Most Group Policy Objects (GPOs) comprise multiple settings for a Windows feature or an application. Removing a particular setting from such a GPO very often leaves some residue behind, so manual rework is necessary.

It's a recommended practice to organize GPOs in a consistent and logical way so you can keep track of their settings. But continuous changes will challenge even the best order. Not only are new administrative templates added regularly, but over time, GPOs also manage different Windows and Office versions side by side. This increases not only the number but also the complexity.

Streamlining GPOs

So managing group policies means not only constantly adding new settings but also removing those no longer needed. It is annoying, however, when parts are removed from a complex group policy but are not actually deleted.

In this case, files may be left behind, and depending on the setup, they may continue to be replicated. In addition, the references for the Client-Side Extension (CSE) are retained, so that the processing time is not reduced despite the streamlined GPOs.

Saving GPOs before editing

It may therefore be useful to remove GPO components manually. However, do this with care, because an incorrect change can have far-reaching consequences. In any case, it is advisable to back up the GPOs and the system status before starting. It is also best to evaluate the changes in a test environment beforehand.

In this article, we will deal with the case where folder redirections are no longer needed, and the settings should be deleted. In my environment, the GPO U_TST_Profilmgmt is responsible for this, which includes drive assignments and folder redirections.

GPO U_TST_Profilmgmt with the folder redirection settings to be removed


The folder redirection settings are in the hidden file fdeploy1.ini under the domain controller's Sysvol directory.

The folder redirection GPO setting is in the Sysvol folder in the fdeploy1.ini file


Now I will disable folder redirection in the GPO editor.

Disable folder redirection in the GPO editor


However, the entries are still visible in the GPO, which is misleading in more complex GPOs. In addition, the fdeploy.ini and fdeploy1.ini files also remain.

After disabling folder redirection, the setting remains in the GPO


Later on, we will need the globally unique ID (GUID) of the group policy. This is on the Details tab in Group Policy Management. In our example, it is {686F35FD-B3A8-4CD6-A20D-85FBF5FF1E09}.

Getting the GPO's GUID from the Group Policy Management details


Subsequently, find the corresponding GPO by its GUID on Sysvol and delete the Documents & Settings subdirectory under the User folder.

Delete files belonging to the GPO in the User branch on Sysvol


Now an error message appears in GPO U_TST_Profilmgmt because it refers to files that no longer exist.

Group Policy Management reports an error after deletion of the files


To fix this problem, the next step is to open Active Directory (AD) Users and Computers. There you have to make sure that Advanced Features is activated in the View menu.

Before editing the GPO attribute in AD Users and Computers, you need to enable Advanced Features


In the tree structure, you can navigate to the corresponding GPO, found under <Domain> > System > Policies > [GUID] {686F35FD-B3A8-4CD6-A20D-85FBF5FF1E09}.

Select the appropriate GPO entry in AD and edit the gPCUserExtensionNames attribute


Then select the Properties command in the GPO's context menu. In the following dialog, switch to the Attribute Editor tab and edit the gPCUserExtensionNames attribute.

Now I will delete only the part that relates to folder redirection, including the square brackets (it is best to copy the attribute value into an external editor). In this case, the GUID of the setting is {25537BA6-77A8-11D2-9B6C-0000F8080861}, and the whole expression looks like this:

[{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}]

You can retrieve the CSE GUIDs needed here from the Registry with this PowerShell command:

Reading CSE GUIDs from the Registry with PowerShell


Alternatively, there is a nicely formatted list on Martin Binder's website.

Please note that you must keep the remaining part and the brackets. In my example, this would be:

[{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]

After leaving the editor, confirm the warning and save the changes.
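
The attribute edit described above can also be previewed from PowerShell. This is an added example, not part of the original article: it assumes the ActiveDirectory and GroupPolicy RSAT modules, uses the GUIDs quoted in the text, and the backup folder and the function names Split-ExtensionNames and Remove-CseGroup are hypothetical.

```powershell
# Added example (not from the article). GUIDs are the ones shown in the text.
Import-Module ActiveDirectory, GroupPolicy
$gpoGuid   = '{686F35FD-B3A8-4CD6-A20D-85FBF5FF1E09}'  # GPO GUID from the Details tab
$cseGuid   = '{25537BA6-77A8-11D2-9B6C-0000F8080861}'  # folder redirection CSE
$backupDir = 'C:\GpoBackup'                            # hypothetical, must already exist

# Map registered CSE GUIDs to their display names (default value of each key).
$cseRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$cseNames = @{}
Get-ChildItem $cseRoot | ForEach-Object { $cseNames[$_.PSChildName.ToUpper()] = $_.GetValue('') }

function Split-ExtensionNames([string]$Value) {
    # Each [...] group is a CSE GUID followed by the GUID(s) of its editing tool.
    [regex]::Matches($Value, '\[[^\]]+\]') | ForEach-Object { $_.Value }
}

function Remove-CseGroup([string]$Value, [string]$Cse) {
    # Drop only the group that starts with the given CSE GUID, brackets included.
    $kept = Split-ExtensionNames $Value |
        Where-Object { -not $_.StartsWith("[$Cse", [StringComparison]::OrdinalIgnoreCase) }
    -join $kept
}

Backup-GPO -Guid $gpoGuid -Path $backupDir | Out-Null   # back up before editing

$dn  = "CN=$gpoGuid,CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$old = (Get-ADObject -Identity $dn -Properties gPCUserExtensionNames).gPCUserExtensionNames
$new = Remove-CseGroup $old $cseGuid

# Show which extensions the GPO currently references, then the before/after value.
Split-ExtensionNames $old | ForEach-Object {
    $id = $_.Substring(1, 38).ToUpper()
    '{0}  {1}' -f $id, $cseNames[$id]
}
"Old: $old"
"New: $new"

# -WhatIf only previews the write; remove it once the new value has been checked.
if ($new) { Set-ADObject -Identity $dn -Replace @{ gPCUserExtensionNames = $new } -WhatIf }
else      { Set-ADObject -Identity $dn -Clear gPCUserExtensionNames -WhatIf }
```

Entries that have no key under GPExtensions, such as the all-zero GUID in the remaining value, are listed without a name.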

The disabled setting will disappear after cleaning up the GPO


Now that this part of the GPO is no longer visible, the error has disappeared, and the unnecessary files have been deleted. Similarly, you can also clean up other GPOs using this method.
