-
Removing Remote Installation Services User Settings from the Default Domain Policy
July 19, 2018
I do a LOT of Active Directory (AD) Health Checks. One of the things I look for are User Settings in the Default Domain Policy.
Why? Because Microsoft says only four groups of settings should be configured in the Default Domain Policy. No User Settings are on that list. The User Settings I see in almost every Default Domain Policy are shown in Figure 1.
No problem, right? Just edit the Default Domain Policy, go to User Configuration, Policies, Windows Settings, Remote Installation Services, as shown in Figure 2.
Oh wait, there is no Remote Installation Services node available. How can it be removed if it doesn’t exist? How did those User Settings get in the Default Domain Policy? What is Remote Installation Services?
Remote Installation Services (RIS) came with pre-SP2 versions of Windows Server 2003. RIS used PXE to allow the automated installation of Windows Server 2003. In SP2, RIS was replaced by Windows Deployment Services.
How did those User Settings get in the Default Domain Policy? To find out, I created a new Windows Server 2003 R2 server and made it a domain controller for a new forest consisting of one domain. With no additional configuration, other than to install the Group Policy Management Console (GPMC), I edited the never touched by Webster’s hands Default Domain Policy. What I saw is shown in Figure 3.
Well crap! I didn’t put those User Settings in my brand new Default Domain Policy, Microsoft did. The same Microsoft who says there should be no User Settings in the Default Domain Policy.
Now, how do I remove those settings? They can’t be deleted using the GPMC.
First, before any changes are made to any group policy, make a backup and create reports for the policies. You can use the Get GPO Backups and Reports PowerShell script to perform that task.
We need to find the Default Domain Policy folders and files in the SYSVOL folder tree. All Group Policies are identified by a GUID. The Default Domain Policy’s GUID is the same for every domain in every AD Forest in the world. That GUID is {31B2F340-016D-11D2-945F-00C04FB984F9}.
Since SYSVOL can be in a non-standard location, I do Start, Run, \domain.tld as shown in Figure 4.
Browse to \domain.tld\SYSVOL\domain.tld\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Microsoft as shown in Figure 5.
Delete the RemoteInstall folder, go back to the GPMC, and refresh the Default Domain Policy. The Remote Installation Services User Settings are gone, as shown in Figure 6.
If there are other User Settings in the Default Domain Policy, create a GPO and move those User Settings to the new GPO.
I hope you find this useful.
Thanks
Webster
10 Responses to “Removing Remote Installation Services User Settings from the Default Domain Policy”
Leave a Reply
December 7, 2023 at 8:47 pm
Hi Carl,
actually ran into this one today doing a GP health check. Quality write-up, thanks.
October 3, 2023 at 7:32 am
I just wanted to say thank you. A clearly explained and effective solution to the issue. Nice work.
March 1, 2022 at 10:51 pm
Delete from C:\Windows\SYSVOL\sysvol\domain.tld\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Microsoft as trying to delete from the UNC path (\\server\…) will flag for the file in use and fail.
March 2, 2022 at 5:58 am
That is why I don’t tell you to delete the folder that way.
Webster
September 2, 2021 at 2:19 am
Just wanted to recommend also disabling User Configuration entirely, as it’s not needed where no User settings are configured.
September 2, 2021 at 7:00 am
I disagree. DOing that can hinder troubleshooting and does nothing to improve performance.
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/does-disabling-user-computer-gpo-settings-make-processing/ba-p/570719
Thanks
Webster
September 10, 2021 at 4:32 am
Interesting. How would disabling something that is not in use hinder troubleshooting?
Thanks
September 10, 2021 at 7:11 am
I don’t believe I used the word “troubleshooting” in the article. I pointed out that Microsoft says you should have no user settings in the Default Domain Policy. But back in the early Server 2003 days, Microsoft themselves put user settings in that GPO. How do you delete the settings once you no longer have a Server 2003 domain controller (which you should have none of those in 2021)? My article showed you how.
Thanks
Webster
May 12, 2021 at 9:36 am
Hello
Just wanted to say thank you for this information
I could not find the settings in GPMC
My domain build is originally from 2000 right when AD came out
Ran across this resetting my Default Domain Policy, thought it was odd as those settings are not in any of our other Domains
thanks again
Ron
May 12, 2021 at 9:40 am
I am glad you found the article helpful and glad you were able to clean something out of your Default Domain Policy.
Webster