Group Policy Preferences Create Replace Update Delete (CRUD)

**CRUD** in [[Group Policy]] refers to the essential operations of **Create, Read, Update, and Delete** for managing [[Group Policy Object (GPO)]]. These actions enable administrators to configure, view, modify, and remove policies that control settings and security across an [[Windows Active Directory (AD)|Active Directory]] environment. # Create You will notice this option comes with a **green icon**. Green is Good! Right? Green actually indicates that this action is very low impact and low risk–it’s a “safe” move. E.g. If this mapping or connection does not exist, then create it. Otherwise, if it _does_ exist, then do nothing. But if you’re trying to use this during a migration, you might not get the result you want. You might not get your objects to show up, or you could get duplicate objects, depending on the situation. It’s great if you’re deploying brand new objects that have never been in the environment before, but as we will see, _Update_ has the same net result in that case, _and_ it allows you to perform updates to the same object later on. So I almost never use this _Create_ option in practice. # Replace Unlike it’s friendlier cousin (above), _Replace_ has an angry **red icon** and will not only create new objects, but destroy old ones, too. No matter what, you are getting this new object. If using this during migrations, for example when shared folders and mapped network drives are moving from an older file server to a newer one, then be sure to switch it to Update after you are done migrating (so that you don’t have the GPO deleting and recreating this object periodically later down the road). Note: if you go to the common tab and choose the option to “**Remove this item when it is no longer applied**” then the action will automatically be changed to _Replace_. # Update A **yellow icon**, as in: Warning! You _might_ overwrite something. You can update the object with new settings, or create the object if it doesn’t exist. However, you should note: it does not remove or destroy any objects. The example I like to use here is that if I try to _Update_ an existing printer connection to refer to a new server path like changing \\srv-oldprinters\printer to \\srv-newprinters\printer–the result is that I get a new printer (like I wanted) but I keep the old one too (which I didn’t want). I would have had to add a delete option for the old path, since _Update_ cannot delete anything, like _Replace_ can. Remember: **If there is no existing object to update, then create the object–but don’t delete any objects, just update them.** Because of this behavior, I usually choose this action whenever I’m deploying brand new objects, and just update it later on whenever something minor changes with it. For major changes like migrations to new servers, I would use _Replace_, since update is much weaker (albeit not as weak as Create). Just be aware that if you use _Update_ in migration scenarios, you may not get the results you want, similar to _Create_. # Delete This is exactly what it sounds like: delete the object. Just get rid of it. That’s why this item gets a **red x**. Appropriate for use when a share or printer has been permanently removed. Oddly enough, and especially with printer connections, I have found that this may not always be effective–especially if the object was put into place by something other than Group Policy preferences, so I often create a logon script to blow those items away anyhow, just as extra protection. If the policy works and the logon script is redundant, still no harm in covering your bases. # Sources [CRUD: When to use Create, Replace, Update or Delete in Group Policy Preferences? - ITProMentor](https://www.itpromentor.com/gp-crud/)