Group Policy Order of Precedence FAQ

I’ve had a few queries from friends about group policy since my last post so I thought why not answer these queries here on my blog? And, yes, a few of them were about group precedences, hence this short FAQ.

What is the order of precedence in group policy?

I’ve prepared an illustration which I hope helps explain the order of precedence for Group Policy.


While this illustration may be self-explanatory (at least I hope it is) there’s actually more to the story…

What is the order of precedence in an OU hierarchy?



Disabling the Windows 10 First Log-in Animation using Group Policy

If you’re not a fan of the first log-in animation on Windows 10 computers then you can disable this very easily using Group Policy. I decided to test this in my lab as I was curious to see what the first log-in experience would be like after having the animation disabled.

Here’s a quick rundown on how to do this:

  • Create/Open your GPO and browse to Computer Configuration > Policies > Administrative Templates > System > Logon
  • Double-click on Show first sign-in animation and select “Disabled”


If, like me, you’re curious what the first-login experience is like after disabling the animation, I’ve got a before and an after video below for you to check out.

Installing the Windows 10 1511 Group Policy Administrative Templates

The administrative templates for Windows 10 1511 were released by Microsoft a couple of months ago, but I only just got round to installing them on my lab domain. Here’s how to do it, if anybody wants to know.

1) To begin with, download the Windows 10 1511 administrative templates from Microsoft and run the installer on your domain controller

2) Make a note of the folder it’s being installed to. By default this is C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Version 1511\


3) Browse to the folder you just installed the administrative templates to and open the “Policy Definitions” folder.

4) Open a new Explorer window and browse to your domain’s Group Policy Central Store. You can do this from a Run command window – type in the path to your central store in the format \\<domain FQDN>\SYSVOL\<domain FQDN>\Policies\PolicyDefinitions

5) Copy everything from the “Policy Definitions” folder you opened in step 3 and paste it into the Group Policy central store you opened in step 4. If you already have the Windows 10 RTM admin templates in the central store, make sure you replace the files in the destination.

The updated admin templates also include the following brand new templates:

  • AppPrivacy.admx
  • CloudContent.admx
  • FeedbackNotifications.admx
  • WindowsStore.admx
  • WinMaps.admx

The FeedbackNotifications.admx template, for example, provides the following setting:

Computer Configuration > Policies > Administrative Templates > Windows Components > Data Collection and Preview Builds > Do not show feedback notifications


Open a GPO and browse to the above setting to verify the new administrative templates have been installed successfully.

Adding Multiple Users to a Group in Active Directory Using PowerShell and CSV

Today I picked up a request from an owner of a shared drive asking for a list of her colleagues to be given access to the drive. This required finding the right group in Active Directory and making each person a member of the group.

With a total of 25 people in the list I knocked up a PowerShell script to make things a little easier for myself. The idea was to import a list of login IDs (samAccountNames) from a CSV file and add them to the required group programmatically.

I started with a simple CSV file in Excel as below:


And the script itself is only a few lines of code:

# Import the Active Directory module for running AD cmdlets
Import-Module ActiveDirectory

# Store the data from UserList.csv in the $List variable
$List = Import-Csv .\UserList.csv

# Loop through each user in the CSV
ForEach ($User in $List) {
    # Add the user to the TestGroup1 group in AD (the CSV's "username" column holds the samAccountName)
    Add-ADGroupMember -Identity TestGroup1 -Members $User.username
}

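The same bulk add, as an added example that is not the post’s own script: it resolves each samAccountName first, skips names that don’t exist or are already members, and writes the group once for the whole batch. It assumes the CSV has a “username” column, as in the post, and the RSAT ActiveDirectory module.

```powershell
param(
    [string]$CsvPath   = '.\UserList.csv',
    [string]$GroupName = 'TestGroup1'
)

Import-Module ActiveDirectory

# Resolve the group once, including its current member DNs; a wrong group name fails here.
$group = Get-ADGroup -Identity $GroupName -Properties Members

# Existing members as a lookup table keyed on distinguished name.
$existing = @{}
foreach ($dn in $group.Members) { $existing[$dn] = $true }

$toAdd   = @()
$skipped = @()

foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = "$($row.username)".Trim()
    if (-not $sam) { continue }          # ignore blank rows left in the spreadsheet

    # -Filter returns nothing for an unknown name instead of throwing, and the
    # script-block form avoids building a filter string out of CSV input.
    $user = Get-ADUser -Filter { SamAccountName -eq $sam }
    if (-not $user) {
        $skipped += "$sam (no such account)"
    } elseif ($existing.ContainsKey($user.DistinguishedName)) {
        $skipped += "$sam (already a member)"
    } else {
        $toAdd += $user
    }
}

# One directory write for the whole batch rather than one per user.
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $group -Members $toAdd
}

Write-Output ("Added {0} user(s) to {1}" -f $toAdd.Count, $group.Name)
$skipped | ForEach-Object { Write-Output "Skipped: $_" }
```

The skipped list is worth reading before closing the request: a name that doesn’t resolve is usually a typo in the spreadsheet rather than a missing account.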

Delegating Control of an OU in Active Directory – Part 2

In part 1, we used the Delegation of Control Wizard to allow our helpdesk_team group to reset passwords for users in the “IT_Services” OU, shown below.


We had a delegation scenario where we wanted our helpdesk_team to reset passwords for everyone in “IT_Services” except “Network_Admins”. Having delegated the permission to the “IT_Services” OU, however, means the permission will be inherited by the sub-OUs including “Network_Admins” which is not what we want, of course.

In this post we will set an Explicit Deny permission on the “Network_Admins” OU to prevent the helpdesk_team group from being able to change the password for users in this OU.

Right-click on the Network_Admins OU and select Properties



Delegating Control of an OU in Active Directory – Part 1

While there’s more than one way to delegate control of an Organisational Unit in Active Directory this post will be looking at the Delegation of Control Wizard for delegation purposes.

(Designing and implementing a strategy for the delegation of administration is not something to be taken lightly; it needs careful planning and consideration and is beyond the scope of this simple two-part series aimed at beginners.)

I’ll start off with a simple OU delegation scenario to be implemented and then follow it up with how to implement the delegation in Active Directory using the Delegation of Control Wizard. Our scenario also requires us to set an explicit deny permission but that’ll be covered in part 2.

An Example Delegation Scenario

Let’s say we have an IT Services OU in our structure with sub-OUs called Helpdesk, Technicians and Network Admins, as illustrated in the diagram below.


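A way to check the result of both parts of this series, as an added example rather than anything from the posts: it lists every ACE on the IT_Services OU tree that names helpdesk_team, so you can see the Reset Password allow from part 1 and the explicit deny from part 2 landing on the intended OUs. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and that IT_Services sits directly under the domain root.

```powershell
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$rootOu   = "OU=IT_Services,$domainDn"

# Well-known GUID of the "Reset Password" control access right.
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# IT_Services itself plus every OU beneath it (Subtree includes the base object).
$ous = Get-ADOrganizationalUnit -Filter * -SearchBase $rootOu -SearchScope Subtree

$report = foreach ($ou in $ous) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Only the entries granted to (or denied for) the helpdesk group.
        if ($ace.IdentityReference.Value -notlike '*\helpdesk_team') { continue }
        [pscustomobject]@{
            OU        = $ou.Name
            Type      = $ace.AccessControlType      # Allow or Deny
            Rights    = $ace.ActiveDirectoryRights  # ExtendedRight for Reset Password
            ResetPwd  = ($ace.ObjectType -eq $resetPasswordRight)
            Inherited = $ace.IsInherited            # True = came down from IT_Services
        }
    }
}

$report | Sort-Object OU, Type | Format-Table -AutoSize
```

On Network_Admins you should see both the inherited Allow and a non-inherited Deny for Reset Password; the explicit Deny sits ahead of inherited entries in the ACL, which is why it wins.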

Importing Users into Active Directory from a CSV File Using PowerShell

There are two aspects to this post – first is the CSV file with the user data and then there’s the PowerShell script to import the data into Active Directory. As an example, this how-to post will only set the first name, last name, username and password values for our user objects.

Preparing the CSV file

A template of the CSV file with sample data can be downloaded here (save it with a .csv extension). Here’s what it looks like:

CSV template

Populate the CSV file with the user data, making sure you enter the Distinguished Name of the Organisational Unit in the OU field.

Follow these instructions to check the format of an OU’s distinguished name:

  • Launch the Active Directory Users and Computers console
  • Select Advanced Features from the View menu
  • Right click on an OU and select Properties
  • Look for distinguishedName in the Attribute Editor tab

Importing using PowerShell

The PowerShell script is my own work. As always, I’ve included comments to explain the code and make it easier to follow.

Import AD Users Script

Download the PowerShell script and modify it to suit any changes you may have made to the CSV file and save it with a .ps1 extension.

Make sure you have the CSV file and the script in the same directory to begin with. To run the script simply right-click on it and select “Run with PowerShell”. Launch Active Directory Users and Computers console to check if the import was successful.
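An added example of the import, not the downloadable script from the post: it creates each user with the first name, last name, username and password from the CSV, after checking that the OU’s distinguished name really exists and that the account does not already. It assumes a CSV with the columns FirstName, LastName, Username, Password and OU, and the RSAT ActiveDirectory module.

```powershell
param([string]$CsvPath = '.\Users.csv')

Import-Module ActiveDirectory

$dnsRoot  = (Get-ADDomain).DNSRoot    # used for the UPN suffix
$ouExists = @{}                        # cache so a bad DN is looked up once, not per row

foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = "$($row.Username)".Trim()
    $ou  = "$($row.OU)".Trim()

    # The OU field must be the OU's distinguished name; verify it before creating anything.
    if (-not $ouExists.ContainsKey($ou)) {
        try   { Get-ADOrganizationalUnit -Identity $ou -ErrorAction Stop | Out-Null; $ouExists[$ou] = $true }
        catch { $ouExists[$ou] = $false }
    }
    if (-not $ouExists[$ou]) { Write-Warning "Skipping ${sam}: OU not found: $ou"; continue }

    # Do not touch an account that already exists.
    if (Get-ADUser -Filter { SamAccountName -eq $sam }) { Write-Warning "Skipping ${sam}: already exists"; continue }

    $password = ConvertTo-SecureString -String $row.Password -AsPlainText -Force

    try {
        New-ADUser -SamAccountName $sam `
                   -UserPrincipalName "$sam@$dnsRoot" `
                   -Name "$($row.FirstName) $($row.LastName)" `
                   -GivenName $row.FirstName -Surname $row.LastName `
                   -Path $ou `
                   -AccountPassword $password `
                   -Enabled $true `
                   -ChangePasswordAtLogon $true `
                   -ErrorAction Stop
        Write-Output "Created $sam in $ou"
    } catch {
        # Usually a password that fails the domain policy; report it and carry on with the next row.
        Write-Warning "Failed to create ${sam}: $($_.Exception.Message)"
    }
}
```

Because the CSV holds initial passwords in clear text, the accounts are created with a forced password change at first logon; delete the CSV, or at least its password column, once the import has been verified.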


The OU Structure for

Here’s a look at the Active Directory OU structure I designed for the domain in my lab. As I explained before, it is intended for a fictional university modelled along the lines of my previous workplace.


And here’s the OU structure in Active Directory Users and Computers


The three principles that helped in designing the structure are Group Policy, delegation and object administration.

A few notes with regards to the structure:

  • I came across this really good tip online about creating a master OU in AD and creating the OU structure and sub-OUs below the Master OU, which makes the structure a lot cleaner and easier on the eyes
  • A wide but shallow structure means log on times should be faster due to the fact that fewer group policies will need to be processed as opposed to a deep structure
  • Some OU names have been shortened into abbreviations – SoA, for example, is “School of Arts”
  • The structure supports GPO inheritance
  • It is designed to be flexible – I have only the one server, the domain controller, at the moment, but will expand with NAS and WSUS in future, hence the sub-OUs under Servers
  • Desktops and laptops have been separated into their own OUs to enable me to apply different settings on them without needing WMI scripts/queries to determine the form factor of the computers

Exporting and Importing an OU Structure using LDIFDE.exe

As I explained in a previous post, I had to demote my Active Directory domain at home, which effectively destroyed the domain and the OU structure with it. Fortunately, with a bit of advance planning I managed to retain the structure by exporting it and then importing it into the new domain.

I briefly covered how I did this in that post, but that was more in note form. Hence, I wanted to write a separate quick how-to on the subject, using the ldifde.exe tool for the export and import.

Exporting the OU Structure

ldifde.exe is a simple command-line tool which can export the OU structure to a text file; it needs to be run on the domain controller itself.

As an example, this is what the export command should look like:

ldifde -f c:\ExportOU.ldf -s winserverdc -d "dc=emeneye,dc=co,dc=uk" -p subtree -r "(objectcategory=organizationalUnit)" -l "cn,objectclass,ou"

Change the following in the above example to suit your environment:

  • The location and name of the export file (c:\ExportOU.ldf)
  • The hostname of the domain controller on which the command is being run (winserverdc, the -s value)
  • The domain name (“dc=emeneye,dc=co,dc=uk”)

You can execute the command as a Run Command or in a batch file, which will produce an ExportOU.ldf file (in the root of the C: drive in our example above).

Back up the ExportOU.ldf and store it in a safe place. You’ll need this later on when you’re ready to import the OU structure in a new domain.


Importing the OU Structure

You will need to edit the ExportOU.ldf file before you can import the OU structure in the new domain, as follows.

  • Remove the first entry, which references the domain name. The domain object itself cannot be created by the import, and leaving this entry in will make the import command fail
  • Replace all occurrences of the old domain name with the new domain name

When that’s done you’re ready to import the OU structure in your new domain.

Again, an example of what the import command should look like is provided below:

ldifde -i -f "C:\ExportOU.ldf" -s winserverdc

As before, change the following to suit your environment:

  • The location and name of the export file (C:\ExportOU.ldf)
  • The hostname of the domain controller on which the command is being run (winserverdc)

If all goes well the command will have successfully imported the OU structure in the new domain. Launch the Active Directory Users and Computers console to verify.
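The two edits to the .ldf file described above, done with a script instead of by hand, as an added example that is not from the post: it drops the domain-head record, rewrites the old domain DN suffix, and orders parent OUs before their children so the import cannot trip over a missing parent. It assumes ExportOU.ldf came from the export command above; the new domain DN is a constructed placeholder.

```powershell
param(
    [string]$InPath  = 'C:\ExportOU.ldf',
    [string]$OutPath = 'C:\ImportOU.ldf',
    [string]$OldDn   = 'DC=emeneye,DC=co,DC=uk',
    [string]$NewDn   = 'DC=newdomain,DC=example'   # placeholder: your new domain's DN
)

# ldifde writes one record per object; records are separated by a blank line.
$records = (Get-Content -Path $InPath -Raw) -split '(?:\r?\n){2,}' |
           Where-Object { $_.Trim() }

# Step 1: drop the domain-head entry (dn: DC=...), which cannot be imported.
$escapedOld = [regex]::Escape($OldDn)
$kept = $records | Where-Object { $_ -notmatch "(?im)^dn:\s*$escapedOld\s*$" }
$dropped = $records.Count - $kept.Count
if ($dropped -ne 1) {
    Write-Warning "Expected to drop exactly one domain record, dropped $dropped"
}

# Step 2: rewrite the old domain DN suffix everywhere it appears (dn lines and any references).
$rewritten = $kept | ForEach-Object { $_ -replace "(?i)$escapedOld", $NewDn }

# Safety: parents must precede children or ldifde -i fails on a missing parent.
# Fewer comma-separated components in the dn means higher in the tree.
$ordered = $rewritten | Sort-Object {
    (($_ -split '\r?\n')[0] -replace '^dn:\s*', '').Split(',').Count
}

# ldifde expects records separated by blank lines and a newline after the last one.
# Keep the file in the same (ANSI) encoding the export used unless you exported with -u.
Set-Content -Path $OutPath -Value (($ordered -join "`r`n`r`n") + "`r`n")
Write-Output ("Wrote {0} OU records to {1}" -f $ordered.Count, $OutPath)
```

Open the output file once and confirm the first dn line is an OU under the new domain before running ldifde -i against it.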

Renaming the Active Directory Domain

I believe we learn as much from our mistakes as we do from our conscious learning efforts, if not more. We sometimes end up learning a lot more in the process of putting our mistakes right. This post is about one of those times.

When I initially configured the domain on my network I chose as the domain name. I say “chose”, but I didn’t really give it much thought at the time, which turned into a learning opportunity when I went about renaming the domain.

To provide some brief background, the Active Directory domain in my lab is part of a broader hands-on learning project which includes improving my working knowledge of Active Directory and Windows Server administration. When it came to designing the OU structure I thought it best to use an educational setting as the domain environment to guide my design decisions. My IT support experience has largely been in an educational environment, so I thought it best to stick to what I know best. With that in mind, the in the domain name didn’t seem suitable. So the task at hand was to change the name to