How to clear or remove domain-applied group policy settings after leaving the domain
Open Regedit.
Backup your registry.
Delete the "HKLM\Software\Policies\Microsoft" Key (looks like a folder).
Delete the "HKCU\Software\Policies\Microsoft" Key
Delete the "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects" Key.
Delete the "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies" Key.
Exit the registry and restart.
Note: HKLM = HKEY_LOCAL_MACHINE & HKCU = HKEY_CURRENT_USER
Note 2: The registry is and can be a dangerous place.
Thanks for replying. To answer your question - yes it's physically removed from the domain and now joins a workgroup. I am using a local admin account to log in. And yes, domain settings still apply.
If it is physically off the domain, and you ARE using a local account to log on, and it still carries the group policy settings, not only would i be very surprised, but something is wrong.
Indeed. It's a stuck policy. Fortunately, there is a rather ingenious way to fix this problem. Unfortunately, it's not common knowledge. Hopefully this answer will get around to enough sysadmins to fix that.
By the way, this works on all versions of Windows.
This solution is dependent upon the machine-in-question being dis-joined from the domain. If it is NOT dis-joined from the domain via the OS, then this will NOT work.
-
After the machine is dis-joined from the DC (Domain Controller), login using the local (machine) administrator account.
-
Go to Start (open the Start menu) > Run (open the Run app), and type 'cmd' (without the quotes) and press Enter. [Or open the Start menu and then run the Command Prompt program.]
-
Type
gpupdate /force /boot
and press Enter. -
Once it's complete, reboot. The old group policy is gone.
Basically, how this works is it (since it gets no policy when you run the command), it applies an empty policy, which effectively removes the stuck policy once and for all.
If you run into problems, run gpresult /H GPReport.html
from a Command Prompt window. If you see the DC or evidence that it pulled a policy, separate your computer from the network that's running on the DC and plug the machine into a separate network.
No internet connection is required for this solution, but the link needs to be up, and it needs to have an IP address.
For info if you have this on a computer that has not been removed from the domain. Export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy hive then delete it. reboot and your computer pulls down the latest version of GPO.
I have had a few instances where GPO's have been updated and a gpupdate /force tells me it has applied the policies successfully but upon closer inspection some of the new settings have not been applied.
Check this through 'rsop.msc' to see all the settings applied and what GPO they came from.
Remember editing the registry can be very dangerous. Take care!