
Group Policy
Content
- Cover
- Title Page
- Copyright
- Acknowledgments
- About the Author
- About The Contributors
- Contents
- Introduction
- Chapter 1: Group Policy Essentials
- Getting Ready to Use This Book
- Getting Started with Group Policy
- Active Directory and Local Group Policy
- An Example of Group Policy Application
- Examining the Resultant Set of Policy
- Group Policy, Active Directory, and the GPMC
- Group Policy 101 and Active Directory
- Our Own Group Policy Examples
- Final Thoughts
- Chapter 2: Managing Group Policy with the GPMC and via PowerShell
- Common Procedures with the GPMC and PowerShell
- Security Filtering and Delegation with the GPMC
- Performing RSoP Calculations with the GPMC
- Searching and Commenting Group Policy Objects and Policy Settings
- Starter GPOs
- Back Up and Restore for Group Policy
- Migrating Group Policy Objects between Domains
- GPMC At-a-Glance Icon View
- Final Thoughts
- Chapter 3: Group Policy Processing Behavior Essentials
- Group Policy Processing Principles
- Policy Application via Remote Access, Slow Links, and after Hibernation
- Using Group Policy to Affect Group Policy
- Final Thoughts
- Chapter 4: Advanced Group Policy Processing
- Fine-Tuning When and Where Group Policy Applies
- Group Policy Loopback Processing
- Group Policy with Cross-Forest Trusts
- Final Thoughts
- Chapter 5: Group Policy Preferences
- Powers of the Group Policy Preferences
- Group Policy Preferences Concepts
- Group Policy Preferences Tips, Tricks, and Troubleshooting
- Giving Group Policy Preferences a "Boost" (Using PolicyPak Preferences Manager and PolicyPak Cloud)
- Final Thoughts
- Chapter 6: Managing Applications and Settings Using Group Policy
- Understanding Administrative Templates
- Exploring ADM vs. ADMX and ADML Files
- ADMX and ADML Files: What They Do and the Problems They Solve
- The Central Store
- Creating and Editing GPOs in a Mixed Environment
- Using ADM and ADMX Templates from Other Sources
- ADMX Migrator and ADMX Editor Tools
- PolicyPak Application Manager
- Final Thoughts
- Chapter 7: Troubleshooting Group Policy
- Under the Hood of Group Policy
- The Birth, Life, and Death of a GPO
- How Client Systems Get Group Policy Objects
- Why Isn't Group Policy Applying?
- Client-Side Troubleshooting
- Advanced Group Policy Troubleshooting with the Event Viewer Logs
- Final Thoughts
- Chapter 8: Implementing Security
- The Two Default Group Policy Objects
- The Strange Life of Password Policy
- Inside Basic and Advanced Auditing
- Restricted Groups
- Restrict Software Using AppLocker
- Controlling User Account Control with Group Policy
- Wireless (802.3) and Wired Network (802.11) Policies
- Configuring Windows Firewall with Group Policy
- Final Thoughts
- Chapter 9: Profiles: Local, Roaming, and Mandatory
- Setting the Stage for Multiple Clients
- What Is a User Profile?
- Roaming Profiles
- Mandatory Profiles
- Final Thoughts
- Chapter 10: The Managed Desktop, Part 1: Redirected Folders, Offline Files, and the Synchronization Manager
- Redirected Folders
- Offline Files and Synchronization
- Using Folder Redirection and Offline Files over Slow Links
- Final Thoughts
- Chapter 11: The Managed Desktop, Part 2: Software Deployment via Group Policy
- Group Policy Software Installation (GPSI) Overview
- Assigning and Publishing Applications
- Advanced Published or Assigned
- Default Group Policy Software Installation Properties
- Removing Applications
- Using Group Policy Software Installation over Slow Links
- MSI, the Windows Installer, and Group Policy
- Deploying Office 2010 and Later Using Group Policy (MSI Version)
- Installing Office Using Click-to-Run
- System Center Configuration Manager vs. Group Policy (and Alternatives)
- Final Thoughts
- Chapter 12: Finishing Touches with Group Policy: Scripts, Internet Explorer, Hardware Control, Printer Deployment, Local Admin Password Control
- Scripts: Logon, Logoff, Startup, and Shutdown
- Managing Internet Explorer with Group Policy
- Restricting Access to Hardware via Group Policy
- Assigning Printers via Group Policy
- Implementing Rotating Local Passwords with LAPS
- Final Thoughts for This Chapter and for the Book
- Appendix A: Scripting Group Policy Operations with Windows PowerShell
- Using PowerShell to Do More with Group Policy
- Replacing Microsoft's GPMC Scripts with PowerShell Equivalents
- Final Thoughts
- Appendix B: Group Policy and VDI
- Why Is VDI Different?
- Tuning Your Images for VDI
- Group Policy Tweaks for Fast VDI Video
- Final Thoughts for VDI and Group Policy
- Appendix C: Advanced Group Policy Management
- The Challenge of Group Policy Change Management
- Architecture and Installation of AGPM
- What Happens after AGPM Is Installed?
- Understanding the AGPM Delegation Model
- AGPM Common Tasks
- AGPM Tasks with Multiple Admins
- Advanced Configuration and Troubleshooting of AGPM
- Final Thoughts
- Appendix D: Security Compliance Manager
- SCM: Installation
- LocalGPO Tool
- Final Thoughts on LocalGPO and SCM
- Appendix E: Microsoft Intune and PolicyPak Cloud
- Microsoft Intune
- PolicyPak Cloud
- Final Thoughts on Microsoft Intune and PolicyPak Cloud
- Index
- EULA
Introduction
Windows 10 is here.
Alas, Windows 8 and 8.1, we hardly knew ye.
And Windows 9, we just skipped you entirely and jumped ahead to Windows 10.
For people buying this book for the first time, welcome. For people who have bought previous editions and are returning again (or again and again and again), thank you for coming back.
Group Policy and Active Directory go hand in hand. If you have Active Directory, you get Group Policy.
If you're very new to Group Policy, here's the inside scoop. Group Policy has one goal: to make your administrative life easier. Instead of running around from machine to machine, tweaking a setting here or installing some software there, you'll have ultimate control from on high.
Like Zeus himself, controlling the many aspects of the mortal world below, you will have the ability, via Group Policy, to dictate specific settings pertaining to how you want your users and computers to operate. You'll be able to shape your network's destiny. You'll have the power. But you need to know how to tap into this power and what can be powered.
In this introduction and throughout the first several chapters, I'll describe just what Group Policy is all about and give you an idea of its tremendous power. Then, as your skills grow, chapter by chapter, we'll build on what you've already learned and help you do more with Group Policy, troubleshoot it, and implement some of its most powerful features.
For those of you who are already somewhat Group Policy savvy, there is some good and some bad news (which is the same news): From a Group Policy perspective, Windows 10 is not radically different from its Windows 7 or Windows 8 siblings.
Ironically, Group Policy's innards did get the most recent update between Windows 8 and Windows 8.1, and those carry forward to Windows 10. I'll explain these when the time comes, so you can understand the behavior changes. Take a look at Table I-1 for how the Windows Group Policy engine evolved when the internal version number changed.
Table I-1: How Windows and Group Policy evolved
| Product Name | Internal Windows Version Number | Changes to Group Policy Engine |
| --- | --- | --- |
| Windows XP | 5.0 | Big changes from Windows 2000 |
| Vista | 6.0 | Big changes from XP |
| Windows 7 | 6.1 | Not so big changes from Windows Vista |
| Windows 8 | 6.2 | Not so big changes from Windows 7 |
| Windows 8.1 and Windows 8.1 with Update | 6.3 | Medium changes from Windows 8 |
| Windows 10 | 6.4 when it was in beta. But now at release Microsoft smartly jumped it up to 10. | No changes from Windows 8.1 |

Again, Table I-1 shows changes from a "Group Policy guts" perspective and is not necessarily reflective of what you can do (the actions you can perform) with Group Policy.
Knowing what's changed within the Group Policy guts is a dual-edged sword. On the one hand, you could say to yourself, "Awesome! If I'm already an expert at Windows 7 and Group Policy, there's not a huge hill to climb!" And that would be true. On the other hand, it's also true that because Windows 8 through 10 didn't shake things up too much, with regard to Group Policy "guts," there's not a lot of whiz-bang newness to uncover and show off. That being said, the updates in Windows 8.1 (which carry forward to Windows 10) will be covered in Chapter 3.
In a way, I really like the dual-edged sword. I like that there are a variety of new goodies and things you can do with Group Policy for Windows 10, some interesting updates, but not a radical head-spinning change. I like the fact that what is already working in practice doesn't change that much. I like knowing that the time already invested in getting smarter in Group Policy isn't for nothing, and you and I won't have to relearn everything we ever knew all over again.
So, even though the "guts" haven't changed all that much, there's always new "stuff" you can accomplish with Group Policy as each operating system comes out.
As you likely already know, Group Policy is, at its heart, an "on-prem" system for management. Isn't this antithetical to Microsoft's new battle cry of "Mobile first, cloud first?"
If you want to read Microsoft's own perspective on this, see:
http://news.microsoft.com/2014/03/27/satya-nadella-mobile-first-cloud-first-press-briefing/
Shouldn't Group Policy get a huge overhaul in its underlying technology to align with "Mobile first, cloud first?"
Perhaps it doesn't need it. Because Group Policy is, by its very nature, extensible, we can extend Group Policy to the cloud when needed if paired with (at least two) "add-ons." Microsoft DirectAccess (beyond the scope of this book, but briefly touched upon in Chapter 3) enables Windows machines to act as if they are always connected on-premise, even though they might be over the Internet at a coffee shop. That being said, DirectAccess only works with the more pricey Enterprise version of the Windows client.
PolicyPak Cloud (demonstrated in Chapter 3 and "name dropped" throughout the book) can take existing Group Policy directives and get them to the cloud for use on traveling and even non-domain-joined machines. PolicyPak Cloud works with any version of Windows and isn't limited to the more pricey Enterprise version.
If you've done some work already with Group Policy, you might notice that it could be described as various components under one roof; it roughly breaks down as follows:
- Group Policy Administrative Templates
- Group Policy Security Settings
- Group Policy Preferences
- Everything else, including third-party extensions
With all that power, and extendibility, Group Policy continues to stay not just relevant but, indeed, central to any Active Directory administrator's tool belt of required knowledge.
And because Group Policy is extensible, it can keep working in a "Mobile first, cloud first" world.
Group Policy Defined
If we take a step back and try to analyze the term Group Policy, it's easy to become confused. When I first heard the term, I didn't know what to make of it.
I asked myself, "Are we applying 'policy' to 'groups'? Is this some sort of old-school NT 4 System Policy applied to Active Directory groups?"
Turns out, "Group Policy" as a name isn't, well, excellent. At cocktail parties, when I tell the person next to me that I teach, write about, and make software to extend Group Policy, they don't get what "Group Policy" means.
If I said something like "I teach databases," he would cheerfully go back to his scotch and soda and leave me alone. But because I say, "I teach Group Policy to smart people looking to get smarter and build software that hooks into Group Policy," he (unfortunately) wants to know more. He'll say something like "What does that mean? I've never heard of Group Policy before." And while I love talking about Group Policy with you, my friendly IT geeks, at a cocktail party full of stuffed shirts, I just want to get another canapé.
So, the name "Group Policy" can be kind of confusing, but it's also intriguing. Microsoft's perspective is that the name "Group Policy" is derived from the fact that you are "grouping together policy settings." I don't really love the name "Group Policy," but it's the name we have, so that's what it's called. As Juliet said in Romeo and Juliet (II, ii, 43-44), "What's in a name? That which we call a rose by any other name would smell as sweet."
For me, if I was consulted, I might have named it Windows Policy or Microsoft Policy. But, alas. Group Policy is the name it has.
Group Policy is, in essence, rules that are applied and enforced at multiple levels of Active Directory. Policy settings you dictate must be adhered to by your users and computers. This provides great power and efficiency when manipulating client systems.
Instead of running around from machine to machine, you're in charge (not your users).
When going through the examples in this book, you will play the various parts of the end user, the OU administrator, the domain administrator, and the enterprise administrator. Your mission is to create and define Group Policy using Active Directory and witness it being automatically enforced. What you say goes! With Group Policy, you can set policies that dictate that users quit messing with their machines. You can dictate what software will be deployed. You can determine how much disk space users can use. You can do pretty much whatever you want; it is up to you. With Group Policy, you hold all the power. That's the good news.
And this magical power only works on Windows 2000 and later machines. For the sake of completeness, this includes all versions of Windows 2000 and later: workstation and server. Of course, this includes all the modern Windows systems you would use, like Windows 10 and Windows Server 2016.
I'll likely say this again in multiple places, but I want to get one "big ol' misconception" out of the way right here, right in the introduction. The Group Policy infrastructure does not care what mode your domain is in. If you have only one type of Domain Controller or a...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.