
  • Removing Remote Installation Services User Settings from the Default Domain Policy

    July 19, 2018

    Active Directory

    I do a LOT of Active Directory (AD) Health Checks. One of the things I look for is User Settings in the Default Domain Policy.

    Why? Because Microsoft says only four groups of settings should be configured in the Default Domain Policy. No User Settings are on that list. The User Settings I see in almost every Default Domain Policy are shown in Figure 1.

    Figure 1

    No problem, right? Just edit the Default Domain Policy, go to User Configuration, Policies, Windows Settings, Remote Installation Services, as shown in Figure 2.

    Figure 2

    Oh wait, there is no Remote Installation Services node available. How can it be removed if it doesn’t exist? How did those User Settings get in the Default Domain Policy? What is Remote Installation Services?

    Remote Installation Services (RIS) came with pre-SP2 versions of Windows Server 2003. RIS used PXE to allow the automated installation of Windows Server 2003. In SP2, RIS was replaced by Windows Deployment Services.

    How did those User Settings get in the Default Domain Policy? To find out, I created a new Windows Server 2003 R2 server and made it a domain controller for a new forest consisting of one domain. With no additional configuration, other than to install the Group Policy Management Console (GPMC), I edited the never-touched-by-Webster’s-hands Default Domain Policy. What I saw is shown in Figure 3.

    Figure 3

    Well crap! I didn’t put those User Settings in my brand new Default Domain Policy, Microsoft did. The same Microsoft who says there should be no User Settings in the Default Domain Policy.

    Now, how do I remove those settings? They can’t be deleted using the GPMC.

    First, before any changes are made to any group policy, make a backup and create reports for the policies. You can use the Get GPO Backups and Reports PowerShell script to perform that task.

    We need to find the Default Domain Policy folders and files in the SYSVOL folder tree. All Group Policies are identified by a GUID. The Default Domain Policy’s GUID is the same for every domain in every AD Forest in the world. That GUID is {31B2F340-016D-11D2-945F-00C04FB984F9}.

    Since SYSVOL can be in a non-standard location, I do Start, Run, \\domain.tld as shown in Figure 4.

    Figure 4

    Browse to \\domain.tld\SYSVOL\domain.tld\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Microsoft as shown in Figure 5.

    Figure 5

    Delete the RemoteInstall folder, go back to the GPMC, and refresh the Default Domain Policy. The Remote Installation Services User Settings are gone, as shown in Figure 6.

    Figure 6

    If there are other User Settings in the Default Domain Policy, create a GPO and move those User Settings to the new GPO.

    I hope you find this useful.

    Thanks

    Webster
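
The backup, locate, and delete steps from the article, scripted as an added example (not part of the original post and not the author's script). It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the `C:\GPOBackups` output folder and the report file name are hypothetical.

```powershell
# Added example, not from the original post. Run it as a script in an elevated
# session with rights to SYSVOL; pass -WhatIf for a dry run of the deletion.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: hypothetical folder for the GPO backup and the HTML report.
    [string]$BackupPath = 'C:\GPOBackups'
)

Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

# GUID of the Default Domain Policy, as given in the article.
$DdpGuid = '31B2F340-016D-11D2-945F-00C04FB984F9'
$Domain  = (Get-ADDomain).DNSRoot

# Reach SYSVOL through the domain name so a non-standard SYSVOL location does not matter.
$UserRoot  = "\\$Domain\SYSVOL\$Domain\Policies\{$DdpGuid}\USER"
$RisFolder = Join-Path $UserRoot 'Microsoft\RemoteInstall'

if (-not (Test-Path -LiteralPath $RisFolder)) {
    Write-Output "No RemoteInstall folder found at $RisFolder; nothing to remove."
    return
}

# Back up the GPO and save a report before touching anything in SYSVOL.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
Backup-GPO -Guid $DdpGuid -Domain $Domain -Path $BackupPath `
    -Comment 'Before removing RIS User Settings' | Out-Null
Get-GPOReport -Guid $DdpGuid -Domain $Domain -ReportType Html `
    -Path (Join-Path $BackupPath 'DefaultDomainPolicy-before.html')

# List exactly what is about to be deleted, then delete it.
Get-ChildItem -LiteralPath $RisFolder -Recurse -Force |
    Select-Object -ExpandProperty FullName
if ($PSCmdlet.ShouldProcess($RisFolder, 'Remove RemoteInstall folder')) {
    Remove-Item -LiteralPath $RisFolder -Recurse -Force
}

# Any files still under USER point to other User Settings that belong in a new GPO.
Get-ChildItem -LiteralPath $UserRoot -Recurse -File -Force |
    Select-Object -ExpandProperty FullName
```

If the delete over the UNC path fails with a file-in-use error, a commenter on the post reports that deleting from the local SYSVOL path on a domain controller works.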







    About Carl Webster

    Carl Webster is an independent consultant specializing in Citrix, Active Directory, and technical documentation. Carl (aka “Webster”) serves the broader Citrix community by writing articles (see CarlWebster.com) and by being the most active person in the Citrix Zone on Experts Exchange. Webster has a long history in the IT industry beginning with mainframes in 1977, PCs and application development in 1986, and network engineering in 2001. He has worked with Citrix products since 1990 with the premiere of their first product – the MULTIUSER OS/2.


    12 Responses to “Removing Remote Installation Services User Settings from the Default Domain Policy”

    1. Robert Oram Says:

      Hi,
      I tried this twenty times, in slightly different ways. It always says I don’t have permission, but I am logged in as a Domain Admin.

      Any ideas?

      Thanks,
      Bob


      • Carl Webster Says:

        If you could email me screenshots of your process maybe I could help.

        Webster at CarlWebster dot com

        Thanks

        Webster


    2. Lachlan Says:

      Hi Carl,
      actually ran into this one today doing a GP health check. Quality write-up, thanks.


    3. James Says:

      I just wanted to say thank you. A clearly explained and effective solution to the issue. Nice work.


    4. Someguy Says:

      Delete from C:\Windows\SYSVOL\sysvol\domain.tld\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Microsoft as trying to delete from the UNC path (\\server\…) will flag for the file in use and fail.


    5. dnsss Says:

      Just wanted to recommend also disabling User Configuration entirely, as it’s not needed where no User settings are configured.


    6. RNR1995 Says:

      Hello
      Just wanted to say thank you for this information
      I could not find the settings in GPMC
      My domain build is originally from 2000 right when AD came out
      Ran across this resetting my Default Domain Policy, thought it was odd as those settings are not in any of our other Domains
      thanks again
      Ron


      • Carl Webster Says:

        I am glad you found the article helpful and glad you were able to clean something out of your Default Domain Policy.

        Webster

