A Windows Server 2016 Group Policy walkthrough

Administrators who work with Group Policy will appreciate that the structure hasn't changed in Windows Server 2016, but there are new policies unique to the release worth noting.

Microsoft introduced a lot of new features and capabilities in Windows Server 2016, but group policies remain largely unchanged from the previous version. Although Microsoft has presumably introduced some Windows Server 2016- and Windows 10-specific Group Policy settings, the overall group policy structure hasn't changed.

Group Policy allows Active Directory administrators to set up configurations for users and machines on the network. Examples of Windows Server 2016 Group Policy settings include setting a default Start menu style on Windows client machines or placing a threshold on login attempts before a user account gets locked.

In Windows Server 2016, Group Policy settings still exist for users and computers (Figure 1). These policy settings may be applied at the domain, organizational unit, site or local computer level.

Group Policy Editor
Figure 1: This is the Local Group Policy Editor in Windows Server 2016 Preview 2.

What's changed in Windows Server 2016 Group Policy

What's changed is the way the Group Policy configuration process works. In Windows Server 2016, Microsoft encourages customers to deploy servers with as small of a footprint as possible.

The preferred deployment method does not include a GUI (Figure 2). The descriptive text beneath the installation options explains that you should only install Windows with the local administrative tools if you need backward-compatibility.

How to access the Group Policy Editor

In Windows Server 2016, Microsoft encourages customers to deploy servers with as small of a footprint as possible.

This raises the question of how to access the Group Policy Editor. The method you use will vary depending on the type of installation you have performed. Currently, Windows Server is in its preview release, so things could change by the time it's in general availability. But if you installed the local administrative tools, then accessing the Group Policy Editor is somewhat similar to the method used in Windows Server 2012.

Currently, even an installation that includes the local administrative tools is somewhat bare bones. The interface includes a Command Prompt window and Server Manager, but nothing else. There is no desktop and no Start menu (Figure 3).

Windows Server 2016 tools
Figure 3: This preview release of Windows Server 2016 offers a minimal amount of management.

Finding management tools requires effort

Most of the Windows Server 2012 R2 style management tools still exist, but accessing those tools isn't always intuitive. The Server Manager, for example, includes a link to the Local Security Policy, but not to domain-based group policies. If you want to access the user and computer portion of the local security policy, you will need to switch to the Command Prompt window and navigate to C:\%systemroot%\system32, and then enter the gpedit.msc command to open the Group Policy Editor. (Figure 4).

gpedit.msc command
Figure 4: You can use the gpedit.msc command to launch the Group Policy Editor from the Command Prompt window.

For deployments that do not include local management tools, you will have to either manage the group policies remotely or use PowerShell. If you want to manage Windows Server 2016 Group Policy remotely, then you will need at least one server that has the management tools installed.

From this server, enter the Microsoft Management Console command at the server's command prompt. When the console loads, select the Add or Remove Snap-ins command from the File menu. When you do, Windows will present a list of snap-ins. Choose the Group Policy Object Editor from the list of snap-ins and click Add. You will then be asked which Group Policy to manage. Click the Browse button and then select the desired Group Policy (Figure 5).

Group Policy Object Editor
Figure 5: Click the Browse button and select the group policy to edit.

Making Group Policy changes with PowerShell

The other option is to edit group policies with PowerShell. Windows Server 2012 has an entire PowerShell module dedicated to Group Policy management. However, the Group Policy module is not installed by default. The Group Policy module is only installed if the server was either configured as a domain controller or if the server had the Group Policy Management Console installed.

Microsoft has not yet documented the conditions in which the Windows Server 2016 Group Policy module will be available.

When Windows Server 2016 becomes available, most organizations will probably opt to perform remote management of group policies rather than installing the management tools locally. PowerShell is a viable option, as well, but GUI-based management tools tend to be more efficient for small scale tasks.

Next Steps

Get back to basics and learn how Active Directory works

Find out how Active Directory differs from Azure Active Directory

Use PowerShell to manage groups in Active Directory

Dig Deeper on Microsoft identity and access management

Cloud Computing
Enterprise Desktop
Virtual Desktop