Group Ploicy Tidy Up

[Stephen3rd]

Folks,

Over the past 6 years or so the number of GPO's within my domain has grown
to quite a number. Now the majority of these are now defunct and obselete.

What is the recommended method to strip GP back to its bare bones?

Can i just delete the GPO's themselves or do i have to reset all setings
within each GPO and let them take effect?

 

[Florian Frommherz [MVP]]

Howdie!

Over the past 6 years or so the number of GPO's within my domain has grown
to quite a number. Now the majority of these are now defunct and obselete.

What is the recommended method to strip GP back to its bare bones?

I've seen a few approaches but most of them come down to the basic steps
that you surely thought about yourself:

- document all policies in place
- get an overview of what policy are still needed and where redundancy
is in place (multiple policies linked to OUs, subOUs, ... that all
implement the same)
- check what policies you need to have in place and create a new
structure that reflects your needs in combination with the policies
already in place.

RSOP.MSC can be of great help here. Depending on how large your AD and
the GP usage is, I'd go OU-tree for OU-tree and see how you can
"enlighten" the GPs to get your things sorted.

Can i just delete the GPO's themselves or do i have to reset all setings
within each GPO and let them take effect?

Just deleting the policies is dangerous as not all policies are
automatically reverted to the "standard" behavior. Things that are not
set back are some/most of the custom ADM templates that you imported and
applied, Security Settings and customization of Windows Services, NTFS
permissions and Software Installation.

cheers,

Florian