• Removing Remote Installation Services User Settings from the Default Domain Policy

    July 19, 2018

    Active Directory

    For my employer, I do a LOT of Active Directory (AD) Health Checks. One of the things I look for are User Settings in the Default Domain Policy.

    Why? Because Microsoft says only four groups of settings should be configured in the Default Domain Policy. No User Settings are on that list. The User Settings I see in almost every Default Domain Policy are shown in Figure 1.

    Figure 1
    Figure 1

    No problem, right? Just edit the Default Domain Policy, go to User Configuration, Policies, Windows Settings, Remote Installation Services, as shown in Figure 2.

    Figure 2
    Figure 2

    Oh wait, there is no Remote Installation Services node available. How can it be removed if it doesn’t exist? How did those User Settings get in the Default Domain Policy? What is Remote Installation Services?

    Remote Installation Services (RIS) came with pre-SP2 versions of Windows Server 2003. RIS used PXE to allow the automated installation of Windows Server 2003. In SP2, RIS was replaced by Windows Deployment Services.

    How did those User Settings get in the Default Domain Policy? To find out, I created a new Windows Server 2003 R2 server and made it a domain controller for a new forest consisting of one domain. With no additional configuration, other than to install the Group Policy Management Console (GPMC), I edited the never touched by Webster’s hands Default Domain Policy. What I saw is shown in Figure 3.

    Figure 3
    Figure 3

    Well crap! I didn’t put those User Settings in my brand new Default Domain Policy, Microsoft did. The same Microsoft who says there should be no User Settings in the Default Domain Policy.

    Now, how do I remove those settings? They can’t be deleted using the GPMC.

    First, before any changes are made to any group policy, make a backup and create reports for the policies. You can use the Get GPO Backups and Reports PowerShell script to perform that task.

    We need to find the Default Domain Policy folders and files in the SYSVOL folder tree. All Group Policies are identified by a GUID. The Default Domain Policy’s GUID is the same for every domain in every AD Forest in the world. That GUID is {31B2F340-016D-11D2-945F-00C04FB984F9}.

    Since SYSVOL can be in a non-standard location, I do Start, Run, \\domain.tld as shown in Figure 4.

    Figure 4
    Figure 4

    Browse to \\domain.tld\SYSVOL\domain.tld\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Microsoft as shown in Figure 5.

    Figure 5
    Figure 5

    Delete the RemoteInstall folder, go back to the GPMC and refresh the Default Domain Policy. The Remote Installation Services User Settings are gone, as shown in Figure 6.

    Figure 6
    Figure 6

    If there are other User Settings in the Default Domain Policy, create a GPO and move those User Settings to the new GPO.

    I hope you find this useful.

    Thanks

    Webster

    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.

    View all posts by Carl Webster

    No comments yet.

    Leave a Reply