Remove unneeded settings from Group Policy Objects

Most Group Policy Objects (GPOs) comprise multiple settings for a Windows feature or an application. If you want to remove a particular setting, it will very often still leave some residue behind. Therefore, in this case, a manual rework is necessary.

Author
Recent Posts

Benjamin Bürk

Benjamin Bürk is a senior systems engineer who has been managing IT infrastructures for companies since 2002. His focus is on server operations and especially on Remote Desktop Services (RDS) environments. Further competences are unified communications, virtualization, and Active Directory management. He holds MCSA 2008 and 2012 certifications.

Latest posts by Benjamin Bürk (see all)

Remove unneeded settings from Group Policy Objects - Thu, Apr 23 2020
Configure spam filter in Exchange Online Protection (EOP) using PowerShell - Wed, Dec 18 2019
Manage Outlook spam filters using PowerShell and GPOs - Mon, Dec 9 2019

Contents of this article

Streamlining GPOs
Saving GPOs before editing

It's a recommended practice to organize GPOs in a consistent and logical way so you can keep track of their settings. But continuous changes will challenge even the best order. Not only are new administrative templates added regularly, but over time, GPOs also manage different Windows and Office versions side by side. This increases not only the number but also the complexity.

Streamlining GPOs ^

So managing group policies means not only constantly adding new settings but also removing those no longer needed. It is annoying, however, when parts are removed from a complex group policy, but they are not deleted.

In this case, files may be left behind, and depending on the setup, they may continue to be replicated. In addition, the references for the Client-Side Extension (CSE) are retained, so that the processing time is not reduced despite the streamlined GPOs.

Saving GPOs before editing ^

It may therefore be useful to remove GPO components manually. However, do this with care, because an incorrect change can have far-reaching consequences. In any case, it is advisable to back up the GPOs and the system status before starting. It is also best to evaluate the changes in a test environment beforehand.

In this article, we will deal with the case where folder redirections are no longer needed, and the settings should be deleted. In my environment, the GPO U_TST_Profilmgmt is responsible for this, which includes drive assignments and folder redirections.

GPO GPO U TST Profilmgmt with the folder redirection settings to be removed

The folder redirection settings are in the hidden file fdeploy1.ini under the domain controller's Sysvol directory.

The folder redirection GPO setting is in the Sysvol folder in the fdeploy1.ini file

Now I will disable folder redirection in the GPO editor.

Disable folder redirection in the GPO editor

However, the entries are still visible in the GPO, which is misleading in more complex GPOs. In addition, the fdeploy.ini and fdeploy1.ini files also remain.

After disabling folder redirection, the setting remains in the GPO

Later on, we will need the globally unique ID (GUID) of the group policy. This is on the Details tab in Group Policy Management. In our example, it is {686F35FD-B3A8-4CD6-A20D-85FBF5FF1E09}.

Getting the GPO's GUID from the Group Policy Management details

Subsequently, find the corresponding GPO by its GUID on Sysvol and delete the Documents & Settings subdirectory under the User folder.

Delete files belonging to the GPO in the User branch on Sysvol

Now an error message appears in GPO U_TST_Profilmgmt because it refers to files that no longer exist.

Group Policy Management reports an error after deletion of the files

To fix this problem, the next step is to open Active Directory (AD) Users and Computers. There you have to make sure that Advanced Features is activated in the View menu.

Before editing the GPO attribute in AD Users and Computers, you need to enable Advanced Features

In the tree structure, you can navigate to the corresponding GPO, found under <Domain> > System > Policies > [GUID] {686F35FD-B3A8-4CD6-A20D-85FBF5FF1E09}.

Select the appropriate GPO entry in AD and edit the gPCUserExtensionNames attribute

Then select the Properties command in the GPO's context menu. In the following dialog, switch to the Attribute Editor tab and edit the gPCUserExtensionNames attribute.

Now I will delete only the part that relates to folder redirection, including the square brackets (it is best to copy the attribute value into an external editor). In this case, the GUID of the setting is {25537BA6-77A8-11D2-9B6C-0000F8080861}, and the whole expression looks like this:

[{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}]

You can retrieve the CSE GUIDs needed here from the Registry with this PowerShell command:

gci "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions" | Out-GridView

1	gci "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions" \| Out-GridView

Reading CSE GUIDs from the Registry with PowerShell

Alternatively, there is a nicely formatted list on Martin Binder's website.

Please note that you must keep the remaining part and the brackets. In my example, this would be:

[{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]

After leaving the editor, confirm the warning and save the changes.

The disabled setting will disappear after cleaning up the GPO

Now that this part of the GPO is no longer visible, the error has disappeared, and the unnecessary files have been deleted. Similarly, you can also clean up other GPOs using this method.

Want to write for 4sysops? We are looking for new authors.

Read 4sysops without ads by becoming a member!