Solved

Defunct SBS 2003 - What about the GPOs and O.U ?

Posted on 2011-03-01
Last Modified: 2012-05-11
Hi dear Experts,

A while ago, we lost our SBS 2003 Standard (primary D.C, DNS and Exchange). We managed to restore the GPOs and transfer everything (roles etc.) to a secondary D.C (running Server 2003 Standard only) that is acting as the primary D.C/DNS now.

I had to restore a few GPOs back then so Active Directory would stop complaining, but everything else seemed to be fine. Now when browsing the Group Policy Management, I do see those old 'SBS GPOs' (see attachment) but they do not seem to be in use anymore. Is it safe to delete them without harming my structure? I do see old O.Us too; are those safe to delete as well?

We plan to introduce a Server 2008 R2 Standard with Exchange 2010 into this topology in the near future, so I was wondering if any of these could cause us problems.

Any help would be greatly appreciated

Best Regards  
old-sbs-gpo.jpg
Question by:Eric_Gennaoui
5 Comments
 
LVL 7

Assisted Solution

by:ManicD
ManicD earned 800 total points
ID: 35008336
According to that image those GPOs are LINKED and IN USE!!!

Do not delete them!!

First take the GPO links (the ones not in the GPO objects folder)

Delete the links, wait a week to see if anything changes.
If all is fine, delete the GPO's

As for the actual Organisational Units (AD folders), thoroughly check that each is empty before deleting them.
Once you are sure they are empty, check again!!!

then remove them
0
 
LVL 8

Assisted Solution

by:devinnoel
devinnoel earned 1200 total points
ID: 35008446
Select a GPO in the Group Policy Management Console (where your screenshots were taken). The Scope tab should be the default tab open. If the top window that says "Links" doesn't have anything listed in it, that GPO isn't applied anywhere.

However from your screenshot most of the SBS GPO's are linked to the root entry of your domain:

Small Business Server Client Computer
Small Business Server Domain Password Policy
Small Business Server Internet Connection Firewall
Small Business Server Lockout Policy
Small Business Server Remote Assistance Policy

Small Business Server Windows Firewall (appears faded which means the link is disabled, so that one is not getting applied)

If you delete those GPO's applied to the root of your domain, the settings they enforce will stop being enforced.

The other non Small Business Server GPO's don't appear to be applied anywhere that I can see. If they aren't, deleting them wouldn't cause problems. Then again, leaving them around not linked anywhere wouldn't cause any problems either & you could re-link them and/or update them to use again if you ever had the need.
0
 
LVL 2

Author Comment

by:Eric_Gennaoui
ID: 35008862
Thanks ManicD and devinnoel for your quick replies.

I unlinked all the Small Business* related GPOs from the root of my domain (see 2nd attachment) and ran a 'gpupdate /force', and it seems that the GPOs were applied successfully. So I will let them be and see if any issues occur before deleting them. Would the 'Group Policy Objects' (bottom part) be removed when deleting them?

As for the O.Us, I will wait and see if we still need them (if not, I will make sure they are empty) before proceeding with the removal.

So..bottom of the line is :

1. Unlink the GPOs and see if any issue occurs
2. If none, we can safely delete the GPOs
3. If everything is fine and they are empty, safely delete the O.U

Those 3 steps make sense right If I understood you guys correctly ?

Thanks
old-gpo-unlinked.jpg
0
 
LVL 8

Accepted Solution

by:
devinnoel earned 1200 total points
ID: 35008950
So..bottom of the line is :

1. Unlink the GPOs and see if any issue occurs
2. If none, we can safely delete the GPOs
3. If everything is fine and they are empty, safely delete the O.U

Those 3 steps make sense right If I understood you guys correctly ?

Pretty much, should work fine. I tend to keep old GPO's around just in case I find out I really needed them later if it was a really complex GPO, but you can always rebuild them. Might not hurt to back up the GPO's (right click on a GPO, select Backup, etc.) before you delete them, just in case.

If nothing is in an OU & there is no GPO applied it is safe to delete. OU's are pretty trivial to recreate if needed, so no real worries there. Even if a GPO is applied to an OU, you won't delete a GPO when you delete the OU, just the link. Be careful, if you delete an OU that has items in it (users, computers, sub-OU's) all objects in that OU will be deleted.

I have a couple small SBS domains in addition to the main domain I support that I'm finally consolidating & getting rid of. Despite the fact I never really used any of the SBS GPO's I never bothered deleting them just in case I needed them at some point & because they did no harm just sitting there unlinked.
0
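
The checks discussed in this thread (which GPOs are still linked and where, a backup before deletion, and whether an OU is empty and has no GPO linked) as a PowerShell example. It is added here and is not part of any poster's reply; it assumes a management host with the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 or RSAT) that can reach the domain, and the backup folder and OU distinguished name are placeholders.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$BackupPath = 'C:\GPOBackup'                  # placeholder: existing folder for backups
$OuDn       = 'OU=OldOU,DC=example,DC=local'  # placeholder: OU you are considering removing

# List each matching GPO with the containers it is still linked to.
function Get-GpoLinkReport {
    param([string]$NameFilter = 'Small Business Server*')
    Get-GPO -All | Where-Object { $_.DisplayName -like $NameFilter } | ForEach-Object {
        $gpo = $_
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        # LinksTo is absent when the GPO is linked nowhere; drop the resulting $null.
        $links = @($report.GPO.LinksTo | Where-Object { $_ })
        New-Object PSObject -Property @{
            Name          = $gpo.DisplayName
            Id            = $gpo.Id
            # An enabled link still applies settings; a disabled one shows faded in GPMC.
            ActiveLinks   = @($links | Where-Object { $_.Enabled -eq 'true' } |
                              ForEach-Object { $_.SOMPath })
            DisabledLinks = @($links | Where-Object { $_.Enabled -ne 'true' } |
                              ForEach-Object { $_.SOMPath })
        }
    }
}

# An OU is a deletion candidate only if nothing lives under it and no GPO is linked to it.
function Test-OuSafeToDelete {
    param([string]$DistinguishedName)
    $ou = Get-ADOrganizationalUnit -Identity $DistinguishedName
    # Subtree search returns the OU itself as well, so exclude it.
    $children = @(Get-ADObject -SearchBase $DistinguishedName -SearchScope Subtree -Filter * |
                  Where-Object { $_.DistinguishedName -ne $ou.DistinguishedName })
    $gpoLinks = @($ou.LinkedGroupPolicyObjects)
    New-Object PSObject -Property @{
        OU           = $ou.DistinguishedName
        ChildObjects = $children.Count
        LinkedGpos   = $gpoLinks.Count
        SafeToDelete = ($children.Count -eq 0 -and $gpoLinks.Count -eq 0)
    }
}

$report = @(Get-GpoLinkReport)
$report | Format-Table Name, ActiveLinks, DisabledLinks -AutoSize

# Back up every matching GPO before anything is deleted (nothing is deleted here).
$report | ForEach-Object { Backup-GPO -Guid $_.Id -Path $BackupPath -Comment 'Before cleanup' }

Test-OuSafeToDelete -DistinguishedName $OuDn
```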
 
LVL 2

Author Comment

by:Eric_Gennaoui
ID: 35009029
Ok, thanks for confirming my thoughts. I will then leave those GPOs (since your experience confirms they do no harm) as they are, but 'unlinked' only.

I will split the points between devinnoel and ManicD, but giving more points to devinnoel since his answers were more thorough.

Best Regards
0
