- Send emails in Exchange Online using an alias address: Configuration with PowerShell and admin center - Tue, Jun 29 2021
- Deactivate update notifications on Windows Server - Wed, Jun 3 2020
- Remove unneeded settings from Group Policy Objects - Thu, Apr 23 2020
It's a recommended practice to organize GPOs in a consistent and logical way so you can keep track of their settings. But continuous changes will challenge even the best order. Not only are new administrative templates added regularly, but over time, GPOs also manage different Windows and Office versions side by side. This increases not only the number but also the complexity.
Streamlining GPOs ^
So managing group policies means not only constantly adding new settings but also removing those no longer needed. It is annoying, however, when parts are removed from a complex group policy, but they are not deleted.
In this case, files may be left behind, and depending on the setup, they may continue to be replicated. In addition, the references for the Client-Side Extension (CSE) are retained, so that the processing time is not reduced despite the streamlined GPOs.
Saving GPOs before editing ^
It may therefore be useful to remove GPO components manually. However, do this with care, because an incorrect change can have far-reaching consequences. In any case, it is advisable to back up the GPOs and the system status before starting. It is also best to evaluate the changes in a test environment beforehand.
In this article, we will deal with the case where folder redirections are no longer needed, and the settings should be deleted. In my environment, the GPO U_TST_Profilmgmt is responsible for this, which includes drive assignments and folder redirections.
The folder redirection settings are in the hidden file fdeploy1.ini under the domain controller's Sysvol directory.
Now I will disable folder redirection in the GPO editor.
However, the entries are still visible in the GPO, which is misleading in more complex GPOs. In addition, the fdeploy.ini and fdeploy1.ini files also remain.
Later on, we will need the globally unique ID (GUID) of the group policy. This is on the Details tab in Group Policy Management. In our example, it is {686F35FD-B3A8-4CD6-A20D-85FBF5FF1E09}.
Subsequently, find the corresponding GPO by its GUID on Sysvol and delete the Documents & Settings subdirectory under the User folder.
Now an error message appears in GPO U_TST_Profilmgmt because it refers to files that no longer exist.
To fix this problem, the next step is to open Active Directory (AD) Users and Computers. There you have to make sure that Advanced Features is activated in the View menu.
In the tree structure, you can navigate to the corresponding GPO, found under <Domain> > System > Policies > [GUID] {686F35FD-B3A8-4CD6-A20D-85FBF5FF1E09}.
Then select the Properties command in the GPO's context menu. In the following dialog, switch to the Attribute Editor tab and edit the gPCUserExtensionNames attribute.
Now I will delete only the part that relates to folder redirection, including the square brackets (it is best to copy the attribute value into an external editor). In this case, the GUID of the setting is {25537BA6-77A8-11D2-9B6C-0000F8080861}, and the whole expression looks like this:
[{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}]
You can retrieve the CSE GUIDs needed here from the Registry with this PowerShell command:
gci "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions" | Out-GridView
Alternatively, there is a nicely formatted list on Martin Binder's website.
Please note that you must keep the remaining part and the brackets. In my example, this would be:
[{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
After leaving the editor, confirm the warning and save the changes.
Now that this part of the GPO is no longer visible, the error has disappeared, and the unnecessary files have been deleted. Similarly, you can also clean up other GPOs using this method.
Is there an automated way of doing this?
Hi Sandy, I don't have a automated way or script which does this. Please be carefull if you change GPOs in a row.
This helped thanks!
I had to delete an additional GUID. According to Martin’s website it also relates to Folder Redirection:
{88E729D6-BDC1-11D1-BD2A-00C04FB9603F} FolderRedirection_1 – Ordnerumleitung