2.1.3.2.3 Deleting Group Policy Objects

To delete a GPO, it is necessary to delete all Active Directory objects associated with the GPO on the Group Policy server and to delete the corresponding directories on the Group Policy file share that contain the user and computer settings to which the GPO links. To delete the Active Directory objects for a GPO, it is necessary to send an LDAP delRequest message, as described in [MS-GPOL] section 2.2.8.5 and [RFC2251] section 4.8, from the Administrative tool to the Group Policy server.

The Group Policy server replies to the delRequest message with a delResponse message, as defined in [RFC2251] section 4.8. The value of the resultCode field in the delResponse message determines whether the delete operation succeeded or failed; success is indicated by a resultCode field value of zero, while all other values indicate failure.

A GPO is an Active Directory container; therefore, an LDAP delRequest message is first sent for each Active Directory object contained directly in the GPO, and the same procedure is then applied recursively to each subcontainer (its contained objects are deleted first, then the subcontainer itself), because the LDAP delete operation ([RFC2251] section 4.8) removes only leaf entries. To begin the sequence, an LDAP SearchRequest ([RFC2251] section 4.5.1) containing the parameters specified in [MS-GPOL] section 3.3.5.6 is sent to the Group Policy server to retrieve the GPOs.

To delete Group Policy file share files and directories, it is necessary to recursively delete the files and directories in the <gpo path> via a file access protocol. All I/O operations that fail should be logged.
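The sequence described in the two paragraphs above (children-first LDAP deletes with a resultCode check on each delResponse, then recursive deletion of the <gpo path> tree with every failed I/O operation logged), as an added Python example that is not part of the specification. The GPO DN, the subtree and the file-share paths are constructed, and the Group Policy server is a mock that returns LDAP resultCodes.

```python
# Added example (not part of the specification): the GPO deletion sequence.
# Subtree, Group Policy server and file share are all constructed in memory.
import logging
from typing import Callable, Dict, List
log = logging.getLogger("gpo-delete")

# Constructed subtree under a hypothetical GPO container; DNs are made up.
GPO_DN = "CN={GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=com"
CHILDREN: Dict[str, List[str]] = {
    GPO_DN: ["CN=User," + GPO_DN, "CN=Machine," + GPO_DN],
    "CN=User," + GPO_DN: ["CN=Scripts,CN=User," + GPO_DN],
}

def deletion_order(node: str, children: Dict[str, List[str]]) -> List[str]:
    """Post-order: subordinates first, then the container (LDAP deletes leaves only)."""
    order: List[str] = []
    for child in children.get(node, []):
        order.extend(deletion_order(child, children))
    return order + [node]

class MockLdapServer:
    """Simulated server: resultCode 0 success, 66 notAllowedOnNonLeaf, 32 noSuchObject."""
    def __init__(self, children: Dict[str, List[str]]):
        self.entries = set(children) | {c for cs in children.values() for c in cs}
    def del_request(self, dn: str) -> int:
        if dn not in self.entries:
            return 32
        if any(e.endswith("," + dn) for e in self.entries):  # still has subordinates
            return 66
        self.entries.remove(dn)
        return 0

def delete_gpo_objects(server, gpo_dn: str, children) -> List[tuple]:
    """One delRequest per entry in deletion order; returns (dn, resultCode) for each non-zero resultCode."""
    failures = []
    for dn in deletion_order(gpo_dn, children):
        rc = server.del_request(dn)
        if rc != 0:
            failures.append((dn, rc))
    return failures

def delete_gpo_files(gpo_path: str, tree, remove: Callable[[str], None]) -> List[str]:
    """Delete the <gpo path> tree children-first; log each failed I/O op and go on."""
    failed = []
    for path in deletion_order(gpo_path, tree):
        try:
            remove(path)
        except OSError as exc:
            log.error("failed to delete %s: %s", path, exc)
            failed.append(path)
    return failed
```

Sending the delRequest for the GPO container before its contents yields resultCode 66 from the mock, which is the ordering mistake the post-order walk prevents.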

For further details about deleting GPOs, see [MS-GPOL] section 3.3.5.6.