Server 2016 on your laptop or desktop.
So, just to be clear, the following two ways to create and manage GPOs are equal:
● Windows 10 and the downloadable GPMC (contained within the RSAT tools)
● Windows Server 2016 with its built-in GPMC
I’ll usually just refer to a Windows 10 management station, and when I say that, I mean what I have in that first bullet point. Just remember that you can use a Windows Server 2016 machine as your management station, too.
Now, to be super-crazy, ridiculously clear: you could also use any of the other GPMCs out there, and things will basically “work.” I delve into this in serious detail in Chapter 6, but here’s the CliffNotes, er, JeremyNotes version of “What GPMC should I use?”:
● Always strive to use Windows 10 (or Windows Server 2016) as your management station and you’ll always be able to control all operating systems’ settings from all operating systems. If by the time you read this book, something after Windows 11 is out – use that GPMC. Always use the latest GPMC.
● The next best choice would be Windows 8.1 (with Update 1) and RSAT or Server 2012 R2.
● After that, the next best choice would be Windows 7 or Windows Server 2008 R2, which has “almost” all the same stuff as Windows 8’s GPMC (but not quite).
Everything else would be suboptimal to use.
But if you have even one Windows 10 client machine (say in Sales or Marketing), in order to manage all its settings you’re going to need to manage the machine using a “modern” GPMC. So I’m suggesting you just bite the bullet and get yourself a copy of Windows 10 and do your management from there.
Again, more details later, but here’s the warning. If you create a GPO using a “newer GPMC” (say, using a Windows 10 or Windows Server 2016 GPMC) but then edit it using an older operating system (say, a Windows 7 or XP GPMC), you might not be able to “see” all the configurable options. And what’s worse, some settings might be set (but you wouldn’t be able to see them!). Only the newest GPMC can see the “stuff” that the newest GPMC puts into the GPO.
What if you’re not “allowed” to load Windows 10, 8.1, or 7 on your own management station? Well, you’ve got another option. Perhaps you can create a Windows 10 or Windows Server 2016 machine to act as your management station, say in the server room. Or, use VMware Workstation or another virtualization tool to make an “almost real” management machine. Or, do create a real machine but set up Terminal Services or Remote Desktop to utilize the GPMC remotely.
Again, in our examples we’ll call our machine WIN10MANAGEMENT, but you can use either a Windows 10 or Windows Server 2016 for your best management station experience.
Using a Windows Server 2016 Machine as Your Management Station
The latest GPMC is available in Windows Server 2016. However, it’s not magically installed in most cases. The only time it is just “magically there” is when you make your Windows Server 2008, Windows Server 2008 R2, or Windows Server 2016 machine a Domain Controller. In that case, the GPMC is automatically installed for you. You don’t need to do the following procedure.
And, if you’re following along in the labs, you’ve likely already made your server a Domain Controller. But for practice, if you want to learn how to install it for when your server is not acting as a Domain Controller, there are two ways to install the GPMC: using Server Manager and also by the command line.
To install the GPMC using Server Manager:
1. From the Start screen, select Server Manager.
2. Click Dashboard, then select “Add roles and features.”
3. In the “Add Roles and Features” wizard, you’ll eventually get to the Features screen. Be sure Group Policy Management is selected.
4. Click Install.
Close Server Manager once you’re done.
You can also install the GPMC using the command line:
1. Open a PowerShell prompt as an Administrator.
2. In PowerShell, type Add-WindowsFeature GPMC.
3. Close the command prompt when the installation has been completed.
Using Windows 10 as Your Management Machine
The first step on your Windows 10 management-station-to-be is to install Windows 10.
RSAT comes as a Microsoft Update Standalone Package and installs like a hotfix, and you may or may not need to reboot after installation. At last check, you can download the Windows 10 RSAT from www.microsoft.com/en-us/download/details.aspx?id=45520.
All the tools are installed automatically when you install the Update Package. You can see the tools already installed in Figure 1-7.
Once you’re done, close the Windows Features window and, if prompted, reboot your Windows 10 machine. The next time you boot, you’ll have Active Directory Users and Computers, the GPMC, and other tools available for use in the rest of the book.
If you cannot use a Windows 10 management machine and can only use a Windows 8.1 or 7 management machine, then the steps are the same for Windows 7, except the RSAT download is different. The RSAT for Windows 8.1 can be found at http://tinyurl.com/win81rsat and the RSAT for Windows 7 SP1 can be found at http://tinyurl.com/win7rsat-sp1.
Figure 1-7: The RSAT tools installed in Windows Features in the Control Panel ⇒ Programs ⇒ “Turn Windows features on or off”
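The script below is an added example, not code from the book. It ranks the current machine against the "What GPMC should I use?" list above and then confirms the GPMC is present: on a server it installs the feature with the same Add-WindowsFeature GPMC command shown earlier, and on a client it checks that RSAT has delivered the GroupPolicy module. It assumes Windows PowerShell (powershell.exe) run as an Administrator; the mapping of OS version numbers to the book's tiers is this example's assumption.

```powershell
# Added example: rank this machine as a GPMC management station, then make sure
# the GPMC is actually installed. Run from an elevated Windows PowerShell prompt.
$os       = Get-WmiObject -Class Win32_OperatingSystem
$version  = [version]$os.Version        # 10.0.x = Windows 10 / Server 2016
$isServer = $os.ProductType -ne 1       # 1 = workstation, 2 = DC, 3 = member server

# Tiers follow the chapter's list; the version cut-offs are assumed here.
if ($version -ge [version]'10.0') {
    $tier = 'best choice (Windows 10 / Server 2016 class GPMC)'
} elseif ($version -ge [version]'6.3') {
    $tier = 'next best (Windows 8.1 / Server 2012 R2 class GPMC)'
} elseif ($version -ge [version]'6.1') {
    $tier = 'after that (Windows 7 / Server 2008 R2 class GPMC)'
} else {
    $tier = 'suboptimal (older GPMC)'
}
Write-Output "$($os.Caption) [$version]: $tier"
if ($version -lt [version]'10.0') {
    Write-Warning 'An older GPMC may not show every setting that a newer GPMC stored in a GPO.'
}

if ($isServer) {
    # Servers: the GPMC is a feature. It is already present on Domain Controllers.
    Import-Module ServerManager
    $feature = Get-WindowsFeature -Name GPMC
    if ($feature.Installed) {
        Write-Output 'GPMC feature is already installed.'
    } else {
        $result = Add-WindowsFeature -Name GPMC
        if (-not $result.Success) { throw "GPMC installation failed: $($result.ExitCode)" }
        if ($result.RestartNeeded -ne 'No') { Write-Warning 'Restart needed to finish the GPMC installation.' }
    }
} elseif (-not (Get-Module -ListAvailable -Name GroupPolicy)) {
    # Clients: the GPMC arrives with the RSAT package, not with Add-WindowsFeature.
    throw 'GroupPolicy module not found. Install the RSAT package for this Windows version first.'
}

# Final check: the GroupPolicy module that ships with the GPMC must load.
Import-Module GroupPolicy -ErrorAction Stop
Write-Output "GroupPolicy module $((Get-Module -Name GroupPolicy).Version) loaded; GPMC is ready."
```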
Creating a One-Stop-Shop MMC
As you’ll see, the GPMC is a fairly comprehensive Group Policy management tool. But the problem is that right now the GPMC and the Active Directory Users and Computers snap-ins are, well, separate tools that each do a specific job. They’re not integrated to allow you to work on the idea of Users and Computers and Group Policy at the same time.
Often, you’ll want to change a Group Policy linked to an OU and then move computers to that OU. Unfortunately, you can’t do so from the GPMC; you must return to Active Directory Users and Computers to finish the task. This can get frustrating quickly. But that’s the deal.
As a result, my preference is to create a custom MMC that shows both the Active Directory Users and Computers and GPMC in a one-stop-shop view. You can see what I mean in Figure 1-8.
You might be wondering at this point, “So, Jeremy, what are the steps I need in order to create this unified MMC console you’ve so neatly described and shown in Figure 1-8?”
Just click Start and type MMC at the Search prompt. Then add in both the Active Directory Users and Computers and Group Policy Management snap-ins, as shown in Figure 1-9.
You won’t need the Group Policy Management Editor (which allows you to edit one Group Policy Object at a time), the Group Policy Object Editor (for Local Group Policy), or the Group Policy Starter GPO Editor (which we use in Chapter 2).
Figure 1-8: Use the MMC to create a unified console.