3.3.5.6 GPO Deletion
Deletion of the abstract element Administered GPO requires the deletion of its Active Directory object on the Group Policy server and a corresponding directory on the Group Policy server's SYSVOL share. The deletion of the Active Directory portion of the GPO MUST be accomplished through an LDAP delRequest message as defined in section 2.2.8.5 from the client to the server.
The result of delRequest is a delResponse message in reply, as defined in [RFC2251] section 4.8. The resultCode value determines a failure or success for the message. Success is indicated when the value of the delResponse message's resultCode is 0. Any other resultCode value indicates a failure.
Recursively delete the files under {GPO path} on the file system. Any remote file I/O operations that fail are to be logged.
1. Open the directory file at <GPO path>.
2. Enumerate the contents of the current directory.
3. For each directory entry:
   - If the entry is a directory file:
     - Repeat steps 2 and 3, enumerating the contents of the subdirectory.
     - Delete the directory file.
   - Else:
     - Delete the file.
4. Delete the directory file at <GPO path>.
A GPO is an Active Directory container, so an LDAP delRequest message MUST be sent for all Active Directory objects contained in the GPO, and recursively for each subcontainer and all Active Directory objects contained in that subcontainer, before it is sent for the GPO itself. Starting at the GPO, an LDAP SearchRequest MUST be sent to the Group Policy server with the following parameters:
| Parameter | Value |
|---|---|
| baseObject | LDAP DN for the current container (starting with the GPO DN). |
| Scope | MUST be set to 1. Search all entries in the first level below the baseObject, excluding the baseObject. |
| derefAliases | MUST be set to 0 (neverDerefAliases). |
| sizeLimit | No limit is set (this MUST be set to 0). |
| timeLimit | MAY be 0 (infinite). |
| typesOnly | MUST be set to 0 (FALSE). |
| Filter | The following LDAP filter (using the representation as specified in [RFC2254]) MUST be used: (objectClass=*) |
| attributes | objectClass |
For each returned object, if the objectClass attribute is equal to "container", the object DN MUST be used as the baseObject for an LDAP SearchRequest recursively until the GPO contains no objects. If the objectClass attribute is not equal to "container", an LDAP delRequest message MUST be sent for the object. The final LDAP delRequest message MUST be for the GPO DN. If the resultCode value of a delResponse message is nonzero, the error condition is logged.
The following steps make up the remainder of GPO Deletion:

1. A domain SOM search as defined in section 2.2.2, except for these fields:

   | Parameter | Value |
   |---|---|
   | baseObject | LDAP DN for the root of the domain. |
   | Scope | MUST be the whole subtree (2). |
   | Filter | The following LDAP filter (using the representation as specified in [RFC2254]) MUST be used: (&(\|(objectcategory=domaindns)(objectcategory=organizationalUnit))(gplink=*)) |

2. A site search as defined in the first part of section 2.2.3 that retrieves the configurationNamingContext. The second search is identical except for these fields:

   | Parameter | Value |
   |---|---|
   | baseObject | cn=Sites,<LDAP DN for the configurationNamingContext of the domain.> |
   | Scope | MUST be the whole subtree (2). |
   | Filter | The following LDAP filter (using the representation as specified in [RFC2254]) MUST be used: (objectCategory=site) |

3. For each SOM object returned in Step 1, a SOM property update message for attribute gPLink removing the GPO DN from the list of linked GPO objects.
4. For each Site object returned in Step 2, a SOM property update message for attribute gPLink removing the GPO DN from the list of linked GPO objects.
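As an added illustration that is not part of the specification, the following Python simulates the two Active Directory parts of this procedure over a constructed in-memory directory: the one-level SearchRequest recursion that yields the delRequest order (contents before their container, the GPO DN last), and the gPLink update that unlinks the GPO from each SOM and site. The gPLink value format (concatenated [LDAP://<DN>;<options>] entries) is taken from MS-GPOL section 2.2.2 rather than from this section, and the GUID and object names are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed in-memory directory standing in for the Group Policy server: DN -> objectClass.
GPO_DN = "CN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=example,DC=com"
DIRECTORY: Dict[str, str] = {
    GPO_DN: "groupPolicyContainer",
    "CN=Machine," + GPO_DN: "container",
    "CN=Class Store,CN=Machine," + GPO_DN: "container",
    "CN=Packages,CN=Class Store,CN=Machine," + GPO_DN: "container",
    "CN=App1,CN=Packages,CN=Class Store,CN=Machine," + GPO_DN: "packageRegistration",
    "CN=User," + GPO_DN: "container",
    "CN=Scripts,CN=User," + GPO_DN: "container",
}

def one_level_search(base_object: str) -> List[Tuple[str, str]]:
    """SearchRequest of the deletion table: scope 1, filter (objectClass=*),
    attribute objectClass. RDNs containing escaped commas are not handled."""
    suffix = "," + base_object
    return sorted((dn, oc) for dn, oc in DIRECTORY.items()
                  if dn.endswith(suffix) and "," not in dn[:-len(suffix)])

def deletion_order(gpo_dn: str) -> List[str]:
    """DNs in the order delRequest messages must be sent: every object before
    its container, each subcontainer after its contents, the GPO itself last."""
    order: List[str] = []

    def visit(base_object: str) -> None:
        for dn, object_class in one_level_search(base_object):
            if object_class == "container":
                visit(dn)          # recurse into the subcontainer first
            order.append(dn)       # then the delRequest for the object itself

    visit(gpo_dn)
    order.append(gpo_dn)           # the final delRequest is for the GPO DN
    return order

def unlink_gpo(gplink: str, gpo_dn: str) -> str:
    """Remove the GPO from a SOM's gPLink value. Assumes the gPLink format of
    MS-GPOL section 2.2.2: concatenated "[LDAP://<DN>;<options>]" entries."""
    kept = []
    for entry in re.findall(r"\[([^\]]*)\]", gplink):
        dn = entry.split(";", 1)[0]
        if dn.upper().startswith("LDAP://"):
            dn = dn[len("LDAP://"):]
        if dn.lower() != gpo_dn.lower():     # DNs compare case-insensitively
            kept.append("[" + entry + "]")
    return "".join(kept)
```

Running `deletion_order(GPO_DN)` on the constructed directory yields App1, Packages, Class Store, Machine, Scripts, User and finally the GPO DN, and `unlink_gpo` leaves the other linked GPOs' entries and options untouched.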