- Deactivate update notifications on Windows Server - Wed, Jun 3 2020
- Remove unneeded settings from Group Policy Objects - Thu, Apr 23 2020
- Configure spam filter in Exchange Online Protection (EOP) using PowerShell - Wed, Dec 18 2019
It's a recommended practice to organize GPOs in a consistent and logical way so you can keep track of their settings. But continuous changes will challenge even the best order. Not only are new administrative templates added regularly, but over time, GPOs also manage different Windows and Office versions side by side. This increases not only the number but also the complexity.
Streamlining GPOs ^
So managing group policies means not only constantly adding new settings but also removing those no longer needed. It is annoying, however, when parts are removed from a complex group policy, but they are not deleted.
In this case, files may be left behind, and depending on the setup, they may continue to be replicated. In addition, the references for the Client-Side Extension (CSE) are retained, so that the processing time is not reduced despite the streamlined GPOs.
Saving GPOs before editing ^
It may therefore be useful to remove GPO components manually. However, do this with care, because an incorrect change can have far-reaching consequences. In any case, it is advisable to back up the GPOs and the system status before starting. It is also best to evaluate the changes in a test environment beforehand.
In this article, we will deal with the case where folder redirections are no longer needed, and the settings should be deleted. In my environment, the GPO U_TST_Profilmgmt is responsible for this, which includes drive assignments and folder redirections.
GPO GPO U TST Profilmgmt with the folder redirection settings to be removed
The folder redirection settings are in the hidden file fdeploy1.ini under the domain controller's Sysvol directory.
The folder redirection GPO setting is in the Sysvol folder in the fdeploy1.ini file
Now I will disable folder redirection in the GPO editor.
Disable folder redirection in the GPO editor
However, the entries are still visible in the GPO, which is misleading in more complex GPOs. In addition, the fdeploy.ini and fdeploy1.ini files also remain.
After disabling folder redirection, the setting remains in the GPO
Later on, we will need the globally unique ID (GUID) of the group policy. This is on the Details tab in Group Policy Management. In our example, it is {686F35FD-B3A8-4CD6-A20D-85FBF5FF1E09}.
Getting the GPO's GUID from the Group Policy Management details
Subsequently, find the corresponding GPO by its GUID on Sysvol and delete the Documents & Settings subdirectory under the User folder.
Delete files belonging to the GPO in the User branch on Sysvol
Now an error message appears in GPO U_TST_Profilmgmt because it refers to files that no longer exist.
Group Policy Management reports an error after deletion of the files
To fix this problem, the next step is to open Active Directory (AD) Users and Computers. There you have to make sure that Advanced Features is activated in the View menu.
Before editing the GPO attribute in AD Users and Computers, you need to enable Advanced Features
In the tree structure, you can navigate to the corresponding GPO, found under <Domain> > System > Policies > [GUID] {686F35FD-B3A8-4CD6-A20D-85FBF5FF1E09}.
Select the appropriate GPO entry in AD and edit the gPCUserExtensionNames attribute
Then select the Properties command in the GPO's context menu. In the following dialog, switch to the Attribute Editor tab and edit the gPCUserExtensionNames attribute.
Now I will delete only the part that relates to folder redirection, including the square brackets (it is best to copy the attribute value into an external editor). In this case, the GUID of the setting is {25537BA6-77A8-11D2-9B6C-0000F8080861}, and the whole expression looks like this:
[{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}]
You can retrieve the CSE GUIDs needed here from the Registry with this PowerShell command:
1 | gci "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions" | Out-GridView |
Reading CSE GUIDs from the Registry with PowerShell
Alternatively, there is a nicely formatted list on Martin Binder's website.
Please note that you must keep the remaining part and the brackets. In my example, this would be:
[{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
After leaving the editor, confirm the warning and save the changes.
The disabled setting will disappear after cleaning up the GPO
Now that this part of the GPO is no longer visible, the error has disappeared, and the unnecessary files have been deleted. Similarly, you can also clean up other GPOs using this method.
Want to write for 4sysops? We are looking for new authors.
Read 4sysops without ads and for free by becoming a member!
Is there an automated way of doing this?
Hi Sandy, I don't have a automated way or script which does this. Please be carefull if you change GPOs in a row.