Group Policies Not Applied After Switching Domains

Ran into an issue where the group policies were not being applied to the workstations. Not the most ideal situation, but I found myself having to drop some Windows XP workstations after the domain controllers had been demoted and taken off-line. Normally, you would remove the workstations from the domain and put them into a workgroup prior to demoting the domain controllers, but I just wasn’t able to do that this time around (long story).

This is the problem I ran into. While on the old domain, I was pushing out network settings to the workstations via group policy, such as DNS, WINS, primary suffix and suffix search order. When the workstations were hard-dropped from the old domain and put into the new domain, the old policies were still cached in the registry, and the workstations couldn’t pick up the new group policies because their DNS settings still pointed at domain controllers that no longer existed. So, the workstations couldn’t resolve names correctly. This also prevented domain users from authenticating on the workstations. You might think setting the TCP/IP properties on the NIC would fix the problem, but that isn’t the case: Group Policy settings override the NIC properties.

There are probably other ways to do this, but I ended up writing a script which deleted the following key (and all subkeys) from the registry on each workstation: HKLM\Software\Policies. Yes, the whole thing.


Once the key (and its subkeys) is deleted, the TCP/IP properties on the NIC take effect because they are no longer being overridden by the old cached group policies. To get the new policies, I ran gpupdate /force from the command prompt, and then rebooted. If you refresh the registry view, you’ll see a new HKLM\Software\Policies key has been created, along with all of its subkeys.
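The procedure above as a script, added here as an example and not the author’s original script. It assumes an elevated PowerShell session on the affected workstation and a writable %SystemDrive%; it exports HKLM\Software\Policies to a .reg file before deleting it (that key holds every cached machine policy, not only the network settings), then forces the refresh and checks that the key came back.

```powershell
# Constructed example: back up, delete and re-create HKLM\Software\Policies.
# Run from an elevated PowerShell prompt on the workstation being fixed.
$regKey  = 'HKLM\Software\Policies'      # reg.exe-style path
$psKey   = 'HKLM:\Software\Policies'     # PowerShell provider path
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup  = Join-Path $env:SystemDrive "Policies-backup-$stamp.reg"

# 1. Export the key first so the old cached policy values can be restored
#    with "reg import" if the new domain's policies do not arrive.
& reg.exe export $regKey $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $regKey failed; nothing was deleted." }

# 2. Delete the key and all of its subkeys. This strips the stale DNS/WINS/
#    suffix settings the old domain pushed out, so the NIC's own TCP/IP
#    properties are no longer overridden.
& reg.exe delete $regKey /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not delete $regKey (is the session elevated?)." }

# 3. Ask the new domain's controllers for policy. This only works if the NIC
#    now resolves the new domain, which is exactly what step 2 makes possible.
& gpupdate.exe /force

# 4. Group Policy re-creates the key when it applies settings; if it is still
#    missing, the refresh never reached a DC and DNS should be rechecked.
if (Test-Path $psKey) {
    Write-Host "Policy key re-created. Backup saved to $backup. Reboot to finish."
} else {
    Write-Warning "$regKey was not re-created; check that DNS points at the new domain controllers."
}
```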


Once this was done, all the workstations were back on-line and operational, and the users were able to log in successfully.
