Tattooing with Group Policy
No, we are not using group policy to put your skull and crossbones tattoo on people. Tattooing is in reference to policies that make changes to the registry that are not removed after the policy is removed. These changes are Permanent and require the admin to manually remove them. I have seen Tattooing become a problem after windows upgrade/update. Polices that effect anything outside 4 registry zones, will tattoo.
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
- HKEY_CURRENT_USER\SOFTWARE\Policies
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
Thankfully, most out-of-box Microsoft windows policies fall under these four registry keys. Microsoft has also made almost everything they need to be inside these registry keys as well. For example, all the explorer policies live under:
HKCU\Software\Micorosoft\Windows\CurrrentVersion\Policies\Explorer
Thus whenever you remove a policy setting for the Explorer, when the computer pulls down the new policy settings, it will detect the change and remove the explorer policies that were in place.
What kind of policies will tattoo then if everything is set to write to the correct registry locations? Well, custom software will do this. Back in the day, Adobe Reader’s ADM would write to HKLM\Softwares\Adobe. Thankfully it now writes to the policies hive. Chrome will also do this and sometimes needs to be manually removed.
Other Types of Tattooing
Anything that changes the system as a whole. For example, Folder Redirection policies can leave people’s folders on other servers and such. Roaming profiles also provide issues as the files live on another server. My favorite problem child is printers. The printer is installed and will need to be removed with the GPO or you will tattoo. Another good one is direct registry edits with group policy. Icons are another example of another tattooing. WDS application pushouts as well will tattoo the system with software.
Final Words
CYA! Always test a GPO before sending it out. Add it and then remove it. Research the GPO, and plan everything out. GPO is easy to do, almost a no brainer. Anyone can go to youtube and figure out how to do it. The truth behind GPO is why you should do it, and can it be undone. I have personally tattooed icons and printers in my past. So, always and I mean always, plan it out, test, undo, test again, and then deploy.