Group Policy Order of Precedence FAQ

I’ve had a few queries from friends about group policy since my last post so I thought why not answer these queries here on my blog? And, yes, a few of them were about group precedences, hence this short FAQ.

What is the order of precedence in group policy?

I’ve prepared an illustration which I hope will help to understand the order of precedence for Group Policy.

gp order 2

While this illustration may be self-explanatory (at least I hope it is) there’s actually more to the story…

What is the order of precedence in an OU hierarchy?

Continue reading


Installing the Windows 10 1511 Group Policy Administrative Templates

The administrative templates for Windows 10 15111 were released by Microsoft a couple of months ago but I only just got round to installing it on my lab domain. Here’s the procedure how to do this, if anybody wants to know.

1) To begin with, download the Windows 10 1511 administrative templates from Microsoft and run the installer on your domain controller

2) Make a note of the folder it’s being installed on. By default this is set to C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Version 1511\


3) Browse to the folder you just installed the administrative templates on. Open the “Policy Definitions” folder.

4) Open a new Explorer window and browse to your domain’s Group Policy Central Store. You can do this from a Run command window – type in the path to your central store in the format of \\\SYSVOL\\Policies\PolicyDefinitions

5) Copy everything from the “Policy Definitions” folder you opened in step 4 and paste it into your Group Policy central store which you opened in step 5. If you have the Windows 10 RTM admin templates in the central store make sure you replace the files in the destination.

The updated admin templates also include the following brand new templates:

  • AppPrivacy.admx
  • CloudContent.admx
  • FeedbackNotifications.admx
  • WindowsStore.admx
  • WinMaps.admx

The FeedbackNotifications.admx template, for example, provides the following setting:

Computer Configuration > Policies > Administrative Templates > Windows Components > Data Collection and Preview Builds > Do not show feedback notifications


Open a GPO and browse to the above setting to verify the new administrative templates have been installed successfully.

Renaming the Active Directory Domain

I believe we learn as much from our mistakes as we do from our conscious learning efforts, if not more. We sometimes end up learning a lot more in the process that ensues to right our wrongs and mistakes. This post is about one of those times.

When I initially configured the domain in my network I chose as the domain name. I say “chose” but I didn’t really give it much thought at the time, which turned into a learning opportunity for me as I went about renaming the domain name.

To provide brief background information, the Active Directory domain in my Lab is part of a broader hands-on learning project which includes improving my working knowledge of Active Directory and Windows server administration. When it came to designing the OU structure I thought it best to use an educational setting as the domain environment to guide my design decisions. My IT support experience has largely been in an educational environment so I thought it best to stick to what I know best. With that in mind, the in the domain name didn’t seem suitable. So the task at hand was to change the name to Continue reading

Combining Snap-ins In A Custom Console

Having installed Active Directory, WDS, and MDT 2012 on my server, one of the first things I done was to build my own custom console combining a few frequently used snap-ins for easier access. With this to hand I won’t have to go back and forth between Deployment Workbench and Windows Deployment Services when I’m working with MDT 2012, for example.

Here’s a look at my console:


As you can see I have combined quite a few snap-ins in my console, which corresponds to my learning objectives for this project. I will elaborate more on this sometime real soon as I feel this subject needs a dedicated post of its own.

Update 2: MDT 2010 and Windows Server 2008 R2

As promised here’s an update on what I’ve been getting up to with MDT 2010, starting from the basic first:

  • Deploy Windows 7 DVD image to client PC’s
  • Create Task Sequence to capture reference image
  • Hide the Deployment Wizard panes using customsettings.ini
  • Import drivers into MDT 2010, organising into a directory structure based on manufacturer and model
  • Deploy reference image, injecting drivers based on PC model
  • Set a default profile for users by copying the Administrator profile on the unattend.xml file associated with the deploy task sequence

I wasn’t content with deploying Windows 7 to standalone PC’s so I  decided to take this a step further. With an Active Directory domain already set up beforehand, I delved into deploying Windows 7 in a domain environment:

  • Retaining the same hostname on client machines as set in Active Directory during deployment (by creating a MDT database in SQL Server 2008)
  • Joining client PC’s to the domain as part of the deployment process and making sure they stay in the same OU
  • Allowing a group of Active Directory admin users to undertake deployment duties. This was done by making the users a member of a security group I called “DeploymentAdmins” and giving the group security permissions to the deployment share. This allows the group members to authenticate themselves in the Deployment Wizard login.

It’s been great fun working with MDT 2010 and especially exploring some of the advanced deployment scenarios using the MDT database. I’ve been updating some documentation on the work I’ve been doing with the intention to adapt them into blog posts some time in the future. I will be coming up with these soon but, unlike my previous how to posts, they won’t be step by step instructions. I find writing these instructions take up too much of my time so I’ll take a different approach with the new posts from here on.

I would now like to spend some time with Active Directory. Actually, I’ve already started working on designing and implementing my domain. I’ll elaborate more in a new blog post soon.

Quick Fix: MMC Has Detected An Error In A Snap-in And Will Unload It

I wrote a post only a few days ago how I combined a few MMC snap-ins in a console for easier access in one place. Well, today I started experiencing a problem where an error message such as the one produced below would randomly pop up while using the console.


A quick search on Google seemed to suggest this problem does not affect 32-bit snap-ins and so with that in mind I used a Run command to launch the console with 32-bit snap-ins. And sure enough 32-bit snap-ins works just fine and I haven’t seen that error pop up again. I then opted to create a shortcut on my desktop to launch the console instead.

Here’s what I used for the shortcut:

mmc.exe "%systemdrive%:\Users\%username%\Desktop\Server Management Console.msc" /32

It’s more a workaround than a fix but hey, it works!

Quick Fix: DHCP Server Role Fails To Install With Error Code 0x800706BE

I came across this problem while installing the DHCP server role on my Windows Server 2008 VM on my ESXi host. I was preoccupied with trying to fix this that the thought of writing about it didn’t come to mind hence I never took a screenshot of the error message. I can’t remember exactly what the error message said (something about RPC call having failed) but I do have the error code – 0x800706be.

I found a fix in a TechNet forum which I thought would be useful to post here for anyone who experiences the exact same problem. So here’s the fix:

  • Stop the wuauserv and Cryptsvc services (Windows Automatic Update Services and Cryptographic Services)
  • Delete the DataStore directory in C:\Windows\SoftwareDistribution\
  • Rename C:\Windows\system32\catroot2 to catroot2.old
  • Restart the wuauserv and Cryptsvc services

Alternatively for a one-click fix simply copy the following commands in a batch file and run it on your server.

net stop wuauserv
net stop Cryptsvc
cd /d %windir%\SoftwareDistribution
rd /s /q DataStore
ren %windir%\system32\catroot2 catroot2.old
net start wuauserv
net start Cryptsvc

After a quick reboot you should find the DHCP server role installs just fine. Hope someone somewhere finds this useful. PS. I can only vouch that this fix will work if you had the error code while attempting to install the DHCP server role (which was what happened in my case). Having trawled through the various forums looking for this fix it seems other people have come across the same error code but in different situations.

Installing and Configuring MDT 2010 From Start To Finish

This post is intended as a guide for anyone who wants to install MDT 2010 along with Windows Deployment Services on a Windows Server 2008 R2 machine in a home network.

As a ‘start to finish’ guide I will base this on a freshly installed Windows Server 2008 R2 installation and begin with installing AD Domain Services, DNS and DHCP  server roles before moving onto WDS  and installing and configuring MDT 2010. All on the same server.

Important: You need to configure a static IP address on your server and also make sure the the DNS server address is pointing to your server’s IP address (i.e. DNS server address should be the same as the static IP address you assigned to the server) . This will allow the installation wizard to install the DNS server along with the Active Directory Domain Services role on the same server.

I’ve broken down the entire process into several steps and provided the instructions for each step in PowerPoint slides. I’m purposely skipping the instructions on installing the server OS (which is no different to installing Windows 7) since I want to concentrate on the WDS and MDT side of things.

1 – Install the Active Directory Domain Services and DNS Server roles

The process of installing the Active Directory Domain Services role will also install the DNS server role as one process.

2 – Install the DHCP Server role

You may have a broadband router which provides DHCP services but you will still have to install the DHCP server role on your server.

3 – Install the WDS Role

After having installed the prerequisites (AD DS, DHCP and DNS) the next step is to install and configure the WDS role.

4 – Install MDT 2010

The final instructions here will install MDT 2010 and configure a deployment share, add a PXE-boot image and enable the multicast feature.

I hope this comes in use to someone.

Installing Active Directory on Windows Server 2008 R2

I’ve put together a couple of how-to instructions intended as a guide to install Active Directory on a Windows Server 2008 R2 server from scratch – that is installing a first domain in a new forest.

Make sure you have a static IP address on your server machine before proceeding with these instructions.

Part 2 – Installing and Configuring a DHCP Server

The first part is to install the Active Directory Doman Services role, and to then promote the server to a Domain Controller. This ‘promotion’ phase is where you actually install configure an Active domain along with a DNS server. You can’t continue with installing an Active Directory domain without a compatible DNS server. Since we’re starting from scratch we don’t have a DNS server (one that is compatible with Active Directory), we get to install both in one step.

The second part will install the DHCP server role on the Domain Controller and configure a DHCP scope, i.e. the range of IP addresses the server will lease to clients connected to your network.

Update: Moving onto MDT 2010 and Windows Server 2008 R2

I thought now’s a good time to provide an update on exploring my interests in Windows Deployment.

So, I started from the ground up with the WAIK and experimenting with unattended.xml and Sysyprep, with the intention to get a good foundation of the tools Microsoft Deployment Toolkit was built upon before moving onto MDT 2010. I spent a lot of time with building unattend.xml answer files using Windows SIM, Sysprep’ing computers, Windows PE, DISM and imagex,

Here are a few links to some of the posts I’ve written on the subject:

I recently installed MDT 2010 on an evaluation version of Windows Server 2008 R2 with a WDS role. (Of course that included installing and configuring Active Directory, DNS and DHCP server roles since they are pre-requisites to installing WDS).

I want to concentrate more on MDT 2010 than writing instructions from here on. I’ll update again with my progress with in due course.

Windows Server 2008 R2 installed on VMware Player