Removing Policy Tattoos

Tattoos are a significant problem with System Policy, which versions of Windows before Windows 2000 supported. Tattooing means that policies make permanent changes to the registry. The administrator must explicitly remove those policies. For example, if you create a policy file, which has the .pol extension, and Windows applies its settings to the registry, when you remove the policy file, the settings remain. To remove those policies, you must remove the settings from the registry or edit the policy file to remove the settings.

Tattoos become more problematic when you upgrade to Windows XP from an earlier version of Windows. It's also a problem when you deploy Windows XP on a network that doesn't have Active Directory but uses System Policy, and then deploy Active Directory down the line. The upgrade process doesn't remove System Policy settings from the registry during an upgrade, so those settings remain. The shotgun approach is to remove the following keys from each computer's registry and each user's profile hive before upgrading to Windows XP; the surgical approach is to remove individual policies, but that's too tedious:

  • HKLM\SOFTWARE\Policies

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

  • HKCU\Software\Policies

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

How you remove these keys during the upgrade is the question. This isn't an issue for disk images because the problem occurs only during an upgrade. If technicians are visiting desktops during the upgrade, and I hope they aren't doing that, they can remove these keys manually. Otherwise, run the Windows XP setup program from a batch file or script. Then you can precede the command that starts the setup program with the commands that remove these keys. Listing 15-4 is an example of an INF file that removes them. To run this INF file from a batch file, save it in a file called Tattoos.inf; then add the command %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 Tattoos.inf to the batch file that starts the Windows XP installation. You can also script this edit using Windows Script Host, which Chapter 9, "Scripting Registry Changes," describes how to do.

Listing 15-4: Tattoos.inf

  [Version]
  Signature=$CHICAGO$

  [DefaultInstall]
  DelReg=Reg.Settings

  [Reg.Settings]
  HKLM,SOFTWARE\Policies
  HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

There are a few major issues with this script, however. The first is that the user must be an administrator to remove the policy branches from the registry. You can use the techniques described in the next section, "Elevating Processes' Privileges," to take care of this issue or rely on your software management infrastructure. The second issue is that it removes only the per-computer policies. It doesn't remove policies from users' profile hives. You won't be able to use a script like this from a logon script or allow the user to run it because they don't have the privileges required to remove the policy branches from the registry. This is true unless you've dumped all users into the local Administrators group, which I hope you haven't done. The only reasonable solution is to load each user's profile hive in Registry Editor (Regedit), and then remove the two policy branches from it. You can more or less automate this process by writing a script that connects to a remote computer, loads each profile hive file that exists in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, removes the policy branches, and then unloads the hive file.
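The per-user cleanup described above, written out as an added example rather than code from the book: it walks ProfileList, loads each user's NTUSER.DAT under a temporary key with reg.exe, deletes the two per-user policy branches, and unloads the hive. Assumptions not in the chapter: PowerShell 2.0 or later is installed, reg.exe is present, the script runs as a local Administrator on the computer being cleaned (use Invoke-Command or a remote scheduled task to reach other machines), and the temporary key name HKU\TattooTemp is free. Hives of users who are currently logged on are already mounted under HKEY_USERS by SID, so those are edited in place instead of being loaded a second time.

```powershell
# Added example (not from the book): remove System Policy tattoos from every
# local user profile hive listed under ProfileList. Requires local Administrator
# rights; standard users cannot delete the policy branches.
# Assumptions: PowerShell 2.0+, reg.exe available, run on the target computer.
param(
    [switch]$WhatIf   # report what would be deleted without changing anything
)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$tempKey     = 'HKU\TattooTemp'          # temporary mount point, assumed unused

# The two per-user policy branches the chapter identifies.
$policyBranches = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Remove-PolicyBranches {
    # $HiveRoot is a key under HKEY_USERS, e.g. 'HKEY_USERS\S-1-5-21-...'
    param([string]$HiveRoot)
    foreach ($branch in $policyBranches) {
        $path = "Registry::$HiveRoot\$branch"
        if (Test-Path $path) {
            if ($WhatIf) {
                Write-Host "Would delete $path"
            } else {
                Remove-Item -Path $path -Recurse -Force
                Write-Host "Deleted $path"
            }
        }
    }
}

foreach ($profileKey in Get-ChildItem $profileList) {
    $sid = $profileKey.PSChildName
    # Only real user accounts (S-1-5-21-*); skip SYSTEM and the service accounts.
    if ($sid -notlike 'S-1-5-21-*') { continue }

    # ProfileImagePath is REG_EXPAND_SZ; the registry provider expands
    # %SystemDrive% and friends for us.
    $profilePath = (Get-ItemProperty $profileKey.PSPath).ProfileImagePath
    $hiveFile    = Join-Path $profilePath 'NTUSER.DAT'

    if (Test-Path "Registry::HKEY_USERS\$sid") {
        # User is logged on: the hive is already mounted and NTUSER.DAT is
        # locked, so edit the live hive instead of loading the file.
        Remove-PolicyBranches -HiveRoot "HKEY_USERS\$sid"
        continue
    }
    if (-not (Test-Path $hiveFile)) {
        Write-Warning "No hive file for $sid at $hiveFile; skipping"
        continue
    }

    # Mount the profile hive under the temporary name, clean it, unmount it.
    & reg.exe load $tempKey $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg load failed for $hiveFile; skipping"
        continue
    }
    try {
        Remove-PolicyBranches -HiveRoot 'HKEY_USERS\TattooTemp'
    } finally {
        # Release any handles PowerShell still holds so the unload succeeds.
        [gc]::Collect()
        Start-Sleep -Milliseconds 500
        & reg.exe unload $tempKey | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed for $tempKey" }
    }
}
```

Run it once with -WhatIf to see which profiles still carry policy branches before deleting anything. The [gc]::Collect() call matters: if PowerShell still holds a handle to a key under the temporary mount, reg unload fails and the hive stays loaded until the next reboot.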



Microsoft Windows XP Registry Guide
ISBN: 0735617880
Year: 2005
Pages: 185