When a client system is removed from a Domain how can you clear it of Domain Group Policies?

Graham Duffy 40 Reputation points
2025-10-07T05:39:17.37+00:00

Client system - Windows 11 - part of a Domain had an issue in that the Default Firewall Profile instead of being the Domain Firewall Profile had "slipped" to being a Public Firewall Profile. Domain, Private and Public Firewall profiles were enabled, with the default active being the Public rather than the Domain for some reason. Thus removed the Windows 11 client from the Domain and into a Workgroup, and then logged on as the local Administrator with the intention of temporarily disabling/turning off the Public Firewall Profile, then re-joining the Windows 11 client to the Domain where it should then pick up the Domain Firewall Profile as being active from Domain Policy. However even as local administrator and in a Workgroup the Windows 11 client still had greyed out sections that had been done by the Domain policy preventing disabling of the Public Firewall Profile either via GUI or Powershell command. How can any permanent "tattooed" domain policies be removed when a client system is in a Workgroup without having to re-install the operating system?

Windows for business | Windows Client for IT Pros | Directory services | Deploy group policy objects

1 answer

    Domic Vo 7,830 Reputation points Independent Advisor
    2025-10-07T06:13:22.71+00:00

    Dear Graham Duffy,

    It’s clear you’ve taken thoughtful steps to isolate the issue, and I appreciate your effort to resolve it without resorting to a full OS reinstallation.

    When a device is removed from a domain, certain Group Policy settings—especially those applied via registry or local policy—can remain "tattooed" on the system. These residual settings may continue to enforce restrictions, such as graying out firewall controls, even when the system is no longer domain-joined.

    Here are recommended steps to clear domain policy remnants:

    1. Reset Local Group Policy Settings. Open Command Prompt as administrator and run:

       ```
       RD /S /Q "%WinDir%\System32\GroupPolicy"
       RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
       gpupdate /force
       ```

       This removes local policy files and forces a refresh. It does not affect registry-based policies.

    2. Manually review and clean registry-based policies. Open Registry Editor (regedit) and navigate to:

       ```
       HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
       HKEY_CURRENT_USER\SOFTWARE\Policies
       ```

       Carefully review entries under `Microsoft\WindowsFirewall` or related keys.

       Delete only those entries that are clearly tied to domain policies. **(Important: Back up the registry before making changes.)**

    3. Use the LGPO tool (Local Group Policy Object Utility). Microsoft's LGPO.exe can help export, analyze, and reset local policy settings more safely and systematically.

    4. Verify firewall profile behavior. After cleaning policies, restart the system and check the active firewall profile using:

       ```
       Get-NetConnectionProfile
       ```

       Ensure the network is correctly identified (e.g., domain vs. public) and that the firewall profile reflects the expected behavior.

    5. Rejoin the domain. Once cleaned, rejoin the domain and allow Group Policy to reapply correctly. Run `gpupdate /force` and verify that the Domain Firewall Profile becomes active.

    If this guidance proves helpful, feel free to click “Accept Answer” so we know we’re heading in the right direction 😊. And of course, I’m here if you need further clarification or support. T&B, Domic Vo
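As an added example (not part of the thread above and not Microsoft's own tooling), the following PowerShell audit script ties the answer's steps together for the situation described: it reports whether the file-based Registry.pol policies still exist, lists whatever remains under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall and backs that key up with reg.exe before anything is deleted, then compares each firewall profile's effective state with the locally configured one so the profile still overridden by policy is visible. It assumes an elevated session on Windows 11 with the NetSecurity module; the backup location under $env:TEMP is an assumption.

```powershell
# Added example (not from the original thread): audit which Windows Firewall
# settings are still enforced by policy on a machine that has left the domain,
# and back the policy key up before an administrator edits anything.
# Assumes an elevated PowerShell session on Windows 11 with the NetSecurity module.
#Requires -RunAsAdministrator

# File-based policy: deleting these (step 1 above) does not touch the registry.
$policyFiles = @(
    "$env:WinDir\System32\GroupPolicy\Machine\Registry.pol",
    "$env:WinDir\System32\GroupPolicy\User\Registry.pol"
)
Write-Host '== Local policy files =='
foreach ($f in $policyFiles) {
    '{0,-60} {1}' -f $f, $(if (Test-Path $f) { 'present' } else { 'absent' })
}

# Registry-based policy: values here override the local store and grey out the GUI.
$fwPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
Write-Host "`n== Registry-based firewall policy remnants under $fwPolicyKey =="
if (Test-Path $fwPolicyKey) {
    Get-ChildItem $fwPolicyKey -Recurse | ForEach-Object {
        $key = $_
        ($key | Get-ItemProperty).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { '{0}\{1} = {2}' -f $key.Name, $_.Name, $_.Value }
    }
    # Export a backup before any value is deleted (backup path is an assumption).
    $backup = Join-Path $env:TEMP ('WindowsFirewallPolicy-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall' $backup /y | Out-Null
    Write-Host "Backup written to $backup"
} else {
    Write-Host 'No firewall policy key present; the greyed-out controls come from elsewhere.'
}

# Effective (ActiveStore) vs. locally configured (PersistentStore) profile state:
# a profile whose Enabled value differs is still being overridden by policy.
Write-Host "`n== Firewall profiles: effective vs. local =="
$active = Get-NetFirewallProfile -PolicyStore ActiveStore
$local  = Get-NetFirewallProfile -PolicyStore PersistentStore
foreach ($a in $active) {
    $l = $local | Where-Object { $_.Name -eq $a.Name }
    $flag = if ($a.Enabled -ne $l.Enabled) { '<- overridden by policy' } else { '' }
    '{0,-8} effective={1,-5} local={2,-5} {3}' -f $a.Name, $a.Enabled, $l.Enabled, $flag
}

# The Domain profile only becomes active when the NIC is classed DomainAuthenticated.
Write-Host "`n== Network category per interface =="
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory | Format-Table -AutoSize
```

Run it before and after the cleanup steps: once the registry key is empty and the effective and local states match, the remaining difference is only the network category, which changes on rejoining the domain.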

