I think you guys are talking about the same thing. The policy value either exists or it doesn't. If it's there via a GPO, then the application uses it. If not, it reverts to whatever is set in the corresponding preference area. So technically it doesn't re-enable or restore anything; it just appears that way by the presence/removal of the policy key. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Friday, January 04, 2008 2:52 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Disadvantages of Tattooing. Alan- Good points. However, I am not clear on one thing that you say below, "removing these Policy keys will reenable what the user had in the non-policy key". This implies that previous key values are somehow cached which I have never seen. Typically if a policy key is removed, its value is simply deleted. I have never seen any restoral of a key's previous value (unless that value was to not exist!). What I have seen get restored are security settings (i.e. non-Administrative Template stuff) on the local machine when a policy no longer applies to the machine. But that's specific to security settings. Also, you're correct on the observation that making changes to policy keys outside of GP effectively kills the non-tattooing behavior of those keys. It's a subtle yet irritating behavior. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan & Margaret Sent: Friday, January 04, 2008 12:44 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Disadvantages of Tattooing. Just a couple of minor points... While Jamie is correct in that you need another policy to undo the setting, the really annoying problem is that you can never get back to what the user originally had. When the policy is first applied it destroys the original setting. The use of the POLICY keys as described by Darren's link, means that the original user settings are still maintained, so removing these Policy keys will reenable what the user had in the non-policy key. The statement in Darren's link "the first thing that Windows does is remove all registry values under our 4 magic keys" oversimplifies the process slightly. Group Policy processing only deletes the entries that were placed there via Group Policy. If you manually create an entry under these "Magic keys" by some other method, it will stay there. This can be a good thing, or a bad thing. The list of entries to be removed from the user's registry is kept in a file called ntuser.pol in the users profile. This is why (as discussed earlier in this group) you get in trouble if your default policy has a version of ntuser.pol which is not consistent with the registry in the default profile. Alan Cuthbertson Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Saturday, 5 January 2008 1:50 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Disadvantages of Tattooing. Couldn't have said it better. You can take at look at this page on my site that I wrote a while ago, which explains the mechanics of it, if you're interested: http://www.gpoguy.com/faqs/tattoo.htm. BTW, as a humorous aside, when us GP MVPs were last up in Redmond the GP team asked us about the word "Preferences" and what they meant to us. Most of us, of course, responded that they were tattooing policy values because that's what they've been called forever. But enough folks didn't say that they decided to give the "Group Policy Preferences" name to the upcoming DesktopStandard PolicyMaker product. I thought (and still think) its confusing because Preferences == Tattooing but I guess I'm not in marketing... Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Sent: Friday, January 04, 2008 6:44 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Disadvantages of Tattooing. Well, when a preference is tattooed in the registry you can't undo it by simply unlinking the policy. You would have to enforce that setting's opposite value via another GPO. It can be quite a pain in larger, more complex environments. However, when a policy based setting does not exist, it may often times be your only option. Regards, Jamie Nelson From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nidhi Garg Sent: Friday, January 04, 2008 2:35 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Disadvantages of Tattooing. Hi, Wanted to know about disadvantages of Tattooing of registry based group polices. How can it affect the policy affect ? Thanks ________________________________ This e-mail may contain identifiable health information that is subject to protection under state and federal law. This information is intended to be for the use of the individual named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited and may be punishable by law. If you have received this electronic transmission in error, please notify us immediately by electronic mail (reply). ********************************************************************** This e-mail may contain identifiable health information that is subject to protection under state and federal law. This information is intended to be for the use of the individual named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited and may be punishable by law. If you have received this electronic transmission in error, please notify us immediately by electronic mail (reply).