
Feb 2023

Go and Get Rid of those Old Group Policies that are no Longer Used

Many people have a hard time parting with stuff. That’s why the self-storage industry is so successful regardless of what the economy is doing. Just as a lot of the stuff contained in storage units will never be used again, there are probably some unused group policies that are still lingering on your servers taking up space and creating unnecessary clutter. A couple of good examples are GPOs that have settings disabled or are no longer linked to anything.

You can disable/enable settings for any GPO in the Details tab in Group Policy Management Console. As shown below, you can disable computer configuration settings, user configuration settings, or all settings configured within the GPO.

Keep in mind that it’s best practice to only configure settings for one side or the other. A GPO that is configured on both sides should be split into two separate GPOs in the first place. Therefore, there’s no need to have one side disabled as shown below.

Disabling both sides of a GPO means that the GPO is essentially doing nothing. If these settings are no longer required, then they should be decommissioned entirely by deleting the GPO.

If you have a well-designed AD with a well-defined OU structure, you need only link your GPOs to an applicable OU and assign it to the Authenticated Users group. This makes security filtering easy and straightforward. Unlinking a GPO is the same as turning it off for a designated OU. A GPO that isn’t linked anywhere is probably one that is no longer needed, such as the GPO shown in the screenshot below. In this case, this GPO could probably be decommissioned entirely.

There are some exceptions, however. For instance, you may use some GPOs for testing purposes that are only used for brief periods. You also may have some GPOs you only want turned on at various times of the year. An example might be a school system that enacts certain policies at the start or close of the school year only.

Remember that to delete a GPO, you must do so from the Group Policy Objects node, where you can view all your GPOs in alphabetical order. Right-clicking on a GPO link will only delete the link itself, not the GPO. Before you delete any GPO, make sure you have a backup of it just in case you find out down the road that you really do need that policy for something.
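The checks described above can be run as one report. The script below is an added example, not part of the original post. It assumes the GroupPolicy module (installed with GPMC/RSAT) and a backup folder of `C:\GPOBackups`, which is a placeholder path. It lists GPOs that have all settings disabled or have no links, backs each one up, and deletes nothing.

```powershell
# Added example: report GPO cleanup candidates and back them up. Nothing is deleted.
Import-Module GroupPolicy

$BackupPath = 'C:\GPOBackups'   # assumed location; change to suit your environment
if (-not (Test-Path $BackupPath)) {
    New-Item -ItemType Directory -Path $BackupPath | Out-Null
}

$candidates = foreach ($gpo in Get-GPO -All) {
    # The XML report has one <LinksTo> element per place the GPO is linked.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $linkCount = @($report.GPO.LinksTo | Where-Object { $_ }).Count

    $reasons = @()
    if ($gpo.GpoStatus -eq 'AllSettingsDisabled') { $reasons += 'All settings disabled' }
    if ($linkCount -eq 0)                         { $reasons += 'Not linked anywhere' }

    if ($reasons) {
        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            GpoStatus   = $gpo.GpoStatus
            Links       = $linkCount
            Modified    = $gpo.ModificationTime
            Reason      = $reasons -join '; '
        }
    }
}

# Review this list by hand: test GPOs and seasonal GPOs will also appear here.
$candidates | Sort-Object DisplayName | Format-Table -AutoSize

# Take a backup of every candidate before anything is removed in GPMC.
foreach ($c in $candidates) {
    Backup-GPO -Guid $c.Id -Path $BackupPath -Comment "Pre-cleanup: $($c.Reason)" |
        Select-Object DisplayName, Id, BackupDirectory
}
```

A GPO restored from one of these backups with `Restore-GPO` comes back with its settings but not its links, so record where a GPO was linked if you may need to reinstate it.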

