Removing Policy Tattoos
Tattoos are a significant problem with System Policy, which versions of Windows before Windows 2000 supported. Tattooing means that policies make permanent changes to the registry. The administrator must explicitly remove those policies. For example, if you create a policy file, which has the .pol extension, and Windows applies its settings to the registry, when you remove the policy file, the settings remain. To remove those policies, you must remove the settings from the registry or edit the policy file to remove the settings.
Tattoos become more problematic when you upgrade to Windows from an earlier version of Windows. It's also a problem when you deploy Windows on a network that doesn't have Active Directory but uses System Policy, and then you deploy Active Directory down the line. The upgrade process doesn't remove System Policy settings from the registry during an upgrade, so those settings remain. The shotgun approach is to remove the following keys from each computer's registry and each user's profile hive before upgrading to Windows; the surgical approach is to remove individual policies, but that's too tedious:
HKLM\SOFTWARE\Policies
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
HKCU\Software\Policies
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
How you remove these keys during the upgrade is the question. This isn't an issue for disk images because the problem occurs only during an upgrade. If technicians are visiting desktops during the upgrade, and I hope they aren't doing that, they can remove these keys manually. Otherwise, run the Windows setup program from a batch file or a script. Then you can precede the command that starts the setup program with the commands that remove these keys. Listing 18-3 is an example of an INF file that removes them. To run this INF file from a batch file, save it in a file named Tattoos.inf; then add the command %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 Tattoos.inf to the batch file that starts the Windows installation. You can also script this edit using Windows Script Host (WSH), which Chapter 11, “Scripting Registry Changes,” describes how to do.
Listing 18-3 Tattoos.inf
[Version]
Signature=$CHICAGO$

[DefaultInstall]
DelReg=Reg.Settings

[Reg.Settings]
HKLM,SOFTWARE\Policies
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
There are a few major issues with this script, however. The first is that the user must be an administrator to remove the policy branches from the registry. You can use the techniques described in the next section, “Elevating Privileges of Processes,” to take care of this issue or rely on your software management infrastructure. The second issue is that it removes only the per-computer policies. It doesn't remove policies from users' profile hives. You won't be able to use a script like this from a logon script or allow the user to run it because users don't have the privileges required to remove the policy branches from the registry. This is true unless you've dumped all users into the local Administrators group, which I hope you haven't done. The only reasonable solution is to load each user's profile hive in Registry Editor (Regedit), and then remove the two policy branches from it. You can more or less automate this process by writing a script that connects to a remote computer, loads each profile hive file that exists in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, removes the policy branches, and then unloads the hive file.
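The per-user cleanup described above, written as an added PowerShell example rather than a script from the book: it walks ProfileList, loads each user's NTUSER.DAT under a temporary mount point (the name TattooClean is my choice), deletes the two policy branches, and unloads the hive again. It assumes it runs locally on the computer as an administrator; the remote connection the text mentions is left out.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the book: remove policy tattoos from every user profile hive.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$mount       = 'HKU\TattooClean'     # assumed temporary mount point for each hive
$branches    = @('Software\Policies',
                 'Software\Microsoft\Windows\CurrentVersion\Policies')

foreach ($profile in Get-ChildItem $profileList) {
    $sid = $profile.PSChildName
    # Only real user accounts (S-1-5-21-...); leave the service-account profiles alone.
    if ($sid -notlike 'S-1-5-21-*') { continue }

    $imagePath = (Get-ItemProperty $profile.PSPath).ProfileImagePath
    if (-not $imagePath) { continue }
    $hive = Join-Path ([Environment]::ExpandEnvironmentVariables($imagePath)) 'NTUSER.DAT'

    if (Test-Path "Registry::HKEY_USERS\$sid") {
        # User is logged on, so the hive is already mounted; edit it in place.
        $root   = "Registry::HKEY_USERS\$sid"
        $loaded = $false
    } elseif (Test-Path $hive) {
        & reg.exe load $mount $hive | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $hive"; continue }
        $root   = "Registry::$mount"
        $loaded = $true
    } else {
        continue
    }

    foreach ($branch in $branches) {
        $key = "$root\$branch"
        if (Test-Path $key) {
            Write-Host "Removing $key"
            Remove-Item $key -Recurse -Force
        }
    }

    if ($loaded) {
        # The registry provider keeps handles open; release them or reg unload fails.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload $mount | Out-Null
    }
}
```

Run it before starting the upgrade, after the INF in Listing 18-3 has handled the per-computer branches.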