Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows 2003
    - Admin Tips
      - Active Directory
        Preventing Orphaned GPO’s

Section(s): Active Directory
Published on Jun 13, 2007.
Last Modified on Jun 13, 2007.
Last Modified by Chris Sanders.
Rated 3 out of 5 based on 1 votes.

When you remove a computer from a domain there are a few steps you should take to ensure that its GPO settings are removed properly as well.

There are various different reasons why you might want to remove a computer from a domain within your network. Regardless of the reason, you have to be careful that you take notice of group policy being applied to the computer in order to prevent “orphaned” GPO’s.

An orphaned GPO is the result of what happens when you remove a computer from a domain without removing its applied Group Policy Objects. In order to prevent this from happening, it is a good idea to first move the computer in Active Directory into an OU that has no GPO’s applied to it before removing it from the domain completely. It is also a good idea to make sure that this OU is blocking policy inheritance from OU’s above it. Doing this will completely ensure that you all group policy settings are removed from the computer in question.

***

Chris Sanders is the network administrator for one of the largest public school systems in the state of Kentucky. Chris's specialties include general network administration, windows server 2003, wireless networking, and security. You can view Chris' personal website at www.chrissanders.org.

About Chris Sanders

Chris Sanders is a network security analyst for EWA Government Systems Inc. Chris is the author of the book Practical Packet Analysis as well as several technical articles. His personal website at www.chrissanders.org contains a great deal of information, articles, and guides related to network administration, network security, packet analysis, and general information technology.