Solved

Delete unused "domain controllers Policy" Group Policy

Posted on 2015-01-03
Last Modified: 2015-01-04
I'm migrating from an old Windows 2003 server to Windows 2012R2. I noticed errors on the domain controllers when I looked at Event Viewer. It looks to be the policies that were created when the domain was run on Windows 2000 servers. I'm assuming the previous admin never transferred over the policy. It's not listed in the SysVOL/domain.local/policies folder. Since the policy is not being applied to any domain controllers since it can't be located, is it safe to delete without any issues?
Feel like I'm answering my own question, but better safe than sorry.
Question by:AfternoonShift
4 Comments
 

Assisted Solution

by:Craig Beck
Craig Beck earned 25 total points
ID: 40530258
If you're referring to the "Default Domain Controllers Policy" GPO, that policy is a built-in policy - it can't be migrated or deleted.  When you migrate to a new version of server (or update the schema in some cases) the new schema will dictate what's in that policy.

Accepted Solution

by:
dan_blagut earned 250 total points
ID: 40530303
Hello

If you want, that GPO can be restored by using the dcgpofix command:
http://technet.microsoft.com/en-us/library/hh875588.aspx
It is better to have this built-in GPO empty than to delete it and perturb the domain.
Dan

Assisted Solution

by:Mahesh
Mahesh earned 225 total points
ID: 40530342
If the policies are not listed under the sysvol policies folder, they are probably orphaned policies.

I believe it is not the default domain policy OR default domain controller policy you are talking about; there is no need to delete these default policies.

You can download the GPMC sample scripts and install them.
Within that there is a scripts folder, and underneath that a script to find orphaned GPOs.
Run that script before deleting any outdated GPOs from AD:
http://www.microsoft.com/download/en/confirmation.aspx?id=14536

If you have a 2008 R2 or above DC, you can run the PowerShell script below to find orphaned GPOs, which you can safely remove:
http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807
0
 

Author Comment

by:AfternoonShift
ID: 40530528
Thanks guys for the replies! They were all very helpful.

I ended up running the PS script on my 2012R2 DC and I saw it was listed as orphaned. It does match the one that was in my AD OU (Domain Controllers Folder). Instead of removing it, I used the "DCGPOFix /ignoreschema /target:DC" command. I can now view the policy and it recreated the policy under the /sysvol/domain.local/policies folder.
0
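One way to do the AD-versus-SYSVOL comparison discussed in this thread, as an added example that is not code from any poster or from the linked scripts. The function name `Compare-GpoStore`, the action labels and the sample data are constructed for illustration; the two built-in GPO GUIDs are the well-known fixed values, and the live queries in the trailing comments assume the ActiveDirectory module on a DC.

```powershell
# Well-known GUIDs of the two built-in GPOs: repair these with dcgpofix, do not delete them.
$BuiltInGpo = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04FB984F9}' = 'Default Domain Controllers Policy'
}

function Compare-GpoStore {
    # Hypothetical helper: classify every GPO GUID found in AD or under SYSVOL\...\Policies.
    param(
        [object[]]$AdGpo,        # objects with Name ({GUID}) and DisplayName
        [string[]]$SysvolFolder  # folder names found under the Policies share
    )
    $ad = @{}   # hashtable literals compare string keys case-insensitively
    foreach ($g in $AdGpo) { $ad[$g.Name.ToUpperInvariant()] = $g.DisplayName }
    $fs = @{}
    foreach ($f in $SysvolFolder) {
        # Keep only {GUID}-named folders; skips PolicyDefinitions and similar.
        if ($f -match '^\{[0-9A-F-]{36}\}$') { $fs[$f.ToUpperInvariant()] = $true }
    }
    foreach ($guid in (@($ad.Keys) + @($fs.Keys) | Sort-Object -Unique)) {
        if ($ad.ContainsKey($guid) -and $fs.ContainsKey($guid)) { $state = 'Consistent' }
        elseif ($ad.ContainsKey($guid)) { $state = 'MissingInSysvol' }
        else { $state = 'MissingInAD' }

        if ($state -eq 'Consistent') { $action = 'None' }
        elseif ($BuiltInGpo.ContainsKey($guid)) { $action = 'Repair with dcgpofix' }
        else { $action = 'Review and back up before removing' }

        [pscustomobject]@{ Guid = $guid; DisplayName = $ad[$guid]; State = $state; Action = $action }
    }
}

# Constructed sample mirroring the thread: the built-in DC policy is in AD but has no SYSVOL folder.
$sampleAd = @(
    [pscustomobject]@{ Name = '{31B2F340-016D-11D2-945F-00C04FB984F9}'; DisplayName = 'Default Domain Policy' }
    [pscustomobject]@{ Name = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'; DisplayName = 'Default Domain Controllers Policy' }
)
$sampleSysvol = @('{31B2F340-016D-11D2-945F-00C04FB984F9}', '{11111111-2222-3333-4444-555555555555}', 'PolicyDefinitions')
Compare-GpoStore -AdGpo $sampleAd -SysvolFolder $sampleSysvol | Format-Table -AutoSize

# Live input on a DC (read-only queries):
# $dom   = Get-ADDomain
# $adGpo = Get-ADObject -SearchBase "CN=Policies,CN=System,$($dom.DistinguishedName)" `
#              -Filter 'objectClass -eq "groupPolicyContainer"' -Properties displayName
# $dirs  = (Get-ChildItem "\\$($dom.DNSRoot)\SYSVOL\$($dom.DNSRoot)\Policies" -Directory).Name
# Compare-GpoStore -AdGpo $adGpo -SysvolFolder $dirs
```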
