Tag Archives: GPO

Removing Orphaned GPO Settings Listed as Extra Registry Settings

Our domain has gone through multiple upgrades over the years from Server 2003 to the current Server 2019 domain controllers with a mix of 2012 and 2019 member servers. Each time there is a group policy admin template update I download it and copy it over to the central store. Today I went to edit a GPO object and noticed when checking the settings being applied under the “settings” tab there was a “Extra Registry Settings” section for a old version of Office under the administrative templates section:

After some research a couple things said to download the old templates, install them, remove the settings, then remove the templates. But that got me thinking on how old some of the templates probably are at this point and how I probably also had a bunch of no longer needed settings in GPO.

So I decided to start “fresh”. I first reviewed Microsoft’s document on creating and managing the central store for group policy admin templates and also downloaded the latest templates which as of this post were the Windows 10 November 2021. I also grabbed the latest Microsoft Office templates and made sure to check where the OneDrive ones were located as I would need those. I installed the Windows 10 ADMX to C:\Temp\Win10 and the Office ADMX to C:\Temp\Office on my own computer.

I then made a backup of my current templates by browsing to \\domain.name\SYSVOL\domain.name\Policies and creating a directory called “Old PolicyDefinitions”. I went into the PolicyDefinitions folder, selected everything, cut it, and moved it to my old folder. I then copied all the new templates from my computer, Windows 10, Office, and OneDrive, to the now empty PolicyDefinitions folder.

Now that everything was shiny and new I went through every GPO and checked for that Extra Registry Settings section and there were a bunch. References to Office 14.0 and 15.0 that are no longer used, SkyDrive, misc Windows XP settings, depreciated settings that are just not in the latest templates, etc. Now there are two choices here. Either I had to screen shot each one of these screens, switch back to the old templates, remove things, and switch back or thankfully there is a PowerShell command you can use on the domain controller:

Remove-GPRegistryValue -Name "Default Domain Policy" -key "HKLM\Software\Policies\Microsoft\OneDrive" -ValueName KFMSilentOptOut

Name is your GPO name. Key is going to be whatever is in the extra settings list. HKLM for anything computer config related, HKCU for anything user config related. You can also delete entire keys by omitting the -ValueName part but you will have to delete subkeys first. I.e. Office\14.0\Word\Common needs to be deleted before Office\14.0\Word can be deleted. I deleted a bunch, hit F5 in Group Policy Management so the settings screen would refresh, then delete what was left.

After a hour or so I had all my GPOs cleaned up with all the obsolete junk removed and also went through a bunch of settings that don’t need applied any more. Between the two I probably removed 100 entries which should speed up group policy processing if even slightly.

Disabling Dropbox from Installing or Running if Installed

Recently I was on a quest to disable the Dropbox program from running on company owned (domain joined) machines. There were lots of hacks to make it work but finally I found a solution, although it was worded relatively cryptically, on Experts Exchange by a McKnife (http://tinyurl.com/gr3f9ar). Long story short you can use Software Restriction Policies (https://technet.microsoft.com/en-us/library/bb457006.aspx) to do this but his solution was more elegant as it blocked Dropbox programs based on the certificate used to sign them as opposed to the file path or things that might change often. This not only blocks the Dropbox program if it’s already installed but also prevents a user from installing it in the first place. Here is my expanded version of his instructions.

First download the Dropbox installer. Right click it and select Properties then go to Digital Signatures. Select the first one (SHA1) and click “Details”. Click “View Certificate” then the Details tab then “Copy to File…”. This lets you export out the certificate. Click Next then “Base-64 encoded X.509 (.CER)” and next again. Save the certificate as something like “Dropbox SHA1 Cert.CER”. Once that one is exported repeat the procedure for the SHA256 certificate.

Once you have both certificates open up Group Policy Management and if you already have a software restrictions policy edit it. If not I suggest you create a new one. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules. Right click and create a “New Certificate Rule”. Browse for the SHA cert and make sure the Security Level is set to Disallow. Give it a description such as “Dropbox SHA Certificate”. When you click OK, if you didn’t have any certificate rules before, it will prompt you to turn them on and display the “Enforcement Properties” page. At the bottom “Enforce certificate rules” then “OK”. Repeat for the SHA256 certificate.

Once GPO updates Dropbox will no longer start and executing the exe or installer directly will give you a nice error message:

dropboxerror

Side note: Once this policy is in place you will also not be able to uninstall Dropbox since the same certificate is being used on the uninstall. Keep that in mind…you would have to disable enforcing certificates temporarily to get it uninstalled.