How to remove created GPO from AD and from client Computers

Question

How to remove created GPO from AD and from client Computers

PerserPolis-1732 1,971

Hi,

I have created many GPOs( for example : local Admin right, RDP right) on my AD windows server 2019 and deploy it to many Clients.

Now I have to remove all these created GPOs from AD and from All Windows Client machines.

I want to remove these GPOs safely and without residue.

How can I do that efficiency?

With PW script or create a remove GPO?

Regards

2 answers

Your answer

Answer 1

Marten Theunissen 676

Hi,

I propose a 2 step task here.

Back up Group Policy Objects (GPOs) before deletion is a crucial step to ensure you can restore them if needed. Here are the steps to back up GPOs using both the Group Policy Management Console (GPMC) and PowerShell:

Using Group Policy Management Console (GPMC)

Open GPMC:

Open the Group Policy Management Console by typing gpmc.msc in the Run dialog (Win + R).

Navigate to Group Policy Objects:

In the left pane, expand your domain and navigate to "Group Policy Objects."

Backup All GPOs:

Right-click "Group Policy Objects" and select "Back Up All."

In the "Back Up Group Policy Object" dialog box, enter the path to the location where you want to store the GPO backups and enter a description.

Click "Back Up" to start the backup process1.

Using PowerShell

Open PowerShell:

Open PowerShell with administrative privileges.

Backup Specific GPO:

Use the following command to back up a specific GPO:

Backup-GPO -Name "GPOName" -Path "C:\GpoBackups" -Comment "Backup before deletion"

Backup All GPOs:

Use the following command to back up all GPOs in the domain:

Backup-GPO -All -Path "C:\GpoBackups"

PART 2

Removing and disabling all Group Policy Objects (GPOs) from a network can be done using the Group Policy Management Console (GPMC) or PowerShell. Here are the steps for both methods:

Using Group Policy Management Console (GPMC)

Open GPMC:

Open the Group Policy Management Console by typing gpmc.msc in the Run dialog (Win + R).

Navigate to Group Policy Objects:

In the left pane, expand your domain and navigate to "Group Policy Objects."

Select Multiple GPOs:

In the right pane, you can select multiple GPOs by holding down the Ctrl key and clicking on each GPO you want to delete.

Alternatively, you can select a range of GPOs by holding down the Shift key and clicking the first and last GPO in the range.

Delete Selected GPOs:

Right-click on the selected GPOs and choose "Delete."

Using PowerShell

Open PowerShell:

Open PowerShell with administrative privileges.

List All GPOs:

Use the following command to list all GPOs:

Get-GPO -All

Delete Specific GPOs:

Use the following command to delete specific GPOs by their names:

Remove-GPO -Name "GPOName1"

Remove-GPO -Name "GPOName2"

Delete Multiple GPOs in a Loop:

If you have a list of GPO names, you can delete them in a loop:

$gpoNames = @("GPOName1", "GPOName2", "GPOName3")

foreach ($gpoName in $gpoNames) {

Remove-GPO -Name $gpoName
```}

Disabling GPOs

Open GPMC:

Open the Group Policy Management Console by typing gpmc.msc in the Run dialog (Win + R).

Navigate to Group Policy Objects:

In the left pane, expand your domain and navigate to "Group Policy Objects."

Disable GPOs:

Right-click on the GPO you want to disable and select "GPO Status" > "All Settings Disabled."

PerserPolis-1732 1,971 Reputation points

2025-03-24T12:03:08.4666667+00:00

Hi,

first one:

I cannot select by holding down the Ctrl key and clicking on each GPO you want to delete.

two:

your steps means, I delete all the GPOs.

But on the Client machines remain intact.

For example:

I have created a group named "ADLOCALLY" and that group includes many users or client machines

for that Group I have created a GPO named "LOCAL".

On the Client machines (User and Groups-->Groups) are appearing "LOCAL"

Now if I delete the GPO "LOCAL", it will not remove automatically that GPO from client machines.

and do not delete the group named "ADLOCALLY" from AD
Marten Theunissen 676 Reputation points

2025-03-24T12:13:46.3566667+00:00

Great Question,

I would propose you do RSoP to confirm GPO settings.

Back up the GPO's

Disable each GPO one by one to control disruption by using RSoP reports to manage impact.

When GPO's are disabled/deleted all the configuration and automation they were responsible for in the domain is also removed and reversed. This will take a considerable amount of time to replicate and enforce to all clients and servers.

make and affect to understand what policies and configurations were enabled with the gpo's prior to disabling. If required NEEDED setting should be added to default domain policies.

https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/agpm/deleting-restoring-or-destroying-a-gpo-agpm40

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpod/86f82a09-5c0c-4240-a971-6317d556ab45

Effects of Deleting a GPO

Policy Removal:

The settings enforced by the GPO are no longer applied to the users or computers it targeted. This means any configurations, restrictions, or permissions set by the GPO will revert to their previous state or default settings1.

Tattooing:

Some settings may become "tattooed," meaning they remain in effect even after the GPO is deleted. This can happen with settings that directly modify system files or registry entries2.

Reversion to Previous State:

If a setting was manually configured before the GPO was applied, deleting the GPO will revert the setting to its previous state1.

Recycle Bin:

In environments using Advanced Group Policy Management (AGPM), deleted GPOs are moved to the Recycle Bin, allowing for restoration if needed3.

Considerations

Unlinking vs. Deleting:

It is often better to unlink a GPO from an Organizational Unit (OU) rather than deleting it. Unlinking stops the GPO from applying without permanently removing it, allowing for easier reversion if needed1.
PerserPolis-1732 1,971 Reputation points

2025-03-24T12:28:08.0333333+00:00

Hi,

Sorry, I am not sure, but I thing your method will be remain many GPOs on the client machines and all the groups or OUs I have created for GPOs, will not delete.

The groups and OUs I have created for my GPOs should be deleted before or after disabling or deleting the GPOs?

If you delete easy the GPO from AD, you see the client the following SIDs

It means, you have deleted easy the GPOs and you see on the client machine still these entries
Marten Theunissen 676 Reputation points

2025-03-24T12:38:59.2533333+00:00

Sure you will see SID's like these if they're unreferenced and also you replication is not working this could occur.

What is your objective by deleting and removing these GPO's and Groups? Why and what is the expectation for deleting them?

If you are just needing the guidance and steps, those are in the MS links above.
PerserPolis-1732 1,971 Reputation points

2025-03-24T13:33:22.89+00:00

These are all the old GPOs and we dont need these and we have ISO 27000 and we have to delete it

Answer 2

Hello PerserPolis-1732,

Thank you for posting in Q&A forum.

Here is some other information for your references.

1.Deleting or removing or disabling GPO objects via Group Policy Management will make the client machines do not apply the group policy settings (except security setting policies) within these GPO objects after the group policy refresh on client machines (For computer configuration, the group policy will refresh when you restart the machines. For user configuration, the group policy will refresh when you sign out and sign in the domain accounts. And the group policy will update automatically after by default 90-120 minutes in the backgroup), it will not remove the AD domain accounts or AD groups.

Background Refresh of Group Policy

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/Policy/background-refresh-of-group-policy

2.If you want to remove or delete AD domain accounts and AD groups. You can open Active Directory Users and Computers, and find the domain accounts and domain groups, then delete them.

Please note: Please back up the Domain Controllers using built-in Windows server backup tool one by one (if you do not have recent Domain Controller backups). Or if you have enabled Recycle Bin on domain controller, you can restore the deleted AD objects if you still want them.

Enable and use Active Directory Recycle Bin

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/active-directory-recycle-bin?tabs=adac

3.Security settings can persist even if a setting is no longer defined in the policy that originally applied it.

User's image

Security policy settings

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/security-policy-settings#persistence-of-security-settings-policy

4.You can also check the group policy result that applied on client machines by the steps below.

For checking Computer Configuration within gpresult, we can follow steps below.

Logon this machine using administrator account.

Open CMD (run as Administrator).

Type gpresult /h C:\gpo.html and click Enter.

Open gpo.html and check gpo setting under "Computer Details".

For checking User Configurations within gpresult, we can follow steps below.

Logon the machine using normal domain user account (that applies this gpo).

Create a folder named F1 in C drive.

Open CMD (do not run as Administrator).

Type gpresult /h C:\F1\gpo.html and click Enter.

Open gpo.html and check gpo settings under "User Details".

I hope the information above is helpful.

If you have any questions or concerns, please feel free to let us know.

Best Regards,

Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Share via

How to remove created GPO from AD and from client Computers

2 answers

Your answer