Saturday, February 10, 2018

Upgrading Active Directory for Windows 10 Clients

I started seriously working with Active Directory (AD) about 3 years ago; before that I had light to moderate exposure to a Windows 2000 AD, doing basic tasks such as creating users, managing permissions, associating email, etc.  After a series of issues and internal security audits, I started looking into how to fix some of the problems that had started showing up, such as long user login times and failed or inaccessible folders and profiles.  After researching the issues and the errors in the logs, I put a process in place for converting roaming users into users with redirected folders.  I also changed the security definitions and split up a large DFS share into smaller shares with more granular permissions than we had before.

You can check out my post on how to migrate users from roaming profiles to redirected folders.  I highly recommend doing this before migrating to Windows 10; it will make your life a lot easier.  The changes improved access for our users, made confidential documents more secure, and as a by-product helped prepare us for moving our Windows 7 clients to Windows 10.  This post explains what is required to prepare your AD for Windows 10: adding the Windows 10 administrative templates to your AD, converting any roaming users to redirected folders, and customizing the Windows 10 Start menu without affecting the same user profiles when they log on to a Windows 7 machine.

Background:

This is a department-based Active Directory running at the 2008 R2 domain functional level.  It was raised from an NT4 domain level to work with Exchange 2010, but Exchange was never implemented and we moved to a cloud-based email hosting provider.

All of the Active Directory users and computers were set up in two Organizational Units (OUs), one called Users and the other called Computers.  This has now been updated to the following structure.


For the purposes of this post we will break them down as such:


Domain -> Location -> Department

  1. Human Resources (HR)
    -Win10
  2. Information Technology (IT)
    -Win10
  3. Customer Service 1 (CS1)
    -Win10
  4. Customer Service 2 (CS2)
    -Win10
  5. Customer Service 3 (CS3)
    -Win10
  6. Laptop Users (LU)
    -Win10
  7. Purchasing and Receiving (PR)
    -Win10
  8. Board Members (BM)
    -Win10
  9. New Users (NU)
    -Win10
  10. Test OU (TOU)
    -Win10
Now this is a pretty basic AD, but it is inherited.  It was set up on a Windows NT 4 base, and the domain functional level was upgraded to Server 2008 R2 to accommodate an Exchange server which never materialized.  For the sake of our Windows 10 migration, all users are going to be converted from roaming profiles to redirected folders for network and server/client performance.  We have also made changes to the security groups, which now allow more granular access for shares and permissions for files.

Active Directory Domain Level Confirmation

To check your domain functional level, go to Start -> Administrative Tools -> Active Directory Domains and Trusts and launch the program.


Active Directory Domains and Trusts



Right-click the domain (domain.ca in this case) and open Properties.




You can also get this information with the following PowerShell command:



Get-ADDomain | select domainMode, DistinguishedName


So now we have verified our domain functional level as Server 2008 R2.  The minimum Active Directory functional level required is Server 2003 or later.



CanITPro has a great post from 2015 about this, so I definitely recommend that you go through it: https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/



Windows 10 Templates for AD

https://www.microsoft.com/en-us/download/details.aspx?id=48257

Templates for 1607 and server 2016

https://www.microsoft.com/en-us/download/details.aspx?id=53430

Templates for 1709

https://www.microsoft.com/en-gb/download/details.aspx?id=56121

To install the active directory administrative templates please refer to my YouTube Video


To get our AD ready for a Windows 10 client we have to add a few administrative templates to Active Directory.  According to the TechNet blog post, they recommend putting them in the root of the Policies folder, like so: \\domain.com\SYSVOL\domain.com\policies
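As an added example (not code from the original post or from the CanITPro article), the following PowerShell pre-flight check covers both prerequisites covered so far: it confirms the domain functional level is Server 2003 or later, and that the Windows 10 templates are actually present in SYSVOL. The central-store path is an assumption: the post drops the templates under \\domain.com\SYSVOL\domain.com\policies, and this script looks in the PolicyDefinitions subfolder of that location, which is the folder Group Policy treats as the central store. The short list of ADMX file names it looks for is my own choice of files that the settings later in this post depend on.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# RSAT module is available and that the script runs as a domain user on a
# domain-joined management workstation.
Import-Module ActiveDirectory

function Test-Win10AdReadiness {
    param(
        # Assumption: the central store lives under the SYSVOL Policies folder.
        [string]$CentralStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions",
        # Assumption: ADMX files from the Windows 10 templates that the Store,
        # Start layout, Cortana and consumer-experience settings depend on.
        [string[]]$RequiredAdmx = @('WindowsStore.admx', 'StartMenu.admx', 'Search.admx', 'CloudContent.admx')
    )

    $domain = Get-ADDomain
    $forest = Get-ADForest

    # DomainMode is an enum whose numeric value grows with each functional
    # level, so a numeric comparison implements the "2003 or later" rule.
    $minimum = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2003Domain
    $levelOk = [int]$domain.DomainMode -ge [int]$minimum

    $storeExists = Test-Path -LiteralPath $CentralStore
    $admxPresent = @()
    $admxMissing = @()
    if ($storeExists) {
        foreach ($file in $RequiredAdmx) {
            $admx = Join-Path $CentralStore $file
            # Assumption: English language resources live in the en-US subfolder.
            $adml = Join-Path $CentralStore ('en-US\' + [IO.Path]::ChangeExtension($file, '.adml'))
            if ((Test-Path -LiteralPath $admx) -and (Test-Path -LiteralPath $adml)) {
                $admxPresent += $file
            } else {
                $admxMissing += $file
            }
        }
    } else {
        $admxMissing = $RequiredAdmx
    }

    [pscustomobject]@{
        Domain            = $domain.DNSRoot
        DomainMode        = $domain.DomainMode
        ForestMode        = $forest.ForestMode
        DomainLevelOk     = $levelOk
        CentralStore      = $CentralStore
        CentralStoreFound = $storeExists
        AdmxPresent       = $admxPresent
        AdmxMissing       = $admxMissing
        Ready             = $levelOk -and $storeExists -and ($admxMissing.Count -eq 0)
    }
}

# Usage: run once before touching any Windows 10 GPOs and read the Ready flag.
Test-Win10AdReadiness | Format-List
```

If the central store is missing, the Windows 10 settings referenced below will not show up in the Group Policy editor on your management workstation, so this is the first thing to check when a setting "isn't there".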



Windows 10 Administrative Templates
Now that we have our Windows 10 templates installed and activated for Active Directory, there are a couple of things to keep in mind.
  • Limiting/disabling the Store only works for Windows 8 Pro, Windows 8 Enterprise, Windows 10 Education and Windows 10 Enterprise.  You cannot limit or disable the Store through the Group Policy setting on Windows 10 Pro.
  • Removing all Universal Windows apps from everyone's profile is not an option.  There are some UWAs we want staff to use, such as Calculator and Edge.
  • We need to have AD set up to run both Windows 10 users and Windows 7 users side by side while we migrate users and machines.
  • We want a customized Start menu for Windows 10 with standardized apps.

Active Directory User/Computer Structure:

Upgrading and Migrating Windows 7 clients to Windows 10 and Active Directory changes

As you have likely found, the Group Policy to disable the Windows Store (see below) only works with Windows 8 Pro and Enterprise, and Windows 10 Enterprise and Education.  This means it does NOT work on Windows 10 Pro, which is super annoying.


Below is a link to the list of Group Policy settings that only affect Education and Enterprise versions of Windows 10.  A good example is Turn off the Store application: if you want to restrict access to the Store, enabling this will not work if you're not using those editions of Windows 10.


https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions


USER CONFIGURATION > ADMINISTRATIVE TEMPLATES > WINDOWS COMPONENTS > STORE  > TURN OFF THE STORE APPLICATION


The insane suggestion I had received from another administrator was to “simply” delete the Store application files from every profile on every PC and then hope that Microsoft does not update the Store in the future, which would reinstall it.  I found a way to disable the Windows Store using a Software Restriction Policy in Group Policy.


COMPUTER CONFIGURATION > POLICIES > WINDOWS SETTINGS > SECURITY SETTINGS > SOFTWARE RESTRICTION POLICIES >


At this point you will likely have to right-click and select the New/Create option to populate this GPO.


The following will disable the Windows Store and Xbox UWAs.


> ADDITIONAL RULES  > right click and create a rule that disallows %programfiles%\WindowsApps\Microsoft.WindowsStore*

> ADDITIONAL RULES  > right click and create a rule that disallows %programfiles%\WindowsApps\Microsoft.Xbox*

It is VERY important to use the ‘*’ wildcard in this path, because Microsoft may change the path as they update the Store application over the coming years.  In the OU where I have the Windows 7 settings, I created another OU called Win10 where I have the following GP applied to users and computers.



Additional Active Directory Settings for Windows 10

Folder Redirection:

All folders must be specified with explicit paths.  You can no longer use the “Follow the Documents folder” setting, as it doesn't sync your Pictures, Music and Videos.  For some reason it doesn't default to the network path and instead uses the local computer, whereas under Windows 7 it did follow the proper network path.

Windows 7 Pathing

AppData = \\Domain\dfs\$DATA
Desktop = \\Domain\dfs\$DATA
Documents = \\Domain\dfs\$DATA
Pictures | Music | Video = Follow Documents Folder
Favorites = \\Domain\dfs\$DATA
Contacts = \\Domain\dfs\$DATA
Downloads = \\Domain\dfs\$DATA
Links = Not Configured
Searches = \\Domain\dfs\$DATA

Windows 10 Pathing

AppData = \\Domain\dfs\$DATA
Desktop = \\Domain\dfs\$DATA
Documents = \\Domain\dfs\$DATA (I am using this path for Pictures, Music and Video)
Pictures = \\Domain\dfs\$DATA OR \\Domain\dfs\$DATA\%username%\Documents\
Music = \\Domain\dfs\$DATA OR \\Domain\dfs\$DATA\%username%\Documents\
Video = \\Domain\dfs\$DATA OR \\Domain\dfs\$DATA\%username%\Documents\
Favorites = \\Domain\dfs\$DATA
Contacts = \\Domain\dfs\$DATA
Downloads = \\Domain\dfs\$DATA
Links = Not Configured
Searches = \\Domain\dfs\$DATA
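To confirm on a client that the redirection above actually took effect (and to catch the Pictures/Music/Video fallback to the local disk described above), here is an added PowerShell check that is not part of the original post. It reads the per-user shell folder values that folder redirection writes and flags any folder whose target is not a UNC path. The expected root is taken from the post's pathing tables and is an assumption for your environment.

```powershell
# Added example, not code from the original post. Run as the migrated user on
# a Windows 10 client after the first logon with the new GPO applied.
function Test-RedirectedFolders {
    param(
        # Assumption: the DFS root used in the post's pathing tables.
        # Single quotes keep the $DATA share name literal.
        [string]$ExpectedRoot = '\\Domain\dfs\$DATA'
    )

    # Folder redirection lands in the per-user "User Shell Folders" key.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $props = Get-ItemProperty -Path $key

    # Friendly name -> registry value name. Downloads is stored under its
    # known-folder GUID rather than a readable name.
    $folders = [ordered]@{
        AppData   = 'AppData'
        Desktop   = 'Desktop'
        Documents = 'Personal'
        Pictures  = 'My Pictures'
        Music     = 'My Music'
        Video     = 'My Video'
        Favorites = 'Favorites'
        Downloads = '{374DE290-123F-4565-9164-39C4925E467B}'
    }

    foreach ($name in $folders.Keys) {
        $raw = $props.($folders[$name])
        # REG_EXPAND_SZ values are normally returned expanded; expand again in
        # case a %USERPROFILE% reference slipped through unexpanded.
        $target = [Environment]::ExpandEnvironmentVariables([string]$raw)
        $isUnc  = $target -like '\\*'
        [pscustomobject]@{
            Folder     = $name
            Target     = $target
            Redirected = $isUnc
            UnderRoot  = $isUnc -and $target.StartsWith($ExpectedRoot, [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

# Usage: any row with Redirected = False is still on the local disk, which is
# the symptom the post describes for Pictures, Music and Video on Windows 10.
Test-RedirectedFolders | Format-Table -AutoSize
```

A folder that shows Redirected = True but UnderRoot = False points at a network location other than the one in the policy, which is worth checking before assuming the GPO applied cleanly.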

User Configuration:

Do not automatically make all redirected folders available offline | Disabled
Do not automatically make specific redirected folders available offline | Disabled
Turn off toast notifications on the lock screen | Enabled
Turn off tile notifications | Enabled
Turn off toast notifications | Enabled
Add Search Internet link to Start menu | Disabled
List desktop apps first in the Apps view | Enabled
Search just apps from the Apps view | Enabled
Force Start to be either full screen size or menu size | Enabled | Value=Start menu
Clear tile notifications during log on | Enabled
Remove the People Bar from the taskbar | Enabled
Turn off notification area cleanup | Enabled
Remove Games link from Start Menu | Enabled
Remove All Programs list from the Start menu | Enabled | Value=Collapse

*NOTE: THIS WILL REMOVE THE ALL PROGRAMS MENU FROM WINDOWS 7.  ENABLE THIS ONLY ONCE CLIENT MIGRATION TO WINDOWS 10 IS COMPLETE.*


Remove the “Undock PC” button from the Start menu | Enabled
Add the Run command to the Start menu | Enabled
Remove Notifications and Action Center | Enabled
Turn off feature advertisement balloon notifications | Enabled
Do not allow pinning Store app to the Taskbar | Enabled
Turn off automatic promotion of notification icons to the taskbar | Enabled
Show Windows Store apps on the taskbar | Disabled
Turn off access to the Store | Enabled
Allow Telemetry | Disabled
Turn off desktop gadgets | Enabled
Finance | Disabled
Games | Disabled
Maps | Disabled
Music | Disabled
News | Disabled
Reader | Disabled
Sports | Disabled
Travel | Disabled
Video | Disabled
Weather | Disabled
Turn off the offer to update to the latest version of Windows | Enabled
Turn off the Store application | Enabled
Only display the private store within the Windows Store app | Enabled


Computer Configuration:

Allow Cloud Search | Disabled
Allow Cortana | Disabled
Allow Cortana above lock screen | Disabled
Only display the private store within the Windows Store app | Enabled
Start Layout | Enabled
Path = \\domain\sysvol\domain\startmenu\startlayout.xml
Turn off Microsoft Consumer Experiences | Enabled
Turn off the Store application | Enabled
Disable all apps from Windows Store | Enabled

Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules -> Set these path rules to Disallowed:

%programfiles%\WindowsApps\Microsoft.Camera*
%programfiles%\WindowsApps\Microsoft.People*
%programfiles%\WindowsApps\Microsoft.WindowsStore*
%programfiles%\WindowsApps\Microsoft.Xbox*
%programfiles%\WindowsApps\Microsoft.BingWeather*
%programfiles%\WindowsApps\Microsoft.WindowsMaps*
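Both the Store/Xbox rules in the Software Restriction Policies section above and the longer list here depend on the rules reaching the client with the trailing wildcard intact. The following PowerShell audit is an added example, not code from the original post: it enumerates the path rules SRP has stored in the registry on a client after gpupdate and reports, for each package name the post disallows, whether a Disallowed rule exists and whether it carries the ‘*’ wildcard. The registry layout it reads is the one SRP uses (a numeric subkey per security level, 0 being Disallowed, and a GUID subkey per rule holding ItemData); the list of expected package prefixes is taken from the post.

```powershell
# Added example, not code from the original post. Run elevated on a Windows 10
# client after gpupdate /force to confirm the SRP path rules actually applied.
function Get-SrpPathRule {
    $base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    # SRP security levels are numeric subkeys: 0 = Disallowed, 262144 = Unrestricted.
    $levels = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

    foreach ($level in $levels.Keys) {
        $pathsKey = Join-Path $base "$level\Paths"
        if (-not (Test-Path -LiteralPath $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -LiteralPath $pathsKey) {
            $p = Get-ItemProperty -LiteralPath $rule.PSPath
            [pscustomobject]@{
                Level       = $levels[$level]
                Path        = [string]$p.ItemData
                # '[*]' inside -like matches a literal asterisk in the rule path.
                HasWildcard = ([string]$p.ItemData) -like '*[*]*'
                Description = [string]$p.Description
            }
        }
    }
}

function Test-SrpAppBlocks {
    param(
        # Package name prefixes the post disallows (Store/Xbox from the earlier
        # section plus the extended list above).
        [string[]]$ExpectedPrefixes = @('Microsoft.WindowsStore', 'Microsoft.Xbox', 'Microsoft.Camera',
                                        'Microsoft.People', 'Microsoft.BingWeather', 'Microsoft.WindowsMaps')
    )
    $disallowed = Get-SrpPathRule | Where-Object Level -eq 'Disallowed'
    foreach ($prefix in $ExpectedPrefixes) {
        $match = $disallowed | Where-Object { $_.Path -like "*WindowsApps\$prefix*" }
        [pscustomobject]@{
            Package   = $prefix
            RuleFound = [bool]$match
            # The post stresses the trailing '*': without it the rule stops
            # matching as soon as the versioned package folder name changes.
            Wildcard  = [bool]($match | Where-Object HasWildcard)
        }
    }
}

# Usage: every row should read RuleFound = True and Wildcard = True.
Test-SrpAppBlocks | Format-Table -AutoSize
```

Because the check reads what the client actually received rather than what the GPO says, it also catches the case where the Win10 OU link or security filtering is wrong and the rules never arrived.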

***STARTMENU LAYOUT***

**NOTE:  If you don't apply your GP properly you will have to delete the local account to get the Start menu to show up how you want it to.  The user could end up with a bunch of Windows 10 games loaded on their Start menu instead of the nice clean one we have made.**

<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride LayoutCustomizationRestrictionType="OnlySpecifiedGroups">
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="APPS">
          <start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\Notepad++\notepad++.exe" Size="2x2" Column="0" Row="0"/>
          <start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Size="2x2" Column="2" Row="0"/>
          <start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\Mozilla Firefox\firefox.exe" Size="2x2" Column="0" Row="2"/>
          <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
          <start:Tile Size="2x2" Column="2" Row="2" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" Size="2x2" Column="4" Row="2"/>
          <start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" Size="2x2" Column="0" Row="4"/>
          <start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\Microsoft Office\Office16\WINWORD.exe" Size="2x2" Column="2" Row="4"/>
          <start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\Microsoft Office\Office16\EXCEL.exe" Size="2x2" Column="4" Row="4"/>
          <start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\Microsoft Office\Office16\POWERPNT.exe" Size="2x2" Column="0" Row="6"/>
          <start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\Microsoft Office\Office16\MSPUB.exe" Size="2x2" Column="2" Row="6"/>
          <start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files\paint.net\PaintDotNet.exe" Size="2x2" Column="4" Row="6"/>
          <start:DesktopApplicationTile DesktopApplicationLinkPath="C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe" Size="2x2" Column="0" Row="8"/>
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
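A layout file that does not parse, or that references executables and AppUserModelIDs that are not on the image, is one way to end up with the default Start menu the note above warns about. The following PowerShell validator is an added example and not part of the original post: it loads the layout XML, checks every DesktopApplicationTile path exists on the reference machine, and checks every Tile's AppUserModelID against the apps that Get-StartApps (from Windows 10's StartLayout module) reports for the current user. The default file path is the one used in the Computer Configuration settings above.

```powershell
# Added example, not code from the original post. Run on a machine built from
# the deployment image, as a normal user, before pointing the Start Layout
# policy at the file.
function Test-StartLayoutFile {
    param(
        # Assumption: the SYSVOL path from the post's Start Layout setting.
        [string]$Path = '\\domain\sysvol\domain\startmenu\startlayout.xml'
    )

    # The [xml] cast throws on malformed XML, which is the first thing to rule
    # out when clients get the default Start menu instead of this one.
    [xml]$layout = Get-Content -LiteralPath $Path -Raw

    $ns = New-Object System.Xml.XmlNamespaceManager($layout.NameTable)
    $ns.AddNamespace('start', 'http://schemas.microsoft.com/Start/2014/StartLayout')

    # AppUserModelIDs of every app installed for the current user.
    $installed = @{}
    foreach ($app in Get-StartApps) { $installed[$app.AppID] = $app.Name }

    foreach ($tile in $layout.SelectNodes('//start:DesktopApplicationTile', $ns)) {
        $exe = $tile.GetAttribute('DesktopApplicationLinkPath')
        [pscustomobject]@{
            Kind   = 'Desktop'
            Target = $exe
            Found  = Test-Path -LiteralPath $exe
        }
    }
    foreach ($tile in $layout.SelectNodes('//start:Tile', $ns)) {
        $id = $tile.GetAttribute('AppUserModelID')
        [pscustomobject]@{
            Kind   = 'UWP'
            Target = $id
            Found  = $installed.ContainsKey($id)
        }
    }
}

# Usage: any row with Found = False is a tile Windows cannot resolve on the
# client, so the Start menu will not look like the layout you designed.
Test-StartLayoutFile | Format-Table -AutoSize
```

Running this against the image rather than your own workstation matters: the paths in the layout (Office16, TeamViewer Version8 and so on) are fixed strings, so a version bump in the image silently breaks the corresponding tile.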


Windows 10 Start Menu with a proper GP applied


Now, thanks to the redirected folders, profiles load fast and syncing issues have all but disappeared.  Redirected folders also made the migration from Windows 7 to Windows 10 relatively trivial and painless.  After deploying the image, the user logs in and everything is there.  There is some confusion with the Pictures, Music and Video folders because of the path change we made from Windows 7 to Windows 10, since the "Follow Documents" GP did not seem to be followed in testing.  All the users' files are there; they just need to be told where to look.  I have only had an issue with 2 machines out of 12 since deployment: one had to do with a USB device and the other a power-save setting.
