I recently had someone ask if there was a way to get rid of those pesky “Extra Registry Settings” that sometimes appear in a GPO settings report in GPMC. You know, the ones that look like this:

Extra Registry Settings as shown in a GPO

These settings arise within the Administrative Templates section of the GPO’s namespace because they were set using ADM or ADMX files that can no longer be found (that is, they are no longer in the ADMX Central Store, in the ADM folder under the GPO in SYSVOL, in the local c:\windows\policydefinitions,etc.). They become, in essence, unmanageable within the GPO. If you were to start GP Editor on this GPO shown above, you would not see these settings anywhere in the Administrative Templates namespace, which is the problem. They have essentially become TRAPPED in the GPO, doomed to wander lost within the bowels of the GPO like some kind of registry zombie…

OK, maybe that’s a bit dramatic, but the point is, if you no longer have the underlying ADMX or ADM files that represented those registry settings, you won’t see them in the GP Editor and therefore cannot unset them. Or can you?

PowerShell to the Rescue (again–sheesh PowerShell you are so annoyingly good)

The good news is that there is a way you can remove these zombies, thanks to the Group Policy (import-module -name GroupPolicy) PowerShell module. The module has a useful set of cmdlets that allow you to read and write directly to the underlying storage file–registry.pol— where Administrative Templates settings are stored. These cmdlets are:

Get-GPRegistryValue

Remove-GPRegistryValue

Set-GPRegistryValue

The cmdlet that is going to help us in this case, is Remove-GPRegistryValue, which lets us manually pluck registry entries out of the registry.pol file within a GPO’s storage in SYSVOL. The syntax is pretty straightforward. The GPMC settings report shown above gives you all the information you need to know–namely the registry key and value to remove–under the “setting” column in the report. For example, in the figure above, the first entry is this:

Software\Policies\Microsoft\Office\11.0\Word\DisabledCmdBarItemsCheckBoxes\FileOpenToolsFind

Because it’s under the User Configuration portion of the GPO, I know it’s within the HKEY_CURRENT_USER (HKCU) hive (HKEY_LOCAL_MACHINE (HKLM) corresponds to settings under Computer Configuration) . So, if I want to remove that entry from the GPO, I simply open up PowerShell (making sure I’m running as a user that has modify permissions on the GPO) and enter:

Remove-GPRegistryValue -Name "Office Deployment" -Key "HKCU\Software\Policies\Microsoft\Office\11.0\Word\Disable
dCmdBarItemsCheckBoxes" -ValueName "FileOpenToolsFind"

The cmdlet confirms the operation by returning information about the GPO, as shown here:

Output from the Remove-GPRegistryValue cmdlet

I can also use a slight variation on that command to take out large numbers of entries, if I have a bunch of registry values under the same key, as I do in my screen shot above. Namely, I can use this syntax:

Remove-GPRegistryValue -Name "Office Deployment" -Key "HKCU\Software\Policies\Microsoft\Office\11.0\Word\Disable
dCmdBarItemsCheckBoxes"

And by leaving off the -ValueName parameter, the cmdlet removes all entries under that key, within the GPO. This leaves me with quite a few less extra registry settings, as you can see below. The rest I can just pick off one by one.

A GPO with Extra Registry Settings Removed

In the end, if you don’t have access to the original ADM(X) files, using this cmdlet is a quick and easy way to rid yourself of those pesky reg zombies!

Enjoy