Question: A couple of years ago, SNMP settings were added to an ADM template that was applied to all servers. About a year ago, the settings in the ADM template that applied to SNMP were removed. The issue is that all servers are still having the settings set somehow, even new server builds.
When I run an RSOP on a server it points to a specific GPO that these settings are coming from. But when I edit the GPO, the settings are not there and they are not in the ADM template either. (We use one ADM template only, as a standard.) Why are these settings still being set? Where are they being set from? How can I get rid of them from applying to servers?
Answer: It looks like a custom ADM template was designed to write registry values outside of the Policies keys within the registry, which are considered preferences and not true policy settings. Here is some information from a white paper on managing registry-based policy settings:
Approved registry key location for computer group policy settings:
HKLM\Software\Policies (the preferred location)
Approved registry key location for user group policy settings:
HKCU\Software\Policies (the preferred location)
It is possible for an administrator to write an ADM file that sets registry values outside of the approved Group Policy registry trees shown above. In this case, the administrator is only ensuring that a given registry key or value is set in a particular way. With this approach, the administrator configures preference settings, instead of true policy settings, and marks the registry with these settings (that is, the settings persist in the registry even if the preference setting is disabled or deleted).
The question states: "About a year ago, the settings in the ADM template that applied to SNMP were removed. The issue is that all servers are still having the settings set somehow, even new server builds." This is what is causing the problem for the old servers and the new servers. Just removing the SNMP settings from the ADM template will not cause the SNMP settings already applied to servers to be removed, and the settings will persist in the registry as explained in the information from the white paper above. The SNMP settings are being applied to new servers because of how registry-based policy settings within a GPO are configured, stored within the GPO, and then processed by a client machine.
When you edit a GPO, the ADM templates for the GPO determine what registry-based policy settings you can configure with that GPO. The registry-based policy settings configured in a GPO are not stored within the ADM templates for the GPO; they are stored within the Registry.pol file for the GPO. Each GPO will have up to two Registry.pol files, one that contains the machine registry settings and one that contains the user registry settings. When client machines process registry-based policy settings from a GPO, the settings are read from the Registry.pol file for the GPO and then written to the registry on the client machine. This is also how RSOP data for registry-based policy settings is generated: the settings are read from the Registry.pol file for the GPO and then displayed in the RSOP results.
Since the SNMP settings were just removed from the ADM template without changing the SNMP settings originally configured in the GPO, the Registry.pol file for the machine registry settings still contains the data for the SNMP settings that were originally configured. Because of this, any new server processing the GPO will still receive the SNMP settings originally configured in the GPO. Then, when you run RSOP on a server, because of the data in the Registry.pol file, it points you back to a specific GPO; but when you edit the GPO, the SNMP settings are not there because they were removed from the ADM template, so you no longer have the option to configure them.
To fix this you need to add the SNMP settings that were originally in the ADM template back to an ADM template within the same GPO that RSOP is showing the SNMP settings are coming from. Then you need to re-configure the SNMP settings to stop writing the values into the registry or change the values being written into the registry, which will update the Registry.pol file for the GPO. How this needs to be done for sure I can't say, because it depends on how the ADM template was originally configured. What options you have for writing and configuring ADM templates are documented in the Using Administrative Template Files with Registry-Based Group Policy white paper.
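As an added example that is not from the column or its author: a small Python parser for a GPO's Registry.pol file that decodes each [key;value;type;size;data] entry and flags entries whose key falls outside the approved Policies trees, i.e. the preference settings that tattoo the client registry. The SNMP service key path, the sample entries and the helper names are assumptions constructed for illustration, not data from the page.

```python
import struct
# Registry.pol layout (MS-GPREG): "PReg" + DWORD version 1, then [key;value;type;size;data]
# entries; brackets/semicolons are UTF-16LE chars, key/value are null-terminated UTF-16LE.
REG_SZ, REG_DWORD = 1, 4
# Approved policy trees under HKLM/HKCU; any other key is a preference that tattoos the
# client registry and survives removal of the setting from the template and the GPO.
APPROVED_TREES = ("software\\policies\\",
                  "software\\microsoft\\windows\\currentversion\\policies\\")

def _u16(s): return s.encode("utf-16-le")

def build_registry_pol(entries):
    """Serialise (key, value_name, type, data) tuples into Registry.pol bytes."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, value, rtype, data in entries:
        raw = struct.pack("<I", data) if rtype == REG_DWORD else _u16(data + "\0")
        out += _u16(f"[{key}\0;{value}\0;") + struct.pack("<I", rtype) + _u16(";")
        out += struct.pack("<I", len(raw)) + _u16(";") + raw + _u16("]")
    return bytes(out)

def parse_registry_pol(blob):
    """Decode Registry.pol bytes into (key, value_name, type, data) tuples."""
    if blob[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("not a version-1 Registry.pol file")
    pos, entries = 8, []
    def expect(ch):  # consume one UTF-16LE delimiter character or fail loudly
        nonlocal pos
        if blob[pos:pos + 2] != _u16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 2
    def read_cstr():  # null-terminated UTF-16LE string, scanned 2 bytes at a time
        nonlocal pos
        end = next(i for i in range(pos, len(blob), 2) if blob[i:i + 2] == b"\0\0")
        pos, s = end + 2, blob[pos:end].decode("utf-16-le")
        return s
    while pos < len(blob):
        expect("["); key = read_cstr(); expect(";"); value = read_cstr(); expect(";")
        rtype = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        size = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        raw = blob[pos:pos + size]; pos += size; expect("]")
        data = struct.unpack("<I", raw)[0] if rtype == REG_DWORD else raw.decode("utf-16-le").rstrip("\0")
        entries.append((key, value, rtype, data))
    return entries

def find_tattooing_entries(entries):  # keys outside the approved Policies trees are preferences
    return [e for e in entries if not (e[0].lower() + "\\").startswith(APPROVED_TREES)]

# Constructed sample: one true policy value plus one SNMP value under the SNMP service key (assumed).
SAMPLE_ENTRIES = [
    ("Software\\Policies\\Microsoft\\Windows\\Example", "Enabled", REG_DWORD, 1),
    ("SYSTEM\\CurrentControlSet\\Services\\SNMP\\Parameters\\PermittedManagers", "1", REG_SZ, "192.0.2.10"),
]
```

Run `find_tattooing_entries(parse_registry_pol(open(path, "rb").read()))` against a GPO's machine Registry.pol to list the entries that will persist on clients after the setting is removed from the template.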
About the author: This installment of "Ask Microsoft" was answered by Brian Davies, Technologist on the Identity and Access Management team.