
AD Tripwires - Removing Domain Policy

Note: Removing the Domain Policy does not fully remove AD Tripwires. Additional steps are required to clean up tripwire accounts, agent configuration, and related infrastructure.

Edit existing policy to configure removal of scheduled task

  1. Open Group Policy Management Console (gpmc.msc)
  2. Locate the existing H3 IoA Policy object inside the Group Policy Objects container.
  3. Right click on the policy object and click the Edit option from the context menu.

    GPMC Policy Context Menu

  4. Once the Group Policy Management Editor opens, use the sidebar to navigate to Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks

    GPMC Editor Sidebar

  5. Right click on the scheduled task in the list. Click Properties from the context menu.

    GPMC Editor Scheduled Task Context Menu

  6. Once the Scheduled Task Properties dialog window opens, select the General tab if it isn't already selected.

  7. Change the Action dropdown from Replace to Delete.

    GPMC Editor Scheduled Task Action

  8. Click Apply and then OK.

  9. Close the Group Policy Management Editor window.
  10. ATTENTION: Wait for group policy to replicate to all domain controllers

    Typical Timeframes

    Small domains (1-10 DCs): 15 minutes to 1 hour

    Medium enterprises (10-50 DCs): 1-4 hours

    Large enterprises (50+ DCs): 2-8 hours

    Very large/global enterprises: 8-24 hours

You can also run gpupdate /force on individual domain controllers to force an immediate Group Policy refresh.

  11. Spot check domain controllers to verify that the scheduled task has been removed
    1. Open Windows Task Scheduler (taskschd.msc)
    2. Verify that the IoA Collector task does not appear in the Task Scheduler Library.

      Task Scheduler Library
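To confirm removal on every domain controller rather than a sample before deleting the GPO, the check above can be scripted. This is an added example, not part of the product's own tooling; it assumes the RSAT ActiveDirectory module, PowerShell remoting to the domain controllers, and that the task's name contains "IoA Collector" as it appears in Task Scheduler.

```powershell
# Added example: sweep every DC for the leftover scheduled task.
# Assumptions: RSAT ActiveDirectory module, WinRM remoting to DCs, and a
# task name containing "IoA Collector" (adjust $TaskPattern if yours differs).
Import-Module ActiveDirectory

$TaskPattern = '*IoA Collector*'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Search all Task Scheduler folders on the remote DC for a matching task.
        $tasks = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($pattern)
            Get-ScheduledTask -TaskName $pattern -ErrorAction SilentlyContinue |
                Select-Object TaskPath, TaskName, State
        } -ArgumentList $TaskPattern

        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            Status           = if ($tasks) { 'TaskPresent' } else { 'Removed' }
            Detail           = ($tasks | ForEach-Object { $_.TaskPath + $_.TaskName }) -join '; '
        }
    }
    catch {
        # An unreachable DC is not evidence of removal; report it separately.
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            Status           = 'Unreachable'
            Detail           = $_.Exception.Message
        }
    }
}

$results | Sort-Object Status, DomainController | Format-Table -AutoSize

# Anything other than 'Removed' means the GPO still has work to do on that DC.
$pending = @($results | Where-Object Status -ne 'Removed')
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) domain controller(s) not confirmed clean; do not delete the GPO yet."
}
```

Domain controllers reported as TaskPresent have not yet applied the Delete action; run gpupdate /force on them and re-run the sweep.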

Remove Group Policy Object

Once the GPO has replicated and removed the scheduled task from all domain controllers, the group policy itself can be unlinked and removed.

  1. Open Group Policy Management Console (gpmc.msc)
  2. Locate the H3 IoA Policy link under the Domain Controllers OU. Right click on the link and select Delete from the context menu.

    GPMC GPO Link Context Menu

  3. Locate the H3 IoA Policy object under the Group Policy Objects container. Right click on the policy object and select Delete from the context menu.

    GPMC GPO Context Menu