Delete unused "domain controllers Policy" Group Policy

Posted on 2015-01-03
Medium Priority
Last Modified: 2015-01-04
I'm migrating from an old Windows 2003 server to Windows 2012R2. I noticed errors on the domain controllers when I looked at Event Viewer. It looks to be the policies that were created when the domain was run on Windows 2000 servers. I'm assuming the previous admin never transferred over the policy. It's not listed in the SYSVOL/domain.local/policies folder. Since the policy is not being applied to any domain controllers (it can't be located), is it safe to delete without any issues?
I feel like I'm answering my own question, but better safe than sorry.
Question by:AfternoonShift
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 100 total points
ID: 40530258
If you're referring to the "Default Domain Controllers Policy" GPO, that policy is a built-in policy - it can't be migrated or deleted.  When you migrate to a new version of server (or update the schema in some cases) the new schema will dictate what's in that policy.
LVL 22

Accepted Solution

dan_blagut earned 1000 total points
ID: 40530303

If you want, that GPO can be restored by using the dcgpofix command.
It is better to have this built-in GPO empty than to delete it and perturb the domain.
LVL 40

Assisted Solution

Mahesh earned 900 total points
ID: 40530342
If the policies are not listed under the SYSVOL Policies folder, they are probably orphaned policies.

I believe these are not the Default Domain Policy or the Default Domain Controllers Policy you are talking about; there is no need to delete these default policies.

You can download the GPMC sample scripts and install them.
Within that there is a Scripts folder, and underneath that a script to find orphaned GPOs.
Run that script before deleting any outdated GPOs from AD.

If you have a 2008 R2 or above DC, you can run the PowerShell script below to find orphaned GPOs, which you can safely remove.
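An added example, not the script the answer refers to and not one of the GPMC sample scripts: it compares the groupPolicyContainer objects in AD with the {GUID} folders in SYSVOL and reports both directions of mismatch. It assumes the RSAT ActiveDirectory module, a domain-joined machine, and read access to the SYSVOL share.

```powershell
# Added example: find GPOs whose AD object and SYSVOL folder do not match.
# Assumes the RSAT ActiveDirectory module and read access to SYSVOL.
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$policiesDn   = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$policiesPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"

# Well-known GUIDs of the two built-in GPOs: repair these with dcgpofix, do not delete them
$builtIn = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04FB984F9}' = 'Default Domain Controllers Policy'
}

# AD side: the CN of each groupPolicyContainer is the {GUID}; displayName is the friendly name
$adGpos = @{}
Get-ADObject -SearchBase $policiesDn -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName |
    ForEach-Object { $adGpos[$_.Name.ToUpper()] = $_.displayName }

# SYSVOL side: only {GUID}-named folders count (PolicyDefinitions and the like are ignored)
$sysvolGpos = Get-ChildItem -Path $policiesPath -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-F-]{36}\}$' } |
    ForEach-Object { $_.Name.ToUpper() }

$report = @()
foreach ($guid in $adGpos.Keys) {
    # Object in AD but no Group Policy Template in SYSVOL: clients cannot read it, so it never applies
    if ($sysvolGpos -notcontains $guid) {
        $action = if ($builtIn.ContainsKey($guid)) { 'Recreate with dcgpofix' } else { 'Check links, then remove in GPMC' }
        $report += [pscustomobject]@{ Guid = $guid; Name = $adGpos[$guid]; State = 'In AD, missing from SYSVOL'; Action = $action }
    }
}
foreach ($guid in $sysvolGpos) {
    # Folder in SYSVOL but no AD object: nothing can link to it, it is leftover data
    if (-not $adGpos.ContainsKey($guid)) {
        $report += [pscustomobject]@{ Guid = $guid; Name = '(no AD object)'; State = 'In SYSVOL, missing from AD'; Action = 'Review folder contents, then remove' }
    }
}
$report | Format-Table -AutoSize
```

Run it on a domain controller or any domain member with RSAT; an empty table means AD and SYSVOL agree.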

Author Comment

ID: 40530528
Thanks guys for the replies! They were all very helpful.

I ended up running the PS script on my 2012R2 DC and I saw it was listed as orphaned. It does match the one that was in my AD OU (Domain Controllers folder). Instead of removing it, I used the "DCGPOFix /ignoreschema /target:DC" command. I can now view the policy, and it recreated the policy under the /sysvol/domain.local/policies folder.
