Upgrading Active Directory for Windows 10 Clients

I started seriously working with active directory (AD) about 3 years ago and before that I had light to moderate exposure and experience in working with a Windows 2000 AD doing basic tasks such as creating users, managing permissions, associating email, etc.  After a series of issues, internal security audits I started looking into how to fix some of our issues that had started showing up such as long user login times and failed/inaccessible folders and profiles.  After researching the issues and errors in the logs, I got a process in place on how to convert roaming users into users that use redirected folders.  I also changed the security definitions and split up a large DFS share into smaller shares with more finite permissions then what we had before.

You can check out my post on how to migrate users from roaming profiles to redirected folders.  I highly recommend doing this before migrating to Windows 10, it will make you life a lot easier.  The changes improved access for our users, made confidential documents more secure, and as a by-product this helped prepare us for moving our Windows 7 clients to Windows 10.  What this post will do is explain what is required to prepare your AD for Windows 10, add Windows 10 Client Templates to your AD, Convert any roaming users to using redirected folders, Customize the Windows 10 startmenu without affecting the same user profiles if they use a Windows 7 machine.

Background:

This is a Department based Active Directory running on a domain level 2008R2.  It was updated from an NT4 domain level to work with exchange 2010 but exchange was never implemented and we moved to a cloud based email hosting provider.

All of the Active Directory Users and Computers are setup in to Organizational Units (OUs) called Users and the other is called Computers  This has been updated now to the following structure

For the purposes of this post we will break them down as such:

Domain -> Location -> Department

1. Human Resources (HR)
   -Win10
2. Information Technology (IT)
   -Win10
3. Customer Service 1 (CS1)
   -Win10
4. Customer Service 2 (CS2)
   -Win10
5. Customer Service 3 (CS3)
   -Win10
6. Laptop Users (LU)
   -Win10
7. Purchasing and Receiving (PR)
   -Win10
8. Board Members (BM)
   -Win10
9. New Users (NU)
   -Win10
10. Test OU (TOU)
    -Win10

Now this is a pretty basic AD, but it is inherited.  It was setup on a Windows NT 4 base, and was upgraded the Domain functional level to server 2008R2 to accommodate an exchange server which never materialized.  For the sake of our Windows 10 migration all users are going to be converted from Roaming Profiles to redirected folders for network and server/client performance.  We have also made changes to the security groups which now allows for more granular access for shares and permissions for files.

Active Directory Domain Level Confirmation

To check your domain functional level go to Start -> Administrative Tools -> Active Directory Domains and Trusts - Launch Program

Active Directory Domains and Trusts

Right click on the domain (domain.ca) in this case and get properties

You can also get this information by using the following powershell script:


Get-ADDomain | select domainMode, DistinguishedName

So now we have verified our Functional Domain Level as Server 2008R2, The minimal Active Directory Functional Level is Server 2003 or later.


CanITPro has a great post from 2015 about this so I definitely recommend that you go though the post https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/


Windows 10 Templates for AD
https://www.microsoft.com/en-us/download/details.aspx?id=48257

Templates for 1607 and server 2016
https://www.microsoft.com/en-us/download/details.aspx?id=53430

Templates for 1709
https://www.microsoft.com/en-gb/download/details.aspx?id=56121

To install the active directory administrative templates please refer to my YouTube Video

To get our AD ready for a windows 10 client we have to add a few administrative templates to our active directory and according to the technet blog post they recommend putting it in the root of the policies folder like so \\domain.com\SYSVOL\domain.com\policies

Windows 10 Administrative Templates

Now that we have our Windows 10 templates installed and activated for the Active Directory, there are a couple of things to keep in mind.

• Limiting/Disabling the store only workings for Windows 8 Pro, Windows 8 Enterprise, Windows 10 Education and Windows 10 Enterprise.  You can not limit or disable the store though the group policy setting for Windows 10 Pro
• Removing all Universal Windows apps from everyone's profile is not an option.  There are some UWA we want staff to use such as the calculator and edge
• We need to have the AD setup to run both Windows 10 users and Windows 7 users side by side while we migrate users and machines.
• We want a customized start menu for windows 10 with standardized apps

Active Directory User/Computer Structure:

Upgrading and Migrating Windows 7 clients to Windows 10 and Active Directory changes

As you likely have found the Group Policy to disable the Windows Store (see below) only works with Windows 8 Pro and Enterprise , and Windows 10 Enterprise and Education.  This means it does NOT work on Windows 10 Pro, which is super annoying.

Below is a list of the Active Directory Templates that only affect Education and Enterprise versions of Windows 10.  A good example is turning Turn off the Store application, if you want to restrict access to the store enabling this will not work if your not using these versions of Windows 10.

https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions

USER CONFIGURATION > ADMINISTRATIVE TEMPLATES > WINDOWS COMPONENTS > STORE  > TURN OFF THE STORE APPLICATION

The insane suggestion I had received from another administrator was to “simply” delete the STORE application files from every profile on every PC and then hope that Microsoft does not update the STORE in the future; which would reinstall it.  I found a way to disable the Windows Store using The Active Directory Software Restriction Policy.

COMPUTER CONFIGURATION > POLICIES > WINDOWS SETTINGS > SECURITY SETTINGS > SOFTWARE RESTRICTION POLICIES >

At this point you will likely have to right click and select NEW or CREATE to populate this GPO.

The following will Disable the Windows Store and Xbox UWA.

> ADDITIONAL RULES  > right click and create a rule that disallows %programfiles%\WindowsApps\Microsoft.WindowsStore*
> ADDITIONAL RULES  > right click and create a rule that disallows %programfiles%\WindowsApps\Microsoft.Xbox*

It is VERY important to use the ‘*’ wildcard in this path because Microsoft will change the path as they may update the STORE application over the coming years.  In the OU where I have the Windows 7 Settings I created another OU called Win10 where I have the following GP applied to users and computers.


Additional Active Directory Settings for Windows 10

Folder Redirection:
All Folders must be specified with pathing.  You can no longer use the “Follow Documents Folder” setting as it doesn’t sync you photos, music and videos.  For some reason it doesn't default to the network pathing instead uses the local computer where under Windows 7 it did follow the proper network pathing.

Windows 7 Pathing

AppDATA = \\Domain\dfs\$DATA

DESKTOP = \\Domain\dfs\$DATA

Documents = \\Domain\dfs\$DATA

Pictures | Music | Video = Follow Documents Folder

Favorites = \\Domain\dfs\$DATA

Contacts = \\Domain\dfs\$DATA

Downloads = \\Domain\dfs\$DATA

Links = Not Configured

Searches = \\Domain\dfs\$DATA

Windows 10 Pathing

AppDATA = \\Domain\dfs\$DATA

DESKTOP = \\Domain\dfs\$DATA

Documents = \\Domain\dfs\$DATA (I am using this pathing for Pictures, Music, Video)

Pictures = \\Domain\dfs\$DATA OR \\Domain\dfs\$DATA\%username%\Documents\

Music =\\Domain\dfs\$DATA OR \\Domain\dfs\$DATA\%username%\Documents\

Video = \\Domain\dfs\$DATA OR \\Domain\dfs\$DATA\%username%\Documents\

Favorites = \\Domain\dfs\$DATA

Contacts = \\Domain\dfs\$DATA

Downloads = \\Domain\dfs\$DATA

Links = Not Configured

Searches = \\Domain\dfs\$DATA

User Configuration:

Do not automatically make all redirected folders available offline | Disabled
Do not automatically make specific redirected folders available offline | Disabled
Turn off toast notifications on the lockscreen | Enable
Turn off tile notifications | Enable
Turn off toast notifications | Enable
Add Search Internet link to start menu | Disabled
List desktop apps first in the apps view | Enable
Search just apps from the Apps view | Enable
Force Start to be either full screen size or menu size | Enable | Value=Start menu
Clear tile notifications during log on | Enabled
Remove the people bar from the taskbar | Enable
Turn off notification area cleanup | enabled
Remove Games link from Start Menu | enabled
Remove all programs list from the start menu | enabled | Value=collapse

*NOTE THIS WILL REMOVE THE ALL PROGRAMS MENU FROM WINDOWS 7.  ENABLE CLIENT MIGRATIONS TO WINDOWS 10 IS COMPLETE*

Remove the “undock pc” button from the start menu | enabled
Add the run command to the start menu | enabled
Remove Notifications and Action Center | enabled
Turn off feature advertisement balloon notifications | enabled
Do not allow pinning Store app to the Taskbar | enabled
Turn off automatic promotion of notification icons to the taskbar | enabled
Show Windows Store apps on the taskbar | disabled
Turn off access to the Store | enabled
Allow Telemetry | Disabled
Turn off desktop gadgets | enabled
Finance | Disabled
Games | Disabled
Maps | Disabled
Music | Disabled
News | Disabled
Reader | Disabled
Sports | Disabled
Travel | Disabled
Video | Disabled
Weather | Disabled
Turn off the offer to update to the latest version of windows | Enabled
Turn off the store application | enabled
Only display the private store within the windows store app | Enabled

Computer Configuration:

Allow Cloud Search | Disabled
Allow Cortana | Disabled
Allow Cortana above lock screen | Disabled
Only Display the private store within the Windows Store App | enable
Start Layout | Enabled
Path = \\domain\sysvol\domain\startmenu\startlayout.xml
Turn off Microsoft Consumer Experiences | enabled
Turn off the store application | enabled
Disable all apps from Windows Store | enable

Windows Settings -> Security Settings -> Software Rules -> Additional Rules -> Set this to disallow
%programfiles%\WindowsApps\Microsoft.Camera*
%programfiles%\WindowsApps\Microsoft.People*
%programfiles%\WindowsApps\Microsoft.WindowsStore*
%programfiles%\WindowsApps\Microsoft.Xbox*
%programfiles%\WindowsApps\Microsoft.BingWeather*
%programfiles%\WindowsApps\Microsoft.WindowsMaps*

***STARTMENU LAYOUT***

**NOTE:  If you don't apply your GP properly you will have to delete the local account to get the startmenu to show up how you want it to.  The user could end up with a bunch of Windows 10 Games loaded on their start menu instead of the nice clean one we have made.

<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="APPS">

<start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\Notepad++\notepad++.exe" Size="2x2" Column="0" Row="0"/>
<start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Size="2x2" Column="2" Row="0"/>
<start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\Mozilla Firefox\firefox.exe" Size="2x2" Column="0" Row="2"/>
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<start:Tile Size="2x2" Column="2" Row="2" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" Size="2x2" Column="4" Row="2"/>
<start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" Size="2x2" Column="0" Row="4"/>
<start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\Microsoft Office\Office16\WINWORD.exe" Size="2x2" Column="2" Row="4"/>
<start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\Microsoft Office\Office16\EXCEL.exe" Size="2x2" Column="4" Row="4"/>
<start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\Microsoft Office\Office16\POWERPNT.exe" Size="2x2" Column="0" Row="6"/>
<start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\Microsoft Office\Office16\MSPUB.exe" Size="2x2" Column="2" Row="6"/>
<start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\paint.net\PaintDotNet.exe" Size="2x2" Column="4" Row="6"/>
<start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe" Size="2x2" Column="0" Row="8"/>

</start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>

</LayoutModificationTemplate>

Windows 10 Start Menu with a proper GP applied

Now thanks to the redirected folders, profiles load fast, and syncing issues have all but disappeared.  Redirected folders also made the migration to Windows 10 from Windows 7 relatively trivial and painless.  After deploying the image the user logs in everything is there, now there is some confusion with the pictures, music and video folders because of the pathing change we made from Windows 7 to Windows 10 because of the "Follow Documents" GP which did not seem to be followed in testing.  All the users files are there and they just need to be told where to look.  I have only had an issue with 2 machines out of 12 since deployment, and one had to do with a USB device and the other a power save setting.

How to deploy Windows 10 with WDS from Windows 7

This is a tutorial on how to deploy Windows 10 on clients that were running windows 7 using WDS. Though there are no specifics on how I made the image in this post rest assured that post is coming. This process should be pretty similar on any system that was running Windows 7 and has UEFI capabilities. I have not had time to investigate doing a unattended.xml file to more automate the process but it is at the point where I will spend as much time looking into how to set it up with an unattended file as it would be to just run the install. This process takes about 30 minutes per machine to install, and you can do a bunch at once if you want. I've done up to 4 at a time, but that is due to user scheduling and verification of the process then it is just not doing many clients at once.

When you go to install Windows 10 from windows 7 you need to disable the CSM (Compatibility Support Module) that allows you to boot to a legacy OS. You will also want to enable pxe boot and make sure it is enabled for IPV4/IPV6 which ever you happen to be using. On this system pressing F1 when the system is booting up will get you into the bios.

System Bios

While the system reboots pressing F12 will bring up boot options - select the network boot option, select the network adapter and hit enter.

WDS Boot Image

When correctly setup you will see a network boot screen with the IP of the WDS server as shown above. If there is more then one image and boot image enabled you will be given a list of images to boot off of and deploy.

When we are booted we are prompted for our language and location.






Sign in with a DOMAIN administrator username and password then you will be prompted with selecting the image you want to install (In this case WIN_MASTER_WMI).  This is so you can get the image from the WDS Server








It is best if you delete all partitions and allow WDS to format the entire drive, once done the install takes about 20 minutes on our 1 Gpbs Network. 

After the install you will be prompted to do a few finishing touches

Select your keyboard layout

Select if you want a second keyboard layout

Accept the terms of use

Setup for an orgainziation

Continue on following the prompts.

Create a local user account

Create a password for the local account

Add a password hint for your account

Disable Cortana

Select your privacy settings

In the setup I have decided to Disable cortana; my group policy also has it disabled so it is just a quick easy thing and no additional customization is required.

I typically use the following credentials for creating the local user

Username: $yourlocaladmin
Password: $yourpassword
Hint: I like using a phrase like "local password"

Windows 10 Desktop as configured in the image with no Group policy

Now a couple of house cleaning items. It is easiest if you do this logged in as the local admin you created and change the name of the machine to what you need it to be. Continue to work in the local administrator account until you have moved the computer into the proper windows 10 OU and have updated the the group policy settings on the server and the client.

Activate Windows 10

Open Explorer -> Right Click on This PC -> Properties -> Select Change Key and input your windows 10 key:

Activate Office 2016

Open Word or another office program, Select the Install Updates Only Option and accept -> Create a document then under File -> Account -> Change Product Key and input the key.

Office 2016 Activation Screen

Install your vendor specific system software (if required) I like loading the auto detection for registering the device and the vendor system update app.  I then run the system update to get any drivers that might have been updated after the image was created.

Then log into your active directory server and move your new Windows 10 machine into your Windows 10 OU.  After moving the computer into the Proper OU under the Win10 OU in AD and perform a gpupdate on the server and the client.

I typically have a test user I login as $TestUser to verify AD Settings such as the startmenu. If confirmed.  If properly deployed your Windows 10 system could look like this when finished with a customer start menu.  An interesting thing to note is that once you have deployed with WDS and activated your Windows 10 you won't have to reactive the system again.  Your activation is tracked by your WDS Server.

Windows 10 System with Customized Startmenu and restricted universal apps

Converting Roaming Users To Redirected Folders

How to convert roaming users to redirected folders in active directory

Particular users in an active directory environment were have long login times anywhere between 5 - 15 minutes.  While troubleshooting this issue, from the server to the client, switches, cables, and network cards were all replaces with no success.  Upon further investigation the common thing that the users having the logon issues had in common were large profiles.  This AD environment was already in place and setup with roaming user profiles which when get to large cause issues much like long login times and file syncing issues.  To mitigate these issues I determined that a conversion to redirected folders was in order to resolve the issues.

Now depending on your companies data policies, the clients technical level, what is wanted or required by the client and level of trust given to you this can be easy or hard.  The scope of the project I was working on needed to include the transfer of the user data from the roaming profile to the new redirected folder setup.

There are really 2 ways to transfer the data.

1. The administrator could move/migrate the user data after the new redirected user directories are created.  (Still involves users backing up bookmarks, some files from 3rd party apps like firefox)
2. The user can backup and restore their files.

The organization I was working with chose to go with option 1.  They are small and some extra time can be used to verify redirected folder policy and data verification.  Users were required to backed up Firefox, Chrome and other third party app data into a backup folder in their directories folder the day the notice that their data migration would be.  The data migration would be the next day and they got what their new password would be.  This was done to ensure AD properly applied the redirected folders policy.

Example of Notice:

Hi $USER,

To ensure the best and most efficient working experience possible, the IT has been working on improving our infrastructure and it required us make some changes with how your login profile works.  We would like to make the changes to your profile $DATE after hours so this will be in effect for $DATE2.

Please feel free to contact IT services by email, phone or chat with any issue or concerns you might have regarding IT.

Your username has remained the same but your new temporary password will be $NEW_TEMP_PASSWORD

To login to a staff computer, login as you normally would but put in your new temporary password $NEW_TEMP_PASSWORD.  Then you will be prompted to change your password; before you are able to continue

To login a staff computer:

your username is $USER or $USER@DOMAIN.CA your password is $NEW_TEMP_PASSWORD

After your first login, you will be prompted to change your password.

You can change your password any time by pressing ctrl + alt + del on your keyboard and select "change password".

Converting Roaming users to Redirected Folders

This part is easy, the trick is doing it and allowing the users to keep access to their data.  Now at least in this situation our roaming users paths are in two places in AD.

Location 1 for the data is \\servername\data\$user
Location 2 for the profile: \\servername\profile\$user

Now if the server goes down that kinda makes using the DFS in AD useless.  So we want the redirected folder to use a local based profile, and point to the domain for the user pathing so that if the server does go down it uses DFS until the server comes back online.

The profile path is easier to fix, you right click on the user and get the Properties, here we want to blank the profile path.  Also make sure you remove any AD settings that move the users data to another place other then where you want it to be.

Once we reset the user profile path.

So we reset the user.  Remove the pathing for the profile and the data directory because we have already set our pathing in our ad settings to avoid conflicts.  To have more control of our ad setting I created additional OUs to apply AD settings per department.

The OU layout is setup as follows

1. Human Resources (HR)
2. Information Technology (IT)
3. Customer Service 1 (CS1)
4. Customer Service 2 (CS2)
5. Customer Service 3 (CS3)
6. Laptop Users (LU)
7. Purchasing and Receiving (PR)
8. Board Members (MB)
9. New Users (NU)
10. Test OU (TOU)

The AD settings for the OU are setup as follows.

Computer Configuration

Administrative Templates -> Network -> Offline Files

Subfolders  always available offline = Enabled | No additional Settings

Administratively assigned offline files = Enabled | Files and Folders -> Value Name = \\domain\dfs\$USERDATA\%username% | Value = “BLANK”

Configure Background Sync = Enabled

Background Sync Configuration

Limit Disk space used by offline files = disabled

Allow or disallow use of Offline Files Feature = enabled

Action on server disconnect = enabled | Set Action = Work offline

Enable Transparent Caching = enabled | Network latency value in milliseconds = 32000

Turn on economical application of administratively assigned Offline Files = enabled

Synchronize all offline files before logging off = enabled

Synchronize all offline files when logging on = enabled

Synchronize offline files before suspend = enable | Action = full

User Configuration

Network -> Offline Files

Administratively assigned offline files = enabled |

Files and Folders | Value Name = \\domain\dfs\$DATA\%username% | value = “blank/nothing”

Administratively Assigned Offline Files

Non-default server disconnect actions = enabled

Customize actions | Value Name = Work offline = 0

Action on Server Disconnect = enabled | Action = Work Offline

Synchronize all offline files before logging off = enabled

Synchronize all offline files when logging on = enabled

Synchronize all offline files before suspend = enabled | Action = Full

Administrative Templates -> Policies -> Windows Settings -> Folder Redirection

AppDATA = \\Domain\dfs\$DATA

DESKTOP = \\Domain\dfs\$DATA

Documents = \\Domain\dfs\$DATA

Pictures | Music | Video = Follow Documents Folder

Favorites = \\Domain\dfs\$DATA

Contacts = \\Domain\dfs\$DATA

Downloads = \\Domain\dfs\$DATA

Links = Not Configured

Searches = \\Domain\dfs\$DATA

Redirected Folders Pathing

Now with these settings in place we can make the changes to the user profiles.  I like to run a gpupdate on the server and on the client (if it's a current in use workstation the user uses regularly) just to make sure the policy gets applied.  I then login as the user and have the AD recreate all the proper folders in the new $DATA directory.

Then logout of the client computer.  On the server you need to take ownership of the old directories and the new directory (in this case I am using an administrator account) and then copy the data from the old directories into the new one.  Once your finished then give ownership back to the user; update your group policy on the server and on the client.

The user should now be setup using roaming profiles and at least in my AD environment all users that have been moved over to redirected folders have a typical login time of 5 to 10 seconds and commonly used files are synced and available in offline mode in case the system does have to work in an offline capacity.