Group Policy Order of Precedence FAQ

I’ve had a few queries from friends about group policy since my last post so I thought why not answer these queries here on my blog? And, yes, a few of them were about group precedences, hence this short FAQ.

What is the order of precedence in group policy?

I’ve prepared an illustration which I hope will help to understand the order of precedence for Group Policy.


While this illustration may be self-explanatory (at least I hope it is) there’s actually more to the story…

What is the order of precedence in an OU hierarchy?


Installing the Windows 10 1511 Group Policy Administrative Templates

The administrative templates for Windows 10 1511 were released by Microsoft a couple of months ago but I only just got round to installing them on my lab domain. Here’s the procedure for doing this, if anybody wants to know.

1) To begin with, download the Windows 10 1511 administrative templates from Microsoft and run the installer on your domain controller

2) Make a note of the folder it’s being installed to. By default this is set to C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Version 1511\


3) Browse to the folder you just installed the administrative templates on. Open the “Policy Definitions” folder.

4) Open a new Explorer window and browse to your domain’s Group Policy Central Store. You can do this from a Run command window – type in the path to your central store in the format of \\Domain.com\SYSVOL\Domain.com\Policies\PolicyDefinitions

5) Copy everything from the “Policy Definitions” folder you opened in step 3 and paste it into your Group Policy central store which you opened in step 4. If you have the Windows 10 RTM admin templates in the central store make sure you replace the files in the destination.

The updated admin templates also include the following brand new templates:

  • AppPrivacy.admx
  • CloudContent.admx
  • FeedbackNotifications.admx
  • WindowsStore.admx
  • WinMaps.admx

The FeedbackNotifications.admx template, for example, provides the following setting:

Computer Configuration > Policies > Administrative Templates > Windows Components > Data Collection and Preview Builds > Do not show feedback notifications


Open a GPO and browse to the above setting to verify the new administrative templates have been installed successfully.
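
Steps 3 to 5 and the verification can also be scripted. The following PowerShell is an added example, not part of the original post: it backs up the central store before overwriting it, then checks that the new templates arrived and match the source. It assumes the definitions folder is named PolicyDefinitions on disk, that $env:USERDNSDOMAIN is the target domain, a hypothetical backup folder C:\GPO-Backup, and PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not from the original post). Run elevated on a host with
# write access to SYSVOL, e.g. the domain controller used in step 1.
$InstallDir = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Version 1511'
$Source = Join-Path $InstallDir 'PolicyDefinitions'  # assumption: confirm folder name on disk
$Domain = $env:USERDNSDOMAIN                         # assumption: target domain = logon domain
$Store  = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$Backup = "C:\GPO-Backup\PolicyDefinitions-$(Get-Date -Format 'yyyyMMdd-HHmmss')"  # hypothetical path

foreach ($p in $Source, $Store) {
    if (-not (Test-Path $p)) { throw "Folder not found: $p" }
}

# The central store replicates to every DC, so keep a rollback copy first.
New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null
Copy-Item -Path $Store -Destination $Backup -Recurse

# Copy .admx files plus the language subfolders (.adml), overwriting older versions.
robocopy $Source $Store *.admx *.adml /E /R:2 /W:5 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Check that the templates new in 1511 (listed in the post) arrived.
$new = 'AppPrivacy.admx', 'CloudContent.admx', 'FeedbackNotifications.admx',
       'WindowsStore.admx', 'WinMaps.admx'
$missing = $new | Where-Object { -not (Test-Path (Join-Path $Store $_)) }
if ($missing) { Write-Warning "Missing from central store: $($missing -join ', ')" }

# Compare hashes so stale or partially replaced files are caught.
$stale = Get-ChildItem $Source -Filter *.admx | Where-Object {
    $dst = Join-Path $Store $_.Name
    -not (Test-Path $dst) -or
        (Get-FileHash $_.FullName).Hash -ne (Get-FileHash $dst).Hash
}
if ($stale) { Write-Warning "Differs from source: $($stale.Name -join ', ')" }
if (-not $missing -and -not $stale) { "Central store matches $Source" }
```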

Renaming the Active Directory Domain

I believe we learn as much from our mistakes as we do from our conscious learning efforts, if not more. We sometimes end up learning a lot more in the process that ensues to right our wrongs and mistakes. This post is about one of those times.

When I initially configured the domain in my network I chose emeneye.co.uk as the domain name. I say “chose” but I didn’t really give it much thought at the time, which turned into a learning opportunity for me as I went about renaming the domain name.

To provide brief background information, the Active Directory domain in my Lab is part of a broader hands-on learning project which includes improving my working knowledge of Active Directory and Windows server administration. When it came to designing the OU structure I thought it best to use an educational setting as the domain environment to guide my design decisions. My IT support experience has largely been in an educational environment so I thought it best to stick to what I know best. With that in mind, the .co.uk in the domain name didn’t seem suitable. So the task at hand was to change the name to emeneye.ac.uk.

Combining Snap-ins In A Custom Console

Having installed Active Directory, WDS, and MDT 2012 on my server, one of the first things I did was to build my own custom console combining a few frequently used snap-ins for easier access. With this to hand I won’t have to go back and forth between Deployment Workbench and Windows Deployment Services when I’m working with MDT 2012, for example.

Here’s a look at my console:


As you can see I have combined quite a few snap-ins in my console, which corresponds to my learning objectives for this project. I will elaborate more on this sometime real soon as I feel this subject needs a dedicated post of its own.

Update 2: MDT 2010 and Windows Server 2008 R2

As promised here’s an update on what I’ve been getting up to with MDT 2010, starting with the basics first:

  • Deploy Windows 7 DVD image to client PCs
  • Create Task Sequence to capture reference image
  • Hide the Deployment Wizard panes using customsettings.ini
  • Import drivers into MDT 2010, organising into a directory structure based on manufacturer and model
  • Deploy reference image, injecting drivers based on PC model
  • Set a default profile for users by copying the Administrator profile on the unattend.xml file associated with the deploy task sequence

I wasn’t content with deploying Windows 7 to standalone PCs so I decided to take this a step further. With an Active Directory domain already set up beforehand, I delved into deploying Windows 7 in a domain environment:

  • Retaining the same hostname on client machines as set in Active Directory during deployment (by creating an MDT database in SQL Server 2008)
  • Joining client PCs to the domain as part of the deployment process and making sure they stay in the same OU
  • Allowing a group of Active Directory admin users to undertake deployment duties. This was done by making the users a member of a security group I called “DeploymentAdmins” and giving the group security permissions to the deployment share. This allows the group members to authenticate themselves in the Deployment Wizard login.

It’s been great fun working with MDT 2010 and especially exploring some of the advanced deployment scenarios using the MDT database. I’ve been updating some documentation on the work I’ve been doing with the intention to adapt it into blog posts some time in the future. I will be coming up with these soon but, unlike my previous how-to posts, they won’t be step-by-step instructions. I find writing these instructions takes up too much of my time so I’ll take a different approach with the new posts from here on.

I would now like to spend some time with Active Directory. Actually, I’ve already started working on designing and implementing my domain. I’ll elaborate more in a new blog post soon.

Quick Fix: MMC Has Detected An Error In A Snap-in And Will Unload It

I wrote a post only a few days ago about how I combined a few MMC snap-ins in a console for easier access in one place. Well, today I started experiencing a problem where an error message such as the one reproduced below would randomly pop up while using the console.


A quick search on Google seemed to suggest this problem does not affect 32-bit snap-ins and so with that in mind I used a Run command to launch the console with 32-bit snap-ins. And sure enough 32-bit snap-ins work just fine and I haven’t seen that error pop up again. I then opted to create a shortcut on my desktop to launch the console instead.

Here’s what I used for the shortcut:

mmc.exe "%systemdrive%\Users\%username%\Desktop\Server Management Console.msc" /32

It’s more a workaround than a fix but hey, it works!

Quick Fix: DHCP Server Role Fails To Install With Error Code 0x800706BE

I came across this problem while installing the DHCP server role on my Windows Server 2008 VM on my ESXi host. I was so preoccupied with trying to fix this that the thought of writing about it didn’t come to mind, hence I never took a screenshot of the error message. I can’t remember exactly what the error message said (something about an RPC call having failed) but I do have the error code – 0x800706be.

I found a fix in a TechNet forum which I thought would be useful to post here for anyone who experiences the exact same problem. So here’s the fix:

  • Stop the wuauserv and Cryptsvc services (Windows Automatic Update Services and Cryptographic Services)
  • Delete the DataStore directory in C:\Windows\SoftwareDistribution\
  • Rename C:\Windows\system32\catroot2 to catroot2.old
  • Restart the wuauserv and Cryptsvc services

Alternatively for a one-click fix simply copy the following commands in a batch file and run it on your server.

net stop wuauserv
net stop Cryptsvc
cd /d %windir%\SoftwareDistribution
rd /s /q DataStore
ren %windir%\system32\catroot2 catroot2.old
net start wuauserv
net start Cryptsvc

After a quick reboot you should find the DHCP server role installs just fine. Hope someone somewhere finds this useful. PS. I can only vouch that this fix will work if you had the error code while attempting to install the DHCP server role (which was what happened in my case). Having trawled through the various forums looking for this fix it seems other people have come across the same error code but in different situations.