Solved

Defunct SBS 2003 - What about the GPOs and O.U ?

Posted on 2011-03-01
Last Modified: 2012-05-11
Hi dear Experts,

Some time ago, we lost our SBS 2003 Standard (primary D.C, DNS and Exchange). We managed to restore the GPOs and transfer everything (roles etc.) to a secondary D.C (having Server 2003 Standard only) that is acting as the primary D.C/DNS now.

I had to restore a few GPOs back then so Active Directory would stop complaining, but everything else seemed to be fine. Now when browsing the Group Policy Management, I do see those old 'SBS GPOs' (see attachment) but they do not seem to be in use anymore. Is it safe to delete them without harming my structure? I do see old O.U too; are those safe to delete as well?

We plan to introduce a Server 2008 R2 Standard with Exchange 2010 in this topology in the near future, so I was wondering if any of these could cause us problems.

Any help would be greatly appreciated

Best Regards  
old-sbs-gpo.jpg
Question by:Eric_Gennaoui
5 Comments
 
LVL 7

Assisted Solution

by:ManicD
ManicD earned 200 total points
ID: 35008336
According to that image those GPOs are LINKED and IN USE!!!

Do not delete them!!

First take the GPO links (the ones not in the GPO objects folder)

Delete the links, wait a week to see if anything changes.
If all is fine, delete the GPO's

As for the actual Organisational Units (AD folders), thoroughly check that each is empty before deleting them.
Once you are sure they are empty, check again!!!

then remove them
0
 
LVL 8

Assisted Solution

by:devinnoel
devinnoel earned 300 total points
ID: 35008446
Select a GPO in the Group Policy Management Console (where your screenshots were taken). The Scope tab should be the default tab open. If the top window that says "Links" doesn't have anything listed in it, that GPO isn't applied anywhere.

However, from your screenshot, most of the SBS GPOs are linked to the root entry of your domain:

Small Business Server Client Computer
Small Business Server Domain Password Policy
Small Business Server Internet Connection Firewall
Small Business Server Lockout Policy
Small Business Server Remote Assistance Policy

Small Business Server Windows Firewall (appears faded which means the link is disabled, so that one is not getting applied)

If you delete those GPO's applied to the root of your domain, the settings they enforce will stop being enforced.

The other non-Small Business Server GPOs don't appear to be applied anywhere that I can see. If they aren't, deleting them wouldn't cause problems. Then again, leaving them around not linked anywhere wouldn't cause any problems either, and you could re-link them and/or update them to use again if you ever had the need.
0
 
LVL 2

Author Comment

by:Eric_Gennaoui
ID: 35008862
Thanks ManicD and devinnoel for your quick replies.

I unlinked all the Small Business* related GPOs from the root of my domain (see 2nd attachment) and ran a 'gpupdate /force', and it seems that the GPOs were applied successfully. So I will let them be and see if any issues occur before deleting them. Would the 'Group Policy Objects' (bottom part) be removed when deleting them?

As for the O.U, I will wait and see if we still need them (if not, I will make sure they are empty) before proceeding with the removal.

So..bottom of the line is :

1. Unlink the GPOs and see if any issue occurs
2. If none, we can safely delete the GPOs
3. If everything is fine and they are empty, safely delete the O.U

Those 3 steps make sense, right, if I understood you guys correctly?

Thanks
old-gpo-unlinked.jpg
0
 
LVL 8

Accepted Solution

by:
devinnoel earned 300 total points
ID: 35008950
So..bottom of the line is :

1. Unlink the GPOs and see if any issue occurs
2. If none, we can safely delete the GPOs
3. If everything is fine and they are empty, safely delete the O.U

Those 3 steps make sense, right, if I understood you guys correctly?

Pretty much, should work fine. I tend to keep old GPOs around just in case I find out I really needed them later if it was a really complex GPO, but you can always rebuild them. Might not hurt to back up the GPOs (right-click on a GPO, select Backup, etc.) before you delete them, just in case.

If nothing is in an OU & there is no GPO applied it is safe to delete. OU's are pretty trivial to recreate if needed, so no real worries there. Even if a GPO is applied to an OU, you won't delete a GPO when you delete the OU, just the link. Be careful, if you delete an OU that has items in it (users, computers, sub-OU's) all objects in that OU will be deleted.

I have a couple small SBS domains in addition to the main domain I support that I'm finally consolidating & getting rid of. Despite the fact I never really used any of the SBS GPO's I never bothered deleting them just in case I needed them at some point & because they did no harm just sitting there unlinked.
0
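
The checks discussed in this thread (where each GPO is linked, a backup before any deletion, whether an OU is really empty), as an added PowerShell example that is not part of the original posts. It assumes the GroupPolicy module (GPMC on Server 2008 R2 / RSAT or later); `$BackupDir`, `$OuDn` and the function names are placeholders chosen for illustration, and nothing in it unlinks or deletes anything.

```powershell
# Added example (not from the thread). Assumes the GroupPolicy module
# (GPMC on Server 2008 R2 / RSAT or later) and rights to read and back up GPOs.
Import-Module GroupPolicy

$BackupDir = 'C:\GPOBackup'                       # placeholder path
$OuDn      = 'OU=OldSbsOu,DC=example,DC=local'    # placeholder OU DN

function Get-GpoLinkReport {
    # One row per GPO: every container it is linked to, and whether each
    # link is enabled (a disabled link is the "faded" entry in GPMC).
    foreach ($gpo in Get-GPO -All) {
        [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($xml.GPO.LinksTo | Where-Object { $_ })
        New-Object PSObject -Property @{
            Name      = $gpo.DisplayName
            Id        = $gpo.Id
            LinkCount = $links.Count
            Links     = @($links | ForEach-Object {
                            '{0} (enabled={1})' -f $_.SOMPath, $_.Enabled })
        }
    }
}

function Get-OuContent {
    # Everything below the OU (users, computers, sub-OUs), excluding the OU itself.
    param([string]$DistinguishedName)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$DistinguishedName"
    $s.SearchScope = 'Subtree'
    $s.Filter      = '(objectClass=*)'
    $s.PageSize    = 500
    $s.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] } |
        Where-Object { $_ -ne $DistinguishedName }
}

$rows = @(Get-GpoLinkReport)
$rows | Sort-Object LinkCount -Descending | Format-Table Name, LinkCount, Links -AutoSize

# Back up every unlinked GPO first, so it can be restored if it turns out to be needed.
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
$rows | Where-Object { $_.LinkCount -eq 0 } | ForEach-Object {
    Backup-GPO -Guid $_.Id -Path $BackupDir -Comment 'Before cleanup' | Out-Null
}

# Deleting an OU deletes the objects inside it, so list them before deciding.
$left = @(Get-OuContent -DistinguishedName $OuDn)
if ($left.Count -eq 0) { "$OuDn is empty" } else { "$OuDn still contains:"; $left }
```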
 
LVL 2

Author Comment

by:Eric_Gennaoui
ID: 35009029
OK, thanks for confirming my thoughts. I will then leave those GPOs (since your experience confirms they do no harm) as they are, but 'unlinked' only.

I will split the points between devinnoel and ManicD, but giving more points to devinnoel since his answers were more thorough.

Best Regards
0
