GPO Cleanup: The Definitive Guide

by Robert Allen

This is a step-by-step guide to cleaning up group policy. In this guide, I’ll show you how to review your GPOs to determine whether they can be deleted.

GPO Cleanup Steps:

Note: In this guide, I’ll be using the group policy reports from the AD Pro Toolkit. This tool makes it very easy to generate a report on all GPOs and their settings. You can also use PowerShell and the Group Policy Management Console to create a report, but it will take additional steps.

Step 1. Create a Spreadsheet

Yuck, not another spreadsheet. I know, but it’s a simple spreadsheet that helps you easily identify GPOs that can potentially be removed.

If you are not using the AD Pro Toolkit you can manually create a spreadsheet with these headings:

  • GPO Name
  • Location
  • Status
  • UserVersion
  • ComputerVersion
  • WMI Filter
  • Security Filtering

Using the toolkit, select Reports -> All GPOs and click Run. Next, click Export to CSV.

all gpo report

This will create a spreadsheet of all your GPOs and several settings that we will use for the cleanup process.

gpo report excel

Step 2. Backup GPOs

Before you make any changes to your GPOs you should back them up.

You need to be able to restore a GPO as quickly as possible in case something breaks after the cleanup process. Refer to the backup GPO guide for steps.

Step 3. How to Find Disabled GPOs (AllSettingsDisabled)

Disabled GPOs are ones that have their status set to “All settings disabled”. This means the GPOs are doing nothing. Even if the GPO is linked to a site, domain, or OU, the GPO is not applying any settings.

In the spreadsheet, I’m going to highlight in orange any GPOs that have the status set to “AllSettingsDisabled”. I’ll highlight the relevant setting in yellow so I can easily see why the GPO is marked.

disabled gpos

You can see above I have two GPOs “PSRemoting” and “FIPS” that are disabled.

Alternatively, you can list all disabled GPOs by running the “All settings disabled GPOs” report.

In the Group Policy Management Console (GPMC), you will need to open each GPO, click the Details tab, and look at the GPO Status.

Step 4. How to Find Unlinked GPOs

Unlinked GPOs are not linked to any site, domain, or OU, so they are not currently in use. It’s possible an administrator created the GPO but never linked it, or used it and then deleted the link. Whatever the case, unlinked GPOs are not doing anything right now.

In the spreadsheet, unlinked GPOs have the location field blank.

unlinked gpos

You can see above that I have several unlinked GPOs.

To find unlinked GPOs in the GPMC, you would need to click on each GPO and look at the Location box on the Scope tab.

Alternatively, use the toolkit’s All GPOs report and review the ones that have nothing in the Location column. With the AD Pro Toolkit, I can also just filter the Location column to display only the GPOs where it is blank.

Step 5. How to Find Empty GPOs

Empty GPOs are group policy objects that have no policy settings. Each time a GPO is modified, the UserVersion or ComputerVersion is incremented. If you create a new GPO and do not modify any settings, both versions will be 0. You want to find all GPOs that have both the UserVersion and ComputerVersion set to 0.

In the spreadsheet, I’ve found three GPOs that are empty.

empty gpos

In the GPMC, you would need to open each GPO and click the Details tab to see the user and computer version.

Step 6. Check GPO WMI Filter

Next, review any GPO that is using a WMI filter. A GPO WMI filter is used to target specific devices; for example, you may want to apply a GPO only to computers running Windows 10.

You may have some GPOs that use a WMI filter that is no longer needed. For example, this filter only targets Windows 10 computers that are 32-bit.

gpo wmi filter

I don’t have any 32-bit systems in my network, so this GPO is not being used. I’ll highlight this on the spreadsheet. For any GPO that has a WMI filter, you will need to review the WMI query to determine if it is still valid.

In the GPMC, you can see which GPOs have a WMI filter set by clicking on “Group Policy Objects” and looking at the WMI Filter column.

Step 7. Review GPO Security Filtering

The last GPO setting to review is security filtering. By default, GPOs can be processed by the Authenticated Users group. If someone has replaced that with a specific group or user in the security filtering, this limits the scope of the GPO.

For example, I have two GPOs that have something other than “Authenticated Users”. I’ll mark these on the spreadsheet and review them.

gpo security filtering

In the above example, the group “gpo_apply_block_control_panel” is configured, but when I review the group it has no members. Looking at the GPO’s delegation permissions, Authenticated Users do not have “Apply group policy” checked. This means only members of the “gpo_apply_block_control_panel” group can process the GPO. Because the group has no members, the GPO is not being used.

Step 8. Review and Cleanup GPOs

Important: Don’t forget to back up your GPOs before deleting them.

If you completed all the above steps you should now have a spreadsheet like below with a list of GPOs that can potentially be deleted. The next step is to review the spreadsheet with your team and then get approval to remove them.

To recap here is what you should review for each GPO:

  • Location = blank – These GPOs are not in use because they are not linked to any domain objects.
  • Status = AllSettingsDisabled – These GPOs have both the user and computer configuration disabled, so no policy settings apply.
  • UserVersion and ComputerVersion = 0 – These are empty GPOs. Someone created a GPO but did not configure any settings.
  • Review WMI Filter – Check GPOs that have a WMI filter configured. A WMI filter limits which devices can apply the GPO, and the query may no longer match anything in your environment.
  • Security Filtering – Security filtering can limit which users or computers can process a GPO. It’s very easy to modify this and prevent a GPO from working.
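If you are not using the toolkit, the same spreadsheet from Step 1 and the checks from Steps 3 through 7 can be produced with the RSAT GroupPolicy module. The script below is an added example, not code from the post or from the AD Pro Toolkit; it assumes the GroupPolicy module is installed, that you have read access to the domain, and it writes to a CSV path of my choosing. It is read-only and deletes nothing.

```powershell
# Added example: build the GPO cleanup spreadsheet and flag review candidates.
# Assumes RSAT GroupPolicy module and domain read access. Read-only.
Import-Module GroupPolicy

$rows = foreach ($gpo in Get-GPO -All) {
    # Links are only exposed in the GPO's XML report (<LinksTo>); none = unlinked
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })

    # Trustees holding "Apply group policy" are the security filtering scope
    $apply = @(Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name })

    $wmi = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '' }

    $flags = @()
    if ($gpo.GpoStatus -eq 'AllSettingsDisabled') { $flags += 'Disabled' }   # Step 3
    if ($links.Count -eq 0)                        { $flags += 'Unlinked' }   # Step 4
    if ($gpo.User.DSVersion -eq 0 -and $gpo.Computer.DSVersion -eq 0) {
        $flags += 'Empty'                                                      # Step 5
    }
    if ($wmi) { $flags += 'ReviewWMI' }                                        # Step 6
    # Anything other than exactly "Authenticated Users" (including nobody) needs a look
    if ($apply.Count -ne 1 -or $apply[0] -ne 'Authenticated Users') {
        $flags += 'ReviewSecFilter'                                            # Step 7
    }

    [pscustomobject]@{
        'GPO Name'           = $gpo.DisplayName
        Location             = ($links -join '; ')
        Status               = $gpo.GpoStatus
        UserVersion          = $gpo.User.DSVersion
        ComputerVersion      = $gpo.Computer.DSVersion
        'WMI Filter'         = $wmi
        'Security Filtering' = ($apply -join '; ')
        Flags                = ($flags -join ',')
    }
}

# Same columns as the Step 1 spreadsheet, plus a Flags column to highlight
$rows | Export-Csv -Path .\gpo-cleanup.csv -NoTypeInformation -Encoding UTF8
$rows | Where-Object Flags | Format-Table 'GPO Name', Status, Location, Flags -AutoSize
```

Flagged rows are candidates for review, not for automatic deletion: a GPO whose settings were added and later removed keeps a version above 0, and a WMI or security filter still has to be checked by hand as described above.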

Summary

Cleaning up group policy is not a simple process. It takes multiple steps to review each GPO and determine whether it is still valid. The AD Pro Toolkit helps with the cleanup process by creating a simple report of all your GPOs and their status settings. If you are not using the toolkit, you can still use PowerShell or the GPMC to manually review each GPO. It will take more steps, but it still works.

Recommended Tools

  • AD Cleanup Tool - Find stale and inactive user and computer accounts in Active Directory. Export, disable, move or delete the stale accounts to increase security.
  • AD User Creation Tool - Bulk import or update Active Directory user accounts. Add users to groups, import into OUs, set multiple attributes and more.
  • NTFS Permissions Tool - Scan and audit NTFS folder permissions. See which users and groups have access to what.
  • AD Reporting Tool - Over 200 reports on users, computers, groups, OUs and more. Customize reports or create your own reports with the report builder.
