Group Policy Cleanup

    Question

  • I just started at a new company and am trying to straighten out GP issues. There are a number of objects under our domain that have no attached group policy objects. For example, there is one OU in AD where user accounts were created or moved to. That OU shows up in Group Policy Management under our domain, but nothing appears in the "Linked Group Policy Objects" tab. I'm assuming that someone linked a policy to it at one time and then later deleted it, leaving the object in GPM.

    I assume that this means there is no need for the object in GPM and it can be safely deleted with no impact. Is that a safe assumption?

    Wednesday, August 19, 2015 9:03 PM

Answers

  • Not a safe assumption!

    GPMC shows you the OUs etc. contained within ADDS. This is a view into the structure of your AD, and is the same as viewing in ADUC/ADAC (or any other tool).

    If you see an OU in GPMC, that is a view of exactly the same OU object in ADUC - just that GPMC shows you attributes and properties only relating to GP.

    If you were to delete that OU in GPMC (which I've never tried to do, myself), this would delete the OU from your AD, therefore also deleting that OU from the ADUC view.

    An OU does not *have* to be linked/scoped to a GPO. An OU may be inheriting a GP-Link from higher up in the structure; an example of that is the DDP, which is typically inherited by all OUs in a directory.

    In GPMC, ensure that you check for "Linked" GPO and also inherited GPO, on any given OU, to see the full picture.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Wednesday, August 19, 2015 9:26 PM
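
The check described in the answer above, as an added example that is not part of the original posts: a read-only PowerShell audit that lists every OU with no direct GPO link next to the GPOs it still inherits and the objects it contains. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the function name `Get-OuGpoPicture` is hypothetical.

```powershell
# Added example: read-only audit of OUs that show nothing on the
# "Linked Group Policy Objects" tab. Nothing here modifies AD.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules and read access to the domain.
Import-Module ActiveDirectory, GroupPolicy

function Get-OuGpoPicture {   # hypothetical helper name
    param(
        # Defaults to the whole domain; pass an OU distinguished name to narrow the scan.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
            -Properties ProtectedFromAccidentalDeletion |
        ForEach-Object {
            $ou  = $_
            # Scope-of-management view: direct links plus everything inherited from above.
            $som = Get-GPInheritance -Target $ou.DistinguishedName

            # Direct children only: users, computers, groups or child OUs held by this OU.
            $children = @(Get-ADObject -Filter * -SearchBase $ou.DistinguishedName `
                              -SearchScope OneLevel)

            [pscustomobject]@{
                OU                 = $ou.DistinguishedName
                DirectLinks        = @($som.GpoLinks).Count
                InheritedGpos      = ($som.InheritedGpoLinks.DisplayName -join '; ')
                InheritanceBlocked = $som.GpoInheritanceBlocked
                ChildObjects       = $children.Count
                DeleteProtected    = $ou.ProtectedFromAccidentalDeletion
            }
        }
}

# OUs with no direct link: still real AD containers, usually still receiving policy.
Get-OuGpoPicture |
    Where-Object { $_.DirectLinks -eq 0 } |
    Sort-Object OU |
    Format-Table -AutoSize -Wrap
```

A row with `DirectLinks` of 0 but a non-empty `InheritedGpos` or non-zero `ChildObjects` is an OU that is still in use, whatever the linked-objects tab shows.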

All replies

  • Thanks for the very quick response! I can't figure out why the related OU was ever created since it has no linked GPs and doesn't seem to serve any purpose other than mentally segmenting a group of users. I hate inheriting someone else's AD structure with no documentation!
    Wednesday, August 19, 2015 9:34 PM
  • OUs aren't created just for GPOs. It might be just as you're assuming: the OU you're referring to serves a purpose other than GPO deployment.
    Thursday, August 20, 2015 3:48 AM