Connect to networks with Windows 8 Group Policy and AD

Administrators need to be careful when connecting Windows 8.1 endpoints to enterprise domains. Windows 8 Group Policy and Active Directory can help.

Every enterprise needs a means of authorizing users, exerting controls and enforcing policies for end users. Windows network domains rely on Active Directory to provide critical services such as password authentication or software update policies.

Consequently, IT administrators must have a clear understanding of the scope of Windows 8.1 Active Directory, the range of features supported and the proper requirements for adding a network endpoint to an AD domain. Admins also need troubleshooting acumen to resolve AD connection problems for new or existing users. Let's consider some of the most pressing AD issues for Windows 8.1 computers.

What kinds of endpoint features can an IT administrator control or enforce through Group Policy in Windows 8.1 Enterprise? Is it worth enforcing a Start Screen layout for endpoints?

Admins can apply and enforce a variety of endpoint policies on Windows 8.1 Enterprise systems using Group Policy Objects (GPOs). For example, a desktop admin can open the Local Computer Policy, expand the Computer Configuration node and then drill down to Administrative Templates.

There will be entries for Control Panel, Network, Printers, Server, Start Menu and Taskbar, System and so on. Each of these template entries can be associated with an XML file, which defines available features, layouts and other attributes that control the look and feel of interfaces.

There is no technical requirement that compels organizations to alter Start Screen layouts. The value of defining and enforcing a Start Screen layout depends entirely on the needs and preferences of the host business. Smaller or informal organizations may not find value in applying a predefined layout, while a larger, more formal business might be able to simplify endpoint support by applying a layout that it can define and enforce.

To actually apply a layout, highlight the Start Menu and Taskbar entry under Administrative Templates, then select the Start Screen Layout entry. A dialog box will let admins enable the feature and set the local or network path to an XML file that defines the layout. If the XML file doesn't already exist, you'll need to create it using the Export-StartLayout cmdlet in PowerShell.
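The export step described above, as an added example that is not part of the original article. The share path \\fileserver\layouts is a hypothetical placeholder; the script runs on a reference PC whose Start Screen is already arranged the way the policy should enforce it.

```powershell
# Added example: export the current Start Screen layout to XML and stage it
# for the Start Screen Layout policy. Paths are placeholders.
$share  = '\\fileserver\layouts'                 # hypothetical network share
$local  = Join-Path $env:TEMP 'StartLayout.xml'
$target = Join-Path $share 'StartLayout.xml'

# Windows 8.1: -As selects XML (editable) or BIN output.
Export-StartLayout -Path $local -As XML

# Confirm the export is well-formed XML before pointing a GPO at it.
try {
    [xml](Get-Content -Path $local -Raw) | Out-Null
} catch {
    throw "Exported layout is not well-formed XML: $($_.Exception.Message)"
}

Copy-Item -Path $local -Destination $target -Force

# The policy reads this file for every targeted endpoint, so list who can
# change it. Ordinary users should only appear with read access.
(Get-Acl -Path $target).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The path held in $target is the value to enter in the Start Screen Layout policy dialog.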

What are the prerequisites for connecting a Windows 8.1 device to a domain?

There are a few hardware and software considerations when readying a Windows 8.1 system for connection to the enterprise domain. Hardware requirements are relatively straightforward. The endpoint must provide the processor, memory, graphics, storage and other components to support Windows 8.1 and provide wired or wireless connectivity (such as Wi-Fi or an Ethernet port) that is compatible with the enterprise LAN.

Remember that wireless connectivity in an enterprise may require a secure (WPA2) wireless adapter and Wi-Fi password (not the endpoint's logon password) available from the network administrator.

Also, make sure that the endpoint is running the correct edition of Windows 8.1. You'll need to run the Professional or Enterprise editions -- the Basic edition cannot join a domain. This may become an issue for bring your own device (BYOD) environments when end users try to employ a Basic-edition PC brought from home.

In addition, users will need admin-level access to change the computer's settings. If you're using the PC as a guest or do not know the local administrator logon details, it will probably be impossible to configure the PC for the new domain.

Finally, be certain that the organization's IT or network administrator created an account for the computer in Windows 8.1 Active Directory ahead of time. This process defines the network shares and drives that will be available to the user or assigned groups. This is usually no problem since user accounts can be (or already have been) created for all employees.

Once all the requirements are in place, connecting the new endpoint is typically easy. For example, click the magnifying glass icon in the upper right corner of the Windows 8.1 display to open a search dialog. Enter System into the search bar, and then select the System icon that appears in the list of search results.

Locate the Computer name, domain and workgroup settings entry and select Change settings. This is where you may be asked for an administrator password. Now, select Network ID and use the Join a Domain or Workgroup process that appears. Once completed, you'll probably need to restart the computer before logging onto the domain.
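The prerequisites and the join step above can also be checked and performed from an elevated PowerShell prompt. This is an added example, not part of the original article; corp.example.com is a placeholder domain name, and the edition test assumes the OS caption contains "Pro" or "Enterprise".

```powershell
# Added example: pre-flight checks before joining a Windows 8.1 PC to a domain.
# 'corp.example.com' is a placeholder; pass the real domain name.
param([string]$DomainName = 'corp.example.com')

$problems = @()

# 1. Edition: only Pro and Enterprise can join a domain.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -notmatch 'Pro|Enterprise') {
    $problems += "Edition '$($os.Caption)' cannot join a domain."
}

# 2. Local administrator rights are needed to change the computer's settings.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    $problems += 'This session is not running as a local administrator.'
}

# 3. Is the PC already a member of some domain?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    $problems += "Already a member of domain '$($cs.Domain)'."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    return
}

# All checks passed: join and restart. Get-Credential prompts for a domain
# account that is allowed to join this computer.
Add-Computer -DomainName $DomainName -Credential (Get-Credential) -Restart
```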

What kind of problems can occur when connecting a Windows 8.1 endpoint to a domain?

There are several common issues that can prevent a Windows 8.1 device from joining an enterprise network domain. Most troubleshooting starts by confirming the domain name and verifying that the Join a Domain or Workgroup process used to identify the domain was correct. If you did not reboot successfully or entered incorrect information for the domain name, you can't join the network.

An error message suggesting problems resolving the domain name system (DNS) server means that the server is not available to the endpoint. Open a command shell, and use ipconfig /all to learn about the PC's setup -- especially where it's looking for DNS information. An error here is usually traced to incorrect domain identification during the initial setup, such as a wrong domain name. Admins can also use common tools like ping and nslookup to determine whether firewall or port settings may be interfering with network connectivity.

Next, check the Windows 8.1 computer's TCP/IP adapter settings. For example, open the Control Panel, select the Network and Sharing Center, locate the computer's network adapter and select Change adapter settings.

Look at the property sheet and verify that the DNS details are correct. If the computer is automatically receiving a valid IP address and DNS server address, chances are the problem lies elsewhere. Some organizations may try temporarily disabling the local firewall to see if it may be blocking ports or restricting traffic from the Windows 8.1 PC.
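The DNS and connectivity checks above, scripted with the PowerShell equivalents of ipconfig, nslookup and a port test. This is an added example, not part of the original article; corp.example.com is a placeholder, and the port list is an assumption covering the services a domain join commonly needs (DNS, Kerberos, LDAP, SMB).

```powershell
# Added example: diagnose why a Windows 8.1 PC cannot find or reach its domain.
# 'corp.example.com' is a placeholder; pass the real domain name.
param([string]$DomainName = 'corp.example.com')

# Which DNS servers is each adapter using? (the same data ipconfig /all shows)
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# Domain controllers are located through this SRV record. If it does not
# resolve, the PC is asking the wrong DNS server or the domain name is wrong.
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "Cannot resolve $srvName : $($_.Exception.Message)"
    return
}

# Test TCP reachability of each domain controller on the assumed port list.
# A name that resolves but shows blocked ports points at a firewall.
$ports = 53, 88, 389, 445
foreach ($dc in ($srv.NameTarget | Select-Object -Unique)) {
    foreach ($port in $ports) {
        $result = Test-NetConnection -ComputerName $dc -Port $port `
            -WarningAction SilentlyContinue
        $state = if ($result.TcpTestSucceeded) { 'open' } else { 'blocked or unreachable' }
        '{0,-40} tcp/{1,-4} {2}' -f $dc, $port, $state
    }
}
```

Testing individual ports this way identifies a blocking rule without switching the local firewall off.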

What is sideloading, and how does it affect enterprise Windows 8.1 systems?

In most cases, endpoints download and install applications through the Windows Store or an enterprise app store built on platforms like Windows Intune or System Center Configuration Manager. However, not all companies with their own in-house or line-of-business applications can shoulder the additional burden of creating or maintaining a storefront.

Some organizations may want to restrict the distribution of applications to in-house users only. Sideloading is a mechanism intended to allow organizations to distribute applications to in-house users without using the Windows Store.

The Windows 8.1 Update enables sideloading for all Windows 8.1 Pro and Enterprise endpoints connected to an AD domain using deployment schemes like Windows PowerShell scripts or the Microsoft Deployment Toolkit (MDT). Sideloaded applications may be accessible to only one user or to all users of any targeted enterprise device.

Users won't need a key or activation to use the sideloaded application. Other volume-licensing organizations, such as an Enterprise Agreement or School Enrollment, can get a sideloading key at no additional cost. But other users not already using Windows 8.1 Pro or Enterprise (or in a suitable volume-licensing program) will need to buy an enterprise sideloading key, which is valid for an unlimited number of devices.

Remember that to distribute applications to users both inside and outside of the organization, it will be necessary to use the Windows Store.
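A sideloading deployment script of the kind mentioned above, written so that it refuses to install a package whose signature does not verify. This is an added example, not part of the original article; the package path is a placeholder, and the registry value checked is the one set by the "Allow all trusted apps to install" Group Policy setting.

```powershell
# Added example: sideload a line-of-business app only after confirming the
# endpoint is domain-joined, the policy allows it and the package is signed.
# The package path is a placeholder.
param([string]$PackagePath = 'C:\Deploy\LobApp.appx')

# 1. Keyless sideloading applies to domain-joined Pro/Enterprise endpoints.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw 'This PC is not joined to a domain; a sideloading key is required.'
}

# 2. The "Allow all trusted apps to install" policy must be enabled.
$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$allow = (Get-ItemProperty -Path $key -Name AllowAllTrustedApps `
              -ErrorAction SilentlyContinue).AllowAllTrustedApps
if ($allow -ne 1) {
    throw 'The policy "Allow all trusted apps to install" is not enabled.'
}

# 3. The package must carry a signature that chains to a certificate this
#    PC trusts. Record the signer so installs can be audited later.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for $PackagePath ($($sig.Status))."
}
Write-Output "Signed by: $($sig.SignerCertificate.Subject)"

# 4. Install for the current user.
Add-AppxPackage -Path $PackagePath
```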

Active Directory is an essential means of authenticating users, invoking Group Policies and enforcing security on all types of networks and enterprise domains. Admins must understand the requirements for adding Windows 8.1 Professional and Enterprise endpoints to existing domains, setting policies (such as Start Screen Layouts) and accessing applications through sources other than the Windows Store.

It's also important to recognize and resolve some of the varied problems that can occur when connecting Windows 8.1 endpoints to the network. This know-how is even more vital in mixed and BYOD environments where devices use a variety of operating system versions.
