Forum Discussion
GroupPolicy/Registry issue
My MDR product is having an issue with scanning the registry of our hosts. It times out and causes performance issues, essentially bringing down the host. I opened a case with their support and we narrowed the issue down to this reg key:
Computer\HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
There are hundreds of sub keys, each with their own sub keys. It seems each time group policy is applied to the host, 2 new keys are created, a machine and a user key. As a test, I deleted everything under the main key and rebooted. After logging back in, 2 new keys had been created. After a day I checked again and there were a dozen or more. Now after a few weeks we're back up to hundreds. Does anyone have any ideas as to how to automatically clean up the older entries to keep the number to a minimum? Or is there a way to stop this behavior? Thanks
7 Replies
- clutch_72 (Copper Contributor)
After about 3 days now, we are up to 74 keys.
I ran gpresult /r and it's not applying anything really:
gpresult /r
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© Microsoft Corporation. All rights reserved.
Created on 8/29/2025 at 7:07:45 AM
RSOP data for : Logging Mode
--------------------------------------------------------------
OS Configuration: Member Workstation
OS Version: 10.0.26100
Site Name: N/A
Roaming Profile: N/A
Local Profile: C:\Users\
Connected over a slow link?: No
USER SETTINGS
--------------
Last time Group Policy was applied: 8/29/2025 at 6:45:16 AM
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name:
Domain Type: <Local Computer>
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Unknown Reason)
The user is a part of the following security groups
---------------------------------------------------
None
Everyone
Local account and member of Administrators group
View Agent Direct-Connection Users
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
Local account
LOCAL
NTLM Authentication
High Mandatory Level
- L_Youtell_974 (Iron Contributor)
What you can do first is create a new OU and block all GPOs, put your host in that OU, and see whether your computer still has the issue without GPOs. From there, you can add one GPO at a time and you will see which one goes wrong with your host.
- clutch_72 (Copper Contributor)
Thank you for the suggestion. So I created a new OU, blocked GPO inheritance and moved a test host into the OU. I deleted every key under Computer\HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects, then rebooted. I logged into the host as a local user to keep any domain user GPOs from being applied, and when I checked the registry, there were 2 new keys. I rebooted, logged back in and checked to find 6 total keys. I rebooted a 3rd time and there were still just the 6 keys. I waited a bit, rebooted again and found a total of 10 keys in there. Then I let the host sit for a couple hours and now there are 16 keys. Even with block inheritance enabled, GPOs are being created in the registry. Any other ideas are appreciated. Thanks
- clutch_72 (Copper Contributor)
Thank you for the suggestion. So I created a new OU, blocked all GPO inheritance and moved a test host into it. I deleted every key under Computer\HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects, rebooted and logged in as a local user, to keep any domain user GPOs from being applied. When I opened registry editor, two new keys had been created. I rebooted again and after logging in and opening the registry, there were a total of 6 keys. I rebooted a third time and checked to find 8 keys there. A 4th reboot did not yield any new keys, but I'll give it 30-60 minutes and see if there are any additional keys.
- L_Youtell_974 (Iron Contributor)
In that case, did you try rsop.msc to check if you have a local GPO on your local computer?
Can you tell what the key in the GPO is?