:\windows\security\templates\setup
security.inf" to create a security database called "junk" and to
overwrite any existing security databases called "junk." We're
only doing this because secedit can't directly apply a security template; it
must first create the security database, and then it applies the security
database.
This command may take a bit of time to run; run Task Manager and you'll see
secedit.exe in the list of running processes while it's working. (Or leave
off the /quiet and it'll yammer at you while it's working.)
Applying that template will reset many security settings, but not,
unfortunately, all. For example, software restriction policies will not
be rolled back, and IPSec filters won't be restored to their initial state just
by running "setup security.inf." To roll those back, we'll
restore a Registry key, HKLM\Software\Policies\Microsoft. That's the key
where most of the policy information lives. The easiest way to roll back
most policies, then, is to restore this key to its pristine state. And
the easiest way to do that is to grab the HKLM\Software\Policies\Microsoft
key from a newly-installed system, or for that matter one that hasn't had any
policy work done on it. (But before you do all this work, check your
system -- if you never messed with IPSec or software restriction policies then
simply applying the template might have done the "policy reset" trick
for you.)
To grab that key, open up Regedit on your newly-installed
system and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies, where you'll see a
folder icon labeled "Microsoft." Right-click it and choose Export,
then point Regedit at someplace to put the file. For my example, I'll call
it policies.reg, but you can put it anywhere you like -- just remember wherever
you put it. I then copy the policies.reg file to the computer that I want
to reset policies on; for the sake of example, let's say that I store it in
c:\oldreg.
Now, I don't want to just apply that Registry file to my system, as .reg
files really only merge information into the Registry -- I want to reset
that part of the Registry altogether. So before I apply policies.reg to my
system's Registry, I'll first delete the current HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
key in the Registry. (As always, PLEASE be careful when messing with the
Registry!) You can either do that by opening up Regedit, navigating to
HKEY_LOCAL_MACHINE\SOFTWARE\Policies, clicking on the Microsoft folder and
pressing Del, or you can do it from the command line:
reg delete hklm\software\policies\microsoft /f
Now I'm ready to apply the Registry fixes either by double-clicking on
policies.reg, or from the command line like so:
regedit /s c:\oldreg\policies.reg
Finally, zap \windows\system32\GroupPolicy\Machine\Registry.pol either from
Explorer or from the command line. Restart and the policies are
gone! Let's wrap that up into a step-by-step:
First, export the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft key from a
"virgin" system; call the file policies.reg and store it on the system
that you want to reset in a directory named c:\oldreg.
Second, create a batch file with the following lines in it, or just copy the
lines from this document. Save the file, calling it resetpol.cmd.
Store it and policies.reg on a floppy somewhere so they can be easily
transported to any other system that might need its policies reset. If
your system is a Windows 2000 system, then type "\winnt" where you see
"\windows" below.
reg delete hklm\software\policies\microsoft /f
regedit /s c:\oldreg\policies.reg
secedit /configure /db reset /cfg "c:\windows\security\templates\setup security.inf" /overwrite /quiet
del c:\windows\system32\grouppolicy\machine\registry.pol
Finally, run resetpol.cmd. Wait for secedit to finish, then reboot.
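As an added example (my own variant here, not the newsletter's resetpol.cmd), this version of the batch file backs up the current Policies\Microsoft key and Registry.pol before removing them, so the reset can be undone, and uses %SystemRoot% instead of a hard-coded \windows so the same file works whether the system directory is \winnt or \windows. It assumes a reg.exe that supports "export" (the XP/2003 one), that policies.reg from the clean system is in c:\oldreg as above, and that you run it as a local administrator.

```batch
@echo off
REM resetpol-safe.cmd (added example, not the original resetpol.cmd)
REM Assumes: XP/2003 reg.exe (supports "export"), policies.reg exported
REM from a clean system and stored in c:\oldreg, run as local administrator.
setlocal
set OLDREG=c:\oldreg\policies.reg
set BACKUP=c:\oldreg\backup
set POLKEY=HKLM\SOFTWARE\Policies\Microsoft
set POLFILE=%SystemRoot%\system32\GroupPolicy\Machine\Registry.pol
set TEMPLATE=%SystemRoot%\security\templates\setup security.inf

REM Refuse to run without the clean export; otherwise we would delete
REM the policy key and have nothing to merge back in.
if not exist "%OLDREG%" (
    echo Missing %OLDREG% - export it from a clean system first.
    exit /b 1
)

REM Back up what is about to be removed so the reset is reversible.
if not exist "%BACKUP%" mkdir "%BACKUP%"
if exist "%BACKUP%\policies-before.reg" del /f /q "%BACKUP%\policies-before.reg"
reg export %POLKEY% "%BACKUP%\policies-before.reg"
if exist "%POLFILE%" copy /y "%POLFILE%" "%BACKUP%\Registry.pol" >nul

REM Step 1: remove the current key outright (a .reg file only merges),
REM then merge in the clean copy.
reg delete %POLKEY% /f
regedit /s "%OLDREG%"

REM Step 2: re-apply the out-of-the-box security template. secedit needs
REM a database to work from, so a throwaway one is created in %TEMP%.
secedit /configure /db "%TEMP%\reset.sdb" /cfg "%TEMPLATE%" /overwrite /quiet

REM Step 3: remove the locally cached machine policy file, if present.
if exist "%POLFILE%" del /f /q "%POLFILE%"

echo Policy reset done. Previous state saved in %BACKUP%. Reboot now.
endlocal
```

To undo the reset, delete the Policies\Microsoft key again, merge policies-before.reg back with regedit /s, and copy the saved Registry.pol back into place before rebooting.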
How does this advice vary if you want to remove domain-based
policies? Well, the best way to wipe out all domain-based policies is to
simply unjoin the workstation from the domain. That seems to un-do most of
the policies. But if you've got a system that's not connected to the
domain -- perhaps a laptop -- and you just want to be free of domain policies
temporarily, then follow the above advice. Of course, you've got to be a
local administrator to do any of this policy un-doing.
One final note: each of those commands resets one part of the policy state. But they may not reset it
all -- that's why I said "almost new." If you've created a
custom policy that "tattoos" the Registry, then there's no way to roll
back those changes unless you've documented what the policies did in the first
place; then you can reset the affected Registry keys one at a time. So be
careful with those Registry tattoo-ers!
Thanks for letting me visit with you again. I hope you've found this
shortened Special Edition useful.
All contents copyright 2003 Mark Minasi. You are encouraged to quote this
material, SO LONG as you include this entire document; thanks.