Solved

Defunct SBS 2003 - What about the GPOs and O.U ?

Posted on 2011-03-01
5
771 Views
Last Modified: 2012-05-11
Hi dear Experts,

A couple of time ago, we lost our SBS 2003 standard (Primary D.C, DNS and Exchange). We managed to restore the GPOS and transfer everything (roles etc) to a secondary D.C (having Server 2003 Standard only) that is acting as the primary D.C/DNS now.

I had to restore few GPO back then so Active Directory stops complaining but everything else seemed to be fine. Now when browsing the Group Policy Management, I do see those old 'SBS GPOs' (see attachment) but they do not seems to be in use anymore. Is it safe to delete them without harming my structure ? I do see old O.U too, are those safe to delete as well ?

We plan to introduce a Server 2008 R2 standard with Exchange 2010 in this topology in a near future so I was wondering if any of these could cause us problems.

Any help would be greatly appreciated

Best Regards  
old-sbs-gpo.jpg
0
Comment
Question by:Eric_Gennaoui
  • 2
  • 2
5 Comments
 
LVL 7

Assisted Solution

by:ManicD
ManicD earned 200 total points
ID: 35008336
According to that image those GPOs are LINKED and IN USE!!!

Do not delete them!!

First take the GPO links (the ones not in the GPO objects folder)

Delete the links, wait a week to see if anything changes.
If all is fine, delete the GPO's

As for the actual Organisational Units (AD folders), Thouroughly check that each is empty before deleting them.
Once you are sure they are empty, check again!!!

then remove them
0
 
LVL 8

Assisted Solution

by:devinnoel
devinnoel earned 300 total points
ID: 35008446
Select a GPO in the Group Policy Management Console (where your screenshots were taken). The Scope tab should be the default tab open. If the top window that says "Links" doesn't have anything listed in it, that GPO isn't applied anywhere.

However from your screenshot most of the SBS GPO's are linked to the root entry of your domain:

Small Business Server Client Computer
Small Business Server Domain Password Policy
Small Business Server Internet Connection Firewall
Small Business Server Lockout Policy
Small Business Server Remote Assistance Policy

Small Business Server Windows Firewall (appears faded which means the link is disabled, so that one is not getting applied)

If you delete those GPO's applied to the root of your domain, the settings they enforce will stop being enforced.

The other non Small Bsiness Server GPO's don't appear to be applied anywhere that I can see. If they aren't, deleting them wouldn't cause problems. Then again, leaving them around not linked anywhere wouldn't cause any problems either & you could re-link them and/or update them to use again if you ever had the need.
0
 
LVL 2

Author Comment

by:Eric_Gennaoui
ID: 35008862
Thanks ManicD and devinnoel for your quick replies.

I unlinked all the Small Business* related GPO from the root of my domain (see 2nd attachment) and applied a 'gpupdate /force' and it seems that the GPOs were applied successfully....So I will let them be and see if any issues occurs before deleting them. Does the 'Group Policy Objects' (bottom part) would be remove when deleting them ?

As for the O.U, I will wait and see if we still need them (if no i will make sure they are empty) before proceeding with the removal.

So..bottom of the line is :

1. Unlink the GPOs and see if any issue occurs
2. If none, we can safely delete the GPOs
3. If everything is fine and they are empty, safely delete the O.U

Those 3 steps make sense right If I understood you guys correctly ?

Thanks
old-gpo-unlinked.jpg
0
 
LVL 8

Accepted Solution

by:
devinnoel earned 300 total points
ID: 35008950
So..bottom of the line is :

1. Unlink the GPOs and see if any issue occurs
2. If none, we can safely delete the GPOs
3. If everything is fine and they are empty, safely delete the O.U

Those 3 steps make sense right If I understood you guys correctly ?

Pretty much, should work fine. I tend to keep old GPO's around just in case I find out I really needed them later if it was a really complex GPO, but you can always rebuild them. Might not hurt to backup the GPO's (Right click on a GPO, select Backup, etc.) before you delete them, just in case.

If nothing is in an OU & there is no GPO applied it is safe to delete. OU's are pretty trivial to recreate if needed, so no real worries there. Even if a GPO is applied to an OU, you won't delete a GPO when you delete the OU, just the link. Be careful, if you delete an OU that has items in it (users, computers, sub-OU's) all objects in that OU will be deleted.

I have a couple small SBS domains in addition to the main domain I support that I'm finally consolidating & getting rid of. Despite the fact I never really used any of the SBS GPO's I never bothered deleting them just in case I needed them at some point & because they did no harm just sitting there unlinked.
0
 
LVL 2

Author Comment

by:Eric_Gennaoui
ID: 35009029
Ok thanks for confirming my thoughts. I will then leave those GPOs (since in your experience confirm they do not harm) as they are bu 'unlinked' only.

I will split the point between devinnole and ManicD, but giving more points to devinnoel since his answers were more thorough.

Best Regards
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these cus…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now