BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Microsoft introduced a lot of new features and capabilities in Windows Server 2016, but group policies remain largely...
unchanged from the previous version. Although Microsoft has presumably introduced some Windows Server 2016- and Windows 10-specific Group Policy settings, the overall group policy structure hasn't changed.
Group Policy allows administrators of an Active Directory environment to set up configurations for users and machines on the network. Examples of Group Policy settings include setting a default Start menu style on Windows client machines or placing a threshold on login attempts before a user account gets locked.
In Windows Server 2016, Group Policy settings still exist for users and computers (Figure 1). These policy settings may be applied at the domain, organizational unit, site or local computer level.
What's changed in Windows Server 2016 Group Policy
What's changed is the way in which the Group Policy configuration process works. In Windows Server 2016, Microsoft encourages customers to deploy servers with as small of a footprint as possible.
The preferred deployment method does not include a GUI (Figure 2). The descriptive text beneath the installation options explains that you should only install Windows with the local administrative tools if you need backward-compatibility.
How to access the Group Policy Editor
This raises the question of how to access the Group Policy Editor. The method you use will vary depending on the type of installation you have performed. Currently, Windows Server is in its preview release, so things could change by the time it's in general availability. But if you installed the local administrative tools, then accessing the Group Policy Editor is somewhat similar to the method used in Windows Server 2012.
Currently, even an installation that includes the local administrative tools is somewhat bare bones. The interface includes a Command Prompt window and Server Manager, but nothing else. There is no desktop and no Start menu (Figure 3).
Finding management tools requires effort
Most of the Windows Server 2012 R2 style management tools still exist, but accessing those tools isn't always intuitive. The Server Manager, for example, includes a link to the Local Security Policy, but not to domain-based group policies. If you want to access the user and computer portion of the local security policy, you will need to switch to the Command Prompt window and navigate to C:\%systemroot%\system32, and then enter the gpedit.msc command to open the Group Policy Editor. (Figure 4).
For deployments that do not include local management tools, you will have to either manage the group policies remotely or use PowerShell. If you want to manage Group Policy remotely, then you will need at least one server that has the management tools installed.
From this server, enter the Microsoft Management Console command at the server's command prompt. When the console loads, select the Add or Remove Snap-ins command from the File menu. When you do, Windows will present a list of snap-ins. Choose the Group Policy Object Editor from the list of snap-ins and click Add. You will then be asked which Group Policy to manage. Click the Browse button and then select the desired Group Policy (Figure 5).
Making Group Policy changes with PowerShell
The other option is to edit group policies with PowerShell. Windows Server 2012 has an entire PowerShell module dedicated to Group Policy management. However, the Group Policy module is not installed by default. The Group Policy module is only installed if the server was either configured as a domain controller or if the server had the Group Policy Management Console installed.
Microsoft has not yet documented the conditions in which the Group Policy module will be available in Windows Server 2016.
When Windows Server 2016 becomes available, most organizations will probably opt to perform remote management of group policies rather than installing the management tools locally. PowerShell is a viable option, as well, but GUI-based management tools tend to be more efficient for small scale tasks.
Get back to basics and learn how Active Directory works
Find out how Active Directory differs from Azure Active Directory
Use PowerShell to manage groups in Active Directory