Clean Abandoned GPOs

GPO settings can be abandoned by their creators, leaving settings in a GPO that are still configured but no longer described or functional. You’ll know this has occurred to one of your GPOs when you see the following error:

GPO Setting

This article will walk you through clearing out these abandoned, no-longer-used GPO settings.

Information Collection

The first step is to collect a few pieces of information on the GPO settings that need to be removed.

  1. Open Group Policy Management and browse to the GPO that has the undefined GPO setting.
  2. Select the Settings tab within the GPO and browse to the Extra Registry Settings section.
  3. Take note of two items:
    • Each line under Setting.
    • Whether the undefined GPO setting is within Computer Configuration or User Configuration.

Using the example above, I would document the following:

GPO:
Computer Configuration

Settings:
Software\Policies\Microsoft\TPM\ActiveDirectoryBackup
Software\Policies\Microsoft\TPM\RequireActiveDirectoryBackup

Pulling our Command Together

Next, take each undefined setting and add the following at the beginning of the line:

  • HKCU if it's a User Configuration GPO setting.
  • HKLM if it's a Computer Configuration GPO setting.

For example:

HKLM\Software\Policies\Microsoft\TPM\ActiveDirectoryBackup
HKLM\Software\Policies\Microsoft\TPM\RequireActiveDirectoryBackup

Lastly, split the undefined setting into its key/value pair.

-Key HKLM\Software\Policies\Microsoft\TPM\ -ValueName ActiveDirectoryBackup
-Key HKLM\Software\Policies\Microsoft\TPM\ -ValueName RequireActiveDirectoryBackup

Removing the Setting(s)

Now, we can build the command that will be used to remove the undefined GPO setting.

Remove-GPRegistryValue -Name "GPO Name" -Key HKLM\Software\Policies\Microsoft\TPM -ValueName "ActiveDirectoryBackup"

If you’d like to remove all values under a Key, you can do so by omitting the -ValueName option.

Remove-GPRegistryValue -Name "GPO Name" -Key HKLM\Software\Policies\Microsoft\TPM
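
The steps above can be combined into one script. The following is an added example, not part of the original article: it backs up the GPO, builds each key/value pair from the lines noted under Extra Registry Settings, and previews the removal. The GPO name and the backup folder C:\GPOBackups are placeholders, and the variable names are illustrative.

```powershell
# Added example, not from the original article.
# Requires the GroupPolicy module (installed with GPMC / RSAT).
Import-Module GroupPolicy

$GpoName    = 'GPO Name'        # placeholder: display name of the GPO to clean
$Scope      = 'Computer'        # 'Computer' or 'User', as noted from the Settings tab
$BackupPath = 'C:\GPOBackups'   # assumption: an existing folder for the backup
$Settings   = @(                # lines copied from Extra Registry Settings
    'Software\Policies\Microsoft\TPM\ActiveDirectoryBackup'
    'Software\Policies\Microsoft\TPM\RequireActiveDirectoryBackup'
)

# Computer Configuration maps to HKLM, User Configuration to HKCU.
$Hive = switch ($Scope) {
    'Computer' { 'HKLM' }
    'User'     { 'HKCU' }
    default    { throw "Scope must be 'Computer' or 'User', got '$Scope'." }
}

# Back up first so the GPO can be restored if the wrong value is removed.
Backup-GPO -Name $GpoName -Path $BackupPath -Comment 'Before removing abandoned settings' |
    Out-Null

foreach ($line in $Settings) {
    $path = $line.Trim().Trim('\')
    $cut  = $path.LastIndexOf('\')
    if ($cut -lt 1) {
        Write-Warning "Skipping '$line': cannot split into key and value name."
        continue
    }

    # Everything before the last backslash is the key, the rest is the value name.
    $key   = "$Hive\" + $path.Substring(0, $cut)
    $value = $path.Substring($cut + 1)

    # Only attempt removal if the value is actually present in this GPO.
    try {
        Get-GPRegistryValue -Name $GpoName -Key $key -ValueName $value -ErrorAction Stop |
            Out-Null
    } catch {
        Write-Warning "Not found in GPO '$GpoName': $key -> $value"
        continue
    }

    # Remove -WhatIf once the preview lists only the values you intend to delete.
    Remove-GPRegistryValue -Name $GpoName -Key $key -ValueName $value -WhatIf
}
```

After running without -WhatIf, refresh the Settings tab in Group Policy Management to confirm the entries are gone from Extra Registry Settings.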