I ran into something quite odd the other day.
A group of settings that were clearly configured on an endpoint... but there was nothing in GPO applying it.
- No RSOP evidence
- No active policy
- Nothing in scope at all
Yet the setting was there, alive and well. At first glance, it looked like a misconfiguration, maybe replication lag. Possibly someone pushed a local config change?
But it wasn't any of those. It was Group Policy Tattooing.
Group Policy Tattooing is when a policy writes a setting (usually into the registry)… and doesn’t remove it when the policy no longer applies.
So the GPO disappears—but the configuration doesn’t. You’re left with a machine that looks managed… but isn’t.
This usually isn't some wild edge case. It's normal behavior, just not normally noticed. Tattooing shows up when:
- Group Policy Preferences use Create or Update (they write, but don’t undo)
- Scripts or manual changes set registry values once
- Policies fall out of scope (OU change, unlink, security filtering) without cleanup
In other words:
Anything that sets state once without enforcing or reversing it… leaves a mark.
THE FIX
Here’s the part most people don’t love:
There’s no “undo tattooing” button.
You have to be intentional.
1. Clean up the existing state
Manually remove the registry values
Or deploy a GPO / script to delete them
If you don’t explicitly remove it, it stays.
2. Use the right GPP actions
Replace = enforce state
Delete = clean up
Avoid “Update and forget”
3. Shift to enforcement-based policies
If it matters, it should be continuously applied—not just written once.
4. Validate the endpoint, not just GPOs
RSOP shows policy.
The registry shows reality.
You need both.
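As an added example (not from the original post), here is a PowerShell audit that covers step 1 and step 4 together: given a list of registry values that a retired or unlinked GPO used to write, it reports which ones are still present on the endpoint, flags the ones that sit outside the four policy keys the Group Policy registry CSE reconciles on refresh (the usual home of tattooed GPP or script settings), and optionally removes them. The retired-settings list, the Contoso path and the value names are constructed sample data; the policy-root heuristic is a hint to be confirmed against RSOP, not a verdict.

```powershell
# Added example, not from the original post. Audits registry values that a
# retired (unlinked / out-of-scope) GPO used to write, reports which ones are
# still present on this endpoint, and optionally removes them. Supports -WhatIf.
# Heuristic: Administrative Template settings land under the four policy keys
# below, which the Group Policy registry CSE reconciles on every refresh; values
# written anywhere else (GPP Create/Update, scripts) are never reconciled and
# persist after the GPO is gone. Treat the verdict as a hint, then confirm with RSOP.
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\SOFTWARE\Policies',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Find-TattooedValue {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Each entry: the Path and Name a retired GPO used to set.
        [Parameter(Mandatory)][hashtable[]]$RetiredSettings,
        [switch]$Remove   # actually delete leftovers (combine with -WhatIf to preview)
    )
    foreach ($s in $RetiredSettings) {
        $actual = $null
        if (Test-Path -LiteralPath $s.Path) {
            $props = Get-ItemProperty -LiteralPath $s.Path -ErrorAction SilentlyContinue
            if ($props -and $props.PSObject.Properties.Name -contains $s.Name) { $actual = $props.($s.Name) }
        }
        $underPolicyKey = [bool]($PolicyRoots | Where-Object { $s.Path -like "$_\*" })
        $verdict = if ($null -eq $actual)  { 'Absent: nothing to clean' }
                   elseif ($underPolicyKey) { 'Present under policy key: check RSOP before removing' }
                   else                     { 'Present outside policy keys: tattooed leftover' }
        if ($Remove -and $null -ne $actual -and -not $underPolicyKey -and
            $PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", 'Remove tattooed value')) {
            Remove-ItemProperty -LiteralPath $s.Path -Name $s.Name
            $verdict = "Removed (was $actual)"
        }
        [pscustomobject]@{ Path = $s.Path; Name = $s.Name; Actual = $actual; Verdict = $verdict }
    }
}

# Constructed sample: values a now-unlinked hardening GPO once wrote via GPP Update.
$retired = @(
    @{ Path = 'HKLM:\SOFTWARE\Contoso\Hardening';                                Name = 'LegacyProtocolDisabled' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ExampleTattooedValue' }
)
Find-TattooedValue -RetiredSettings $retired | Format-Table -AutoSize   # report only
# Find-TattooedValue -RetiredSettings $retired -Remove -WhatIf         # preview cleanup
```

Run it as the user or SYSTEM context that owns the hive you are auditing (HKCU entries are per user), and keep the report so the "before" state is on record.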
FOOD FOR THOUGHT
What we found wasn't a broken policy; it was a leftover decision. Those are always harder to troubleshoot than something that's actively wrong.
If this surprised you, that's the real problem. It means you don't actually know your current configuration state; you're assuming it, and in security, assumptions are where risk lives.
If you don't want to make assumptions and want to know what your baseline is actually set to, PM me. I live hardened baselines ☺️
Robbz Olson