GPO Deletion Issue

Hey Experts,

I have a group policy problem. Our setup is a single domain and there are two group policies that will not delete. They produce the same error: "The directory service can perform the requested operation only on a leaf object."

They are not tied to another domain, they have no child/dependent policies, they are not linked to any OUs, I've tried deleting with domain admin credentials (that's our highest permissions), I've tried PowerShell commands. I've read that it is possibly a corrupted GPO permission(s), but nothing has worked. Any ideas are helpful, thanks!
-Garren-Asked:
Will Szymkowski, Senior Solution Architect, Commented:
What I would try is to open c:\windows\sysvol\sysvol\domain.com\policies

Find the Group Policy GUID that is giving you the issues. Check the Security Settings and make sure that everything is good from a security perspective.

Try deleting the GPO from this directory and if successful this will replicate to the other DCs and update the GPOs.

Make sure that you do this on the DC holding the PDC role.

Will.

zalazar Commented:
Apart from deleting the GPO directory from the C:\Windows\SYSVOL\sysvol\domain.com\Policies as Will suggested, you also have to delete the GUID object from AD to prevent an orphaned GPO.
You can do that by opening adsiedit.msc, connecting to the "Default naming context" and selecting the same domain controller as where you deleted the directory.
Then go to DC=domain,DC=com, System\Policies
Look up the correct GUID and delete this object.
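
A read-only check for the orphaned-GPO condition described above, as an added example that is not part of the original thread: it compares the GUID folders in SYSVOL with the GUID objects under System\Policies and reports any GUID that exists on one side only. The function names `Compare-GpoStore` and `Get-GpoStoreMismatch` are hypothetical, and the live wrapper assumes the ActiveDirectory module and the standard `\\<DC>\SYSVOL\<domain>\Policies` share path.

```powershell
# Added example: report GPO GUIDs present in only one of the two stores.
function Compare-GpoStore {
    param(
        [string[]]$SysvolNames,  # folder names under ...\Policies
        [string[]]$AdNames       # names of groupPolicyContainer objects
    )
    # Only {GUID}-named entries are GPOs; this skips e.g. PolicyDefinitions.
    $guid = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
    $sys = @($SysvolNames | Where-Object { $_ -match $guid } | ForEach-Object { $_.ToUpperInvariant() })
    $ad  = @($AdNames     | Where-Object { $_ -match $guid } | ForEach-Object { $_.ToUpperInvariant() })
    foreach ($g in @($sys + $ad | Sort-Object -Unique)) {
        $inSys = $sys -contains $g
        $inAd  = $ad  -contains $g
        if ($inSys -and $inAd) { continue }   # consistent on both sides
        [pscustomobject]@{
            Guid  = $g
            State = if ($inAd) { 'AD object without SYSVOL folder' } else { 'SYSVOL folder without AD object' }
        }
    }
}

# Live wrapper. Assumes the ActiveDirectory (RSAT) module and read access to
# the SYSVOL share; queries the PDC emulator unless another DC is named.
function Get-GpoStoreMismatch {
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    $domain  = Get-ADDomain -Server $Server
    $folders = Get-ChildItem -LiteralPath "\\$Server\SYSVOL\$($domain.DNSRoot)\Policies" -Directory
    $objects = Get-ADObject -Server $Server -SearchScope OneLevel `
        -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
        -Filter 'objectClass -eq "groupPolicyContainer"'
    Compare-GpoStore -SysvolNames $folders.Name -AdNames $objects.Name
}

# Constructed sample data (not from the thread): the second GUID was removed
# from SYSVOL only, which is the orphan the thread warns about.
$sysvol = '{11111111-1111-1111-1111-111111111111}', 'PolicyDefinitions'
$ad     = '{11111111-1111-1111-1111-111111111111}', '{22222222-2222-2222-2222-222222222222}'
Compare-GpoStore -SysvolNames $sysvol -AdNames $ad
```

Running `Get-GpoStoreMismatch` against the same domain controller before and after a manual cleanup shows whether both the folder and the directory object are gone.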
-Garren-, Author, Commented:
That worked, thanks!
zalazar Commented:
Good to hear that it's solved. You're welcome.
Will Szymkowski, Senior Solution Architect, Commented:
What was the resolution? No Split points?

Will.
-Garren-, Author, Commented:
Hey Will,

I submitted the answer too quickly and immediately realized I had not given you split credit. As that's important to the community, I've submitted it to a moderator to be amended, unless there is a quicker way that you're aware of. Thank you again for your input! It is greatly appreciated.
zalazar Commented:
I can see why you ask for a split, and it's fine with me, but on the other hand your answer was not complete, and if executed that way it would have left an orphaned GPO.
zalazar Commented:
Hi Garren, would it be possible to split as proposed?
Thank you very much in advance.