3.3.5.6 GPO Deletion

Deletion of the abstract element Administered GPO requires the deletion of its Active Directory object on the Group Policy server and a corresponding directory on the Group Policy server's SYSVOL share. The deletion of the Active Directory portion of the GPO MUST be accomplished through an LDAP delRequest message as defined in section 2.2.8.5 from the client to the server.

The result of delRequest is a delResponse message in reply, as defined in [RFC2251] section 4.8. The resultCode value determines a failure or success for the message. Success is indicated when the value of the delResponse message's resultCode is 0. Any other resultCode value indicates a failure.

Recursively delete the files under <GPO path> on the file system. Any remote file I/O operations that fail are to be logged.

  1. Open directory file at <GPO path>

  2. Enumerate contents of current directory

  3. For each directory entry

    • If entry is a directory file

      • Repeat steps 2 and 3, enumerating contents of subdirectory

      • Delete directory file

    • Else

      • Delete file

  4. Delete directory file at <GPO path>
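The four steps above as an added, runnable example (not part of the specification or of any Windows component). It performs the same post-order walk over a local directory, logs each failed operation and carries on with the remaining entries, and returns the paths it could not remove; the `unlink` and `rmdir` parameters are hypothetical injection points so a caller could route the calls to an SMB client. The GPO directory it builds is a constructed sample that only mimics the SYSVOL layout.

```python
import logging
import os
import tempfile
from typing import Callable, List

log = logging.getLogger("gpo.sysvol")


def delete_gpo_directory(gpo_path: str,
                         unlink: Callable[[str], None] = os.unlink,
                         rmdir: Callable[[str], None] = os.rmdir) -> List[str]:
    """Post-order deletion of <GPO path>; returns the paths that could not be removed.

    Steps 1-4 of the text: enumerate the directory, recurse into each
    subdirectory before removing it, delete plain files, and finally remove
    <GPO path> itself. A failed operation is logged and the walk continues
    with the remaining entries. `unlink` and `rmdir` are injectable
    (hypothetical SMB hook); they default to local file-system calls.
    """
    failures: List[str] = []

    def attempt(op: Callable[[str], None], path: str) -> None:
        try:
            op(path)
        except OSError as exc:
            log.error("delete %s failed: %s", path, exc)
            failures.append(path)

    def remove_tree(directory: str) -> None:
        try:
            entries = list(os.scandir(directory))        # step 2: enumerate contents
        except OSError as exc:
            log.error("enumerate %s failed: %s", directory, exc)
            return                                        # the rmdir below records the failure
        for entry in entries:                             # step 3: for each directory entry
            if entry.is_dir(follow_symlinks=False):       # a directory file
                remove_tree(entry.path)                   # repeat steps 2 and 3 on the subdirectory
                attempt(rmdir, entry.path)                # then delete the (now empty) directory
            else:
                attempt(unlink, entry.path)               # files and symlinks are unlinked, never followed

    remove_tree(gpo_path)
    attempt(rmdir, gpo_path)                              # step 4: delete <GPO path> itself
    return failures


def build_sample_gpo_directory(root: str) -> None:
    """Constructed sample that only mimics the SYSVOL layout of a GPO."""
    os.makedirs(os.path.join(root, "Machine", "Microsoft", "Windows NT", "SecEdit"))
    os.makedirs(os.path.join(root, "User"))
    with open(os.path.join(root, "GPT.INI"), "w") as f:
        f.write("[General]\nVersion=1\n")
    with open(os.path.join(root, "Machine", "Microsoft", "Windows NT", "SecEdit", "GptTmpl.inf"), "w") as f:
        f.write("[Unicode]\nUnicode=yes\n")


def demo() -> bool:
    """Delete a constructed GPO directory under a temp dir; True when nothing is left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        gpo_path = os.path.join(tmp, "{00000000-1111-2222-3333-444444444444}")
        build_sample_gpo_directory(gpo_path)
        failures = delete_gpo_directory(gpo_path)
        return failures == [] and not os.path.exists(gpo_path)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("clean deletion:", demo())
```

Because the walk never stops on an error, one file that cannot be unlinked leaves its whole ancestor chain in place: every `rmdir` up to <GPO path> then fails with "directory not empty" and each of those paths is logged as well, which is what an operator reviewing the log should expect to see.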

A GPO is an Active Directory container, and the LDAP delete operation ([RFC2251] section 4.8) only removes leaf entries, so an LDAP delRequest message MUST be sent for all Active Directory objects contained in the GPO, and recursively for each subcontainer and all Active Directory objects contained in the subcontainer, before it is sent for the GPO. Starting at the GPO, an LDAP SearchRequest MUST be sent to the Group Policy server with the following parameters:

Parameter     Value
------------  ----------------------------------------------------------------
baseObject    LDAP DN for the current container (starting with the GPO DN).
Scope         MUST be set to 1 (singleLevel): search all entries in the first
              level below the baseObject, excluding the baseObject itself.
derefAliases  MUST be set to 0 (neverDerefAliases).
sizeLimit     No limit is set (this MUST be set to 0).
timeLimit     MAY be 0 (infinite).
typesOnly     MUST be set to 0 (FALSE).
Filter        The following LDAP filter (using the representation as specified
              in [RFC2254]) MUST be used: (objectClass=*)
attributes    objectClass

For each returned object, if the objectClass attribute contains the value "container" (objectClass is multi-valued, so a container is returned as "top" plus "container"), the object DN MUST be used as the baseObject for a further LDAP SearchRequest, recursively, until the container holds no objects; a delRequest is then sent for the emptied container itself. If the objectClass attribute does not contain "container", an LDAP delRequest message MUST be sent for the object. The final LDAP delRequest message MUST be for the GPO DN. If the resultCode value of a delResponse message is nonzero, the error condition is logged.
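The search-and-delete recursion above as an added example (not the specification's or any product's code). Since it has to run without a Group Policy server, it drives the procedure against a small in-memory stand-in that models only the two behaviours the procedure depends on: a one-level search returning objectClass values, and the delete operation refusing a non-leaf entry with resultCode 66 (notAllowedOnNonLeaf). The GPO DN, the subtree and the object classes are constructed sample data, not a claim about the real layout of a GPO.

```python
import logging
from typing import Dict, List, Tuple

log = logging.getLogger("gpo.ldap")

# LDAP resultCode values ([RFC2251] section 4.1.10)
LDAP_SUCCESS = 0
LDAP_NO_SUCH_OBJECT = 32
LDAP_NOT_ALLOWED_ON_NON_LEAF = 66
SCOPE_ONE_LEVEL = 1          # SearchRequest scope singleLevel

# Constructed sample GPO DN (not a real policy GUID)
GPO_DN = "CN={00000000-1111-2222-3333-444444444444},CN=Policies,CN=System,DC=contoso,DC=com"


def parent_dn(dn: str) -> str:
    # Sample DNs contain no escaped commas, so the first ',' ends the RDN.
    return dn.split(",", 1)[1]


class FakeDirectory:
    """In-memory stand-in for the Group Policy server's LDAP interface (example only)."""

    def __init__(self, entries: Dict[str, List[str]]) -> None:
        # dn -> (dn as written, objectClass values); keyed case-insensitively like AD
        self.entries = {dn.lower(): (dn, classes) for dn, classes in entries.items()}

    def search(self, base_object: str, scope: int, attributes: Tuple[str, ...]) -> List[Tuple[str, List[str]]]:
        if scope != SCOPE_ONE_LEVEL or attributes != ("objectClass",):
            raise ValueError("this stand-in only models the SearchRequest the procedure sends")
        base = base_object.lower()
        return [(dn, classes) for dn, classes in self.entries.values()
                if parent_dn(dn).lower() == base]

    def delete(self, dn: str) -> int:
        """delRequest -> delResponse.resultCode; non-leaf entries are refused."""
        key = dn.lower()
        if key not in self.entries:
            return LDAP_NO_SUCH_OBJECT
        if self.search(dn, SCOPE_ONE_LEVEL, ("objectClass",)):
            return LDAP_NOT_ALLOWED_ON_NON_LEAF
        del self.entries[key]
        return LDAP_SUCCESS


def delete_gpo_ad_objects(conn: FakeDirectory, gpo_dn: str) -> List[Tuple[str, int]]:
    """Send delRequests in post-order: contents, then subcontainers, then the GPO.

    Returns (dn, resultCode) for every delRequest in the order sent. A nonzero
    resultCode is logged, as the text requires, and the walk continues.
    """
    sent: List[Tuple[str, int]] = []

    def send_delete(dn: str) -> None:
        code = conn.delete(dn)
        if code != LDAP_SUCCESS:
            log.error("delRequest for %s failed with resultCode %d", dn, code)
        sent.append((dn, code))

    def empty_container(base_object: str) -> None:
        # SearchRequest parameters from the table: scope=1, derefAliases=0,
        # sizeLimit=0, typesOnly=FALSE, filter (objectClass=*), attributes objectClass
        for dn, classes in conn.search(base_object, SCOPE_ONE_LEVEL, ("objectClass",)):
            if "container" in classes:       # objectClass is multi-valued (top, container, ...)
                empty_container(dn)          # recurse first ...
            send_delete(dn)                  # ... then delete the now-leaf entry

    empty_container(gpo_dn)
    send_delete(gpo_dn)                      # the final delRequest is for the GPO DN
    return sent


def sample_directory() -> FakeDirectory:
    """Constructed GPO subtree: two subcontainers and one leaf object under User."""
    packages = "CN=Packages,CN=User," + GPO_DN
    return FakeDirectory({
        GPO_DN: ["top", "container", "groupPolicyContainer"],
        "CN=Machine," + GPO_DN: ["top", "container"],
        "CN=User," + GPO_DN: ["top", "container"],
        packages: ["top", "container"],
        "CN=Example App," + packages: ["top", "packageRegistration"],
    })


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    d = sample_directory()
    print("delete GPO first ->", d.delete(GPO_DN))   # refused: the GPO still has children
    for dn, code in delete_gpo_ad_objects(d, GPO_DN):
        print(code, dn)
```

The first call in the `__main__` block shows why the ordering is normative: a delRequest for the GPO DN while it still has subordinates is answered with resultCode 66, and nothing is removed. A GPO DN that does not exist yields resultCode 32 (noSuchObject) on the final delete, which the procedure logs rather than treating as fatal.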

The following steps make up the remainder of GPO Deletion:

  1. A domain SOM search as defined in section 2.2.2 except for these fields:

    Parameter   Value
    ----------  ------------------------------------------------------------
    baseObject  LDAP DN for the root of the domain.
    Scope       MUST be the whole subtree (2).
    Filter      The following LDAP filter (using the representation as
                specified in [RFC2254]) MUST be used:
                (&(|(objectcategory=domaindns)(objectcategory=organizationalUnit))(gplink=*))

  2. A site search as defined in the first part of section 2.2.3 that retrieves the configurationNamingContext. The second search is identical except for these fields:

    Parameter   Value
    ----------  ------------------------------------------------------------
    baseObject  cn=Sites,<LDAP DN for the configurationNamingContext of the domain.>
    Scope       MUST be the whole subtree (2).
    Filter      The following LDAP filter (using the representation as
                specified in [RFC2254]) MUST be used: (objectCategory=site)

  3. For each SOM object returned in Step 1, a SOM property update message for attribute gPLink removing the GPO DN from the list of linked GPO objects.

  4. For each Site object returned in Step 2, a SOM property update message for attribute gPLink removing the GPO DN from the list of linked GPO objects.
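Steps 3 and 4 as an added example (not code from the specification or from any Windows component): given the (SOM DN, gPLink) pairs the two searches return, it computes the gPLink value each SOM property update message must carry. A gPLink value is a concatenation of `[LDAP://<GPO DN>;<options>]` entries, where options is a bit mask (1 = link disabled, 2 = enforced); GPO DNs in it are typically written with lowercase `cn=`, so the comparison is case-insensitive, as Active Directory compares DNs. The SOM DNs and link values are constructed sample data; the `"replace"`/`"delete"` operation names are this example's own shorthand for the LDAP modify change the update message would carry.

```python
import re
from typing import List, Optional, Tuple

# One gPLink entry: "[LDAP://<GPO DN>;<options>]". Options bit 0 = disabled, bit 1 = enforced.
_LINK = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

# Constructed sample GPO DNs (not real policy GUIDs)
GPO_A = "cn={AAAAAAAA-0000-0000-0000-000000000001},cn=policies,cn=system,DC=contoso,DC=com"
GPO_B = "cn={BBBBBBBB-0000-0000-0000-000000000002},cn=policies,cn=system,DC=contoso,DC=com"

# Constructed search results in the shape steps 1 and 2 would return: (SOM DN, gPLink)
SAMPLE_SOMS = [
    ("DC=contoso,DC=com", f"[LDAP://{GPO_A};0][LDAP://{GPO_B};2]"),
    ("OU=Workstations,DC=contoso,DC=com", f"[LDAP://{GPO_A};0]"),
    ("CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com", f"[LDAP://{GPO_B};1]"),
]


def parse_gplink(value: str) -> List[Tuple[str, int]]:
    """Split a gPLink value into (GPO DN, options) pairs, preserving link order."""
    return [(dn, int(opts)) for dn, opts in _LINK.findall(value or "")]


def format_gplink(links: List[Tuple[str, int]]) -> str:
    return "".join(f"[LDAP://{dn};{opts}]" for dn, opts in links)


def remove_gpo_from_gplink(value: str, gpo_dn: str) -> Tuple[str, Optional[str]]:
    """Return (new gPLink value, modify operation) needed to unlink gpo_dn from one SOM.

    The operation is None when the SOM does not link the GPO (no message needed),
    "replace" when other links remain, and "delete" when the last link goes away,
    because an attribute cannot be set to an empty string. Link order and the
    options of the remaining links are left untouched.
    """
    links = parse_gplink(value)
    kept = [(dn, opts) for dn, opts in links if dn.lower() != gpo_dn.lower()]
    if len(kept) == len(links):
        return value, None
    if not kept:
        return "", "delete"
    return format_gplink(kept), "replace"


def plan_som_updates(som_entries: List[Tuple[str, str]], gpo_dn: str) -> List[Tuple[str, str, str]]:
    """Steps 3 and 4: one (SOM DN, operation, new value) per SOM that actually links the GPO."""
    plan = []
    for som_dn, gplink in som_entries:
        new_value, op = remove_gpo_from_gplink(gplink, gpo_dn)
        if op is not None:
            plan.append((som_dn, op, new_value))
    return plan


if __name__ == "__main__":
    for som_dn, op, new_value in plan_som_updates(SAMPLE_SOMS, GPO_B):
        print(f"{som_dn}: {op} gPLink -> {new_value!r}")
```

Note that the domain search filter `(gplink=*)` already excludes SOMs with no gPLink at all, and the example likewise sends nothing to a SOM whose gPLink does not mention the deleted GPO; only SOMs that actually linked it receive a property update message.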