Group Policy Order of Precedence FAQ

I’ve had a few queries from friends about Group Policy since my last post, so I thought, why not answer them here on my blog? And, yes, a few of them were about Group Policy precedence, hence this short FAQ.

What is the order of precedence in group policy?

I’ve prepared an illustration which I hope will help you understand the order of precedence for Group Policy.

[Illustration: Group Policy order of precedence]

While this illustration may be self-explanatory (at least I hope it is) there’s actually more to the story…

What is the order of precedence in an OU hierarchy?

Disabling the Windows 10 First Log-in Animation using Group Policy

If you’re not a fan of the first log-in animation on Windows 10 computers then you can disable this very easily using Group Policy. I decided to test this in my lab as I was curious to see what the first log-in experience would be like after having the animation disabled.

Here’s a quick rundown on how to do this:

  • Create/Open your GPO and browse to Computer Configuration > Policies > Administrative Templates > System > Logon
  • Double-click on Show first sign-in animation and select “Disabled”

If, like me, you’re curious what the first-login experience is like after disabling the animation then I’ve got a before and an after video below for you to check out.

Installing the Windows 10 1511 Group Policy Administrative Templates

The administrative templates for Windows 10 1511 were released by Microsoft a couple of months ago but I only just got round to installing them on my lab domain. Here’s the procedure, if anybody wants to know.

1) To begin with, download the Windows 10 1511 administrative templates from Microsoft and run the installer on your domain controller

2) Make a note of the folder the templates are being installed to. By default this is set to C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Version 1511\

3) Browse to the folder you just installed the administrative templates to. Open the “Policy Definitions” folder.

4) Open a new Explorer window and browse to your domain’s Group Policy Central Store. You can do this from a Run command window – type in the path to your central store in the format of \\Domain.com\SYSVOL\Domain.com\Policies\PolicyDefinitions

5) Copy everything from the “Policy Definitions” folder you opened in step 3 and paste it into your Group Policy central store which you opened in step 4. If you have the Windows 10 RTM admin templates in the central store make sure you replace the files in the destination.

The updated admin templates also include the following brand new templates:

  • AppPrivacy.admx
  • CloudContent.admx
  • FeedbackNotifications.admx
  • WindowsStore.admx
  • WinMaps.admx

The FeedbackNotifications.admx template, for example, provides the following setting:

Computer Configuration > Policies > Administrative Templates > Windows Components > Data Collection and Preview Builds > Do not show feedback notifications

Open a GPO and browse to the above setting to verify the new administrative templates have been installed successfully.
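
The copy in steps 3 to 5 can also be scripted with a rollback copy and a verification pass. This is an added example, not part of the original post: the “PolicyDefinitions” sub-folder name and the C:\GPO-Backup location are assumptions, and Domain.com is the post's placeholder domain.

```powershell
# Added example. Paths follow the post; the "PolicyDefinitions" sub-folder name
# and the backup location are assumptions, so adjust them for your environment.
$Source       = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Version 1511\PolicyDefinitions'
$CentralStore = '\\Domain.com\SYSVOL\Domain.com\Policies\PolicyDefinitions'
$Backup       = "C:\GPO-Backup\PolicyDefinitions-$(Get-Date -Format 'yyyyMMdd-HHmmss')"

# Stop early if either folder is missing rather than creating a stray folder in SYSVOL
foreach ($Path in $Source, $CentralStore) {
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }
}

# Keep a copy of the current central store so the overwrite can be rolled back
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
Copy-Item -Path (Join-Path $CentralStore '*') -Destination $Backup -Recurse -Force

# Copy the .admx files and the language sub-folders (.adml), replacing older versions
Copy-Item -Path (Join-Path $Source '*') -Destination $CentralStore -Recurse -Force

# Confirm the five templates the post lists as new now exist in the central store
$NewTemplates = 'AppPrivacy.admx', 'CloudContent.admx', 'FeedbackNotifications.admx',
                'WindowsStore.admx', 'WinMaps.admx'
$Missing = $NewTemplates | Where-Object {
    -not (Test-Path -LiteralPath (Join-Path $CentralStore $_))
}
if ($Missing) {
    Write-Warning "Missing from central store: $($Missing -join ', ')"
} else {
    Write-Output 'All new 1511 templates are present in the central store.'
}

# Compare hashes so a stale or partially replaced file does not go unnoticed
Get-ChildItem -LiteralPath $Source -Filter *.admx | ForEach-Object {
    $Target = Join-Path $CentralStore $_.Name
    if (-not (Test-Path -LiteralPath $Target)) {
        Write-Warning "Not copied: $($_.Name)"
    } elseif ((Get-FileHash -LiteralPath $_.FullName).Hash -ne (Get-FileHash -LiteralPath $Target).Hash) {
        Write-Warning "Content differs after copy: $($_.Name)"
    }
}
```

Run it from an elevated session with write access to SYSVOL; the central store replicates to the other domain controllers with the rest of SYSVOL.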

Adding Multiple Users to a Group in Active Directory Using PowerShell and CSV

Today I picked up a request from an owner of a shared drive asking for a list of her colleagues to be given access to the drive. This required finding the right group in Active Directory and making each person a member of the group.

With a total of 25 people in the list I knocked up a PowerShell script to make things a little easier for myself. The idea was to import a list of login IDs (sAMAccountNames) from a CSV file and add them to the required group programmatically.

I started with a simple CSV file in Excel as below:

[Image: the CSV file]

And the script itself is only a few lines of code:

# Import the Active Directory module for running AD cmdlets
Import-Module ActiveDirectory

# Store the data from UserList.csv in the $List variable
$List = Import-Csv .\UserList.csv

# Loop through each user in the CSV
ForEach ($User in $List)
{
    # Add the user to the TestGroup1 group in AD
    # (the "username" column holds each sAMAccountName)
    Add-ADGroupMember -Identity TestGroup1 -Members $User.username
}
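
Because group membership here grants access to a shared drive, a variant that checks each account before adding it and keeps a record of every change is worth having. This is an added example, not the author's script: TestGroup1, UserList.csv and the username column come from the post, while the GroupChanges.csv log file and the result layout are assumptions.

```powershell
# Added example. TestGroup1, UserList.csv and the "username" column come from the
# post's script; the GroupChanges.csv log and the result layout are assumptions.
Import-Module ActiveDirectory

$GroupName = 'TestGroup1'
$List      = Import-Csv -Path .\UserList.csv

# Resolve the group once and cache its current direct members
$Group   = Get-ADGroup -Identity $GroupName -ErrorAction Stop
$Current = @(Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName)

$Results = foreach ($Row in $List) {
    $Name = "$($Row.username)".Trim()
    if (-not $Name) { continue }    # skip blank rows

    $Status = 'Added'
    try {
        # Throws if the account does not exist, so typos in the CSV are reported
        $Account = Get-ADUser -Identity $Name -ErrorAction Stop
        if (-not $Account.Enabled) {
            $Status = 'Skipped: account disabled'
        } elseif ($Current -contains $Account.SamAccountName) {
            $Status = 'Skipped: already a member'
        } else {
            Add-ADGroupMember -Identity $Group -Members $Account -ErrorAction Stop
        }
    } catch {
        $Status = "Failed: $($_.Exception.Message)"
    }

    # One record per CSV row, whatever the outcome
    [pscustomobject]@{
        Time     = Get-Date -Format s
        Group    = $GroupName
        Username = $Name
        Status   = $Status
    }
}

# Show the outcome and keep a record of who was granted access and when
$Results | Format-Table -AutoSize
$Results | Export-Csv -Path .\GroupChanges.csv -NoTypeInformation -Append
```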

Delegating Control of an OU in Active Directory – Part 2

In part 1, we used the Delegation of Control Wizard to allow our helpdesk_team group to change the password for users in the “IT_Services” OU, shown below.

[Image: IT_Services OU structure]

We had a delegation scenario where we wanted our helpdesk_team to reset passwords for everyone in “IT_Services” except “Network_Admins”. Delegating the permission on the “IT_Services” OU, however, means the permission will be inherited by the sub-OUs, including “Network_Admins”, which is not what we want, of course.

In this post we will set an Explicit Deny permission on the “Network_Admins” OU to prevent the helpdesk_team group from being able to change the password for users in this OU.

Right-click on the Network_Admins OU and select Properties
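
Once the deny entry is in place, the result can be checked from PowerShell by reading the OU's ACL and comparing the inherited Allow against the explicit Deny. This is an added example, not part of the original post: the OU and group names come from the post, and the DC=domain,DC=com components are placeholders.

```powershell
# Added example: names come from the post, the DC=... components are placeholders.
Import-Module ActiveDirectory   # also provides the AD: drive that Get-Acl reads

$OU    = 'OU=Network_Admins,OU=IT_Services,DC=domain,DC=com'
$Group = 'helpdesk_team'

# rightsGuid values of the two password-related extended rights
$PasswordRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
}

# ACEs on the OU that name the group and one of the password rights
$Aces = @((Get-Acl -Path "AD:\$OU").Access | Where-Object {
    $_.IdentityReference -like "*\$Group" -and
    $PasswordRights.ContainsKey($_.ObjectType.ToString())
})

$Aces | Select-Object @{ n = 'Right'; e = { $PasswordRights[$_.ObjectType.ToString()] } },
    AccessControlType, IsInherited, InheritanceType |
    Format-Table -AutoSize

# Allow inherited from IT_Services versus the Deny set directly on this OU
$InheritedAllow = @($Aces | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IsInherited })
$ExplicitDeny   = @($Aces | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })

foreach ($Ace in $InheritedAllow) {
    $Right   = $PasswordRights[$Ace.ObjectType.ToString()]
    $Blocked = $ExplicitDeny | Where-Object { $_.ObjectType -eq $Ace.ObjectType }
    if ($Blocked) {
        Write-Output "$Right : inherited Allow is overridden by an explicit Deny"
    } else {
        Write-Warning "$Right : inherited Allow has no matching explicit Deny on $OU"
    }
}

# Broader grants (for example Full Control) carry no rightsGuid and are not
# matched by this filter; review those ACEs separately.
```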

Delegating Control of an OU in Active Directory – Part 1

While there’s more than one way to delegate control of an Organisational Unit in Active Directory this post will be looking at the Delegation of Control Wizard for delegation purposes.

(Designing and implementing a strategy for the delegation of administration is not something to be taken lightly; it needs careful planning and consideration and is beyond the scope of this simple two part series aimed at beginners).

I’ll start off with a simple OU delegation scenario to be implemented and then follow it up with how to implement the delegation in Active Directory using the Delegation of Control Wizard. Our scenario also requires us to set an explicit deny permission but that’ll be covered in part 2.

An Example Delegation Scenario

Let’s say we have an IT Services OU in our structure with sub-OUs called Helpdesk, Technicians and Network Admins, as illustrated in the diagram below.

[Image: IT_Services OU structure]

Importing Users into Active Directory from a CSV File Using PowerShell

There are two aspects to this post – first is the CSV file with the user data and then there’s the PowerShell script to import the data into Active Directory. As an example, this how-to post will only set the first name, last name, username and password values for our user objects.

Preparing the CSV file

A template of the CSV file with sample data can be downloaded here (save it with a .csv extension). Here’s what it looks like:

[Image: CSV template]

Populate the CSV file with the user data, making sure you enter the Distinguished Name of the Organisational Unit in the OU field.

Follow these instructions to check the format of an OU’s distinguished name:

  • Launch the Active Directory Users and Computers console
  • Select Advanced Features from the View menu
  • Right click on an OU and select Properties
  • Look for distinguishedName in the Attribute Editor tab

Importing using PowerShell

The PowerShell script is my own work, written by myself. As always, I’ve included comments to explain the code to help understand it better.

Import AD Users Script

Download the PowerShell script and modify it to suit any changes you may have made to the CSV file and save it with a .ps1 extension.

Make sure you have the CSV file and the script in the same directory to begin with. To run the script simply right-click on it and select “Run with PowerShell”. Launch Active Directory Users and Computers console to check if the import was successful.
