When you think about it,
traditional home-based Windows PCs are unmanaged in the sense that
there’s no central oversight available, either by the head of a
household or a central server. This type of computing, which has been
formally described as workgroup computing, makes a certain amount of
sense at home, where each PC is an island of functionality unto itself.
In the workplace, however, especially at mid-sized businesses and
enterprises where there can be hundreds or thousands of PCs, the
go-your-own route doesn’t actually make any sense. Corporations need a
central way to manage users, PCs, devices, and other entities, and ways
to secure and update their computing products. They need what’s called
a managed solution.
The most popular managed solution for businesses
is called Active Directory, or AD. It requires a centralized Windows
Server infrastructure and uses Group Policy to establish rules for its
computing services. While AD and Group Policy haven’t made a lot of
headway with smaller businesses—though that could change with the
adoption of these services in cloud-based solutions like Windows Azure,
Office 365, and Windows Intune—it’s the standard at larger businesses.
And chances are, if you’re provided with a PC at work, you’ll be
required to sign in to your AD domain, not just to the PC using a local
account or Microsoft account. Domain-joined computers are controlled
via policy, so they can be very restrictive, especially for such things
as application installation and certain system customizations. But
they’re also typically better locked down from a security standpoint
and, when configured properly, allow you to access your company’s
secure network resources, even while working remotely.
Domain join works in Windows 8 as it did in
previous Windows versions. If your Windows 8 PC hasn’t been
pre-configured with your user account, you can sign in to the domain in
two ways: from the lock screen or through the Advanced System
Properties control panel.
To sign in to your domain from the lock screen, select Other user. Then, in the screen shown in Figure 1, you must provide your domain, username, and password credentials.
This sign-in must take a specific form, like domain\username or username@domain, in the username field. (Your employer will provide the domain name.) Assuming the domain name is mydomain.com and the username is paul, the username would then be mydomain\paul or paul@mydomain.com.
Alternatively, you can connect to your domain
first from a local (or Microsoft) account using the Advanced System
Properties control panel. You might use this method if you wanted to
access your work account from your own home PC, for example, though
again your workplace would likely provide you with additional tools
(such as a VPN) or information for making the connection.
First, of course, you must find Advanced System Properties. The easiest way is to use Start Search from the Start screen, type advanced system, and
then choose Settings from the Search bar. In the search results list,
select View advanced system settings. You’ll see a window like the one
in Figure 2. (If not, navigate to the Computer Name tab.)
To sign in to your domain, click Change. In the
Computer Name/Domain Changes window, enable Domain and type your fully
qualified domain name (yourdomain.com)
in the Domain field. (Again, this will be supplied by work.) Then, in
the dialog that appears, type your username only (for example, paul, and not mydomain\paul)
and password. You’ll be prompted to log off and then sign in with the
new domain account. Here, again, you’ll need to use either the domain\username or username@domain syntax for the username (for example, mydomain\paul).
When you sign in with a domain, Windows 8 works
largely as it does otherwise, aside from whatever policy-based
limitations your corporation has applied. Two obvious areas of
difference include the new Metro-style Mail app: When you run this app, you may be required to accept the
workplace’s more stringent Exchange ActiveSync (EAS)-based policy, as
you can see in Figure 3. This requirement exists outside of whatever domain-based policies you may have in place as well.
Likewise, the User Account control panels work differently with a domain.
Better Together
As is the case with each new version of
Windows, Windows 8 comes with a number of new group policies that help
administrators control new features that are specific to Windows 8.
Some of these policies are Windows 8-specific, so they don’t require a
certain version of Windows Server. This means they can be used with
older versions of Windows Server, like Windows Server 2008 R2. Others
are related to technologies that also require Windows Server 2012, the
Server version of Windows 8. These products can work in tandem to
deliver certain technologies in truly modern workplaces. Suffice it to
say, that’s pretty rare.
Domain users are probably familiar with the
myriad of ways in which their corporate overlords can control their
computing experience. And in each new version of Windows, Microsoft
adds to these capabilities, which are exposed through a technology
called Group Policy, part of Active Directory. To give you a taste of
what to expect, Table 1 highlights some of the over 150 new Windows 8-specific policies that have been added to Group Policy.
Table 1: Top New Windows 8 Group Policies
| Policy | Description |
|---|---|
| Allow all trusted apps to install | Manage the installation of app packages that do not originate from the Windows Store. When enabled, you can install any trusted app. |
| Do not display the lock screen | Controls whether the lock screen appears for users. If enabled, users will see their user tile after locking their PC. |
| Turn on PIN sign-in | Controls whether a domain user can sign in using a numeric PIN. If disabled or not configured, a domain user can’t set up and use a PIN. |
| Turn off picture password sign-in | Controls whether a domain user can sign in using a picture password. If disabled or not configured, a domain user can’t set up and use a picture password. |
| Turn off switching between recent apps | If enabled, users will not be allowed to switch between recent apps and the App Switching option in PC Settings will be disabled. |
| Windows To Go Default Startup Options | Controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options control panel item. |
| Turn off File History | Allows you to turn off File History. If enabled, File History cannot be activated to create regular, automatic backups. Otherwise, File History can be activated. |
| Turn off access to the Store | Specifies whether to use the Store service for finding an app or application to open a file with an unhandled file type or protocol association. |
| Turn off the Store application | Denies or allows access to the Windows Store app. If enabled, access to the Windows Store application is denied. |
| Turn off app notifications on the lock screen | Allows you to prevent app notifications from appearing on the lock screen. |
| Do not sync | This turns off and disables the “sync your settings” switch on the “sync your settings” page in PC Settings. If enabled, “sync your settings” will be turned off, and none of the “sync your setting” groups will be available. Note: Additional related policies let you control syncing of app settings, passwords, personalization, other Windows settings, browser settings, desktop personalization, and more. |
| Prevent users from uninstalling applications from Start | If enabled, users cannot uninstall apps from Start. |
| Allow Secure Boot for integrity validation | Configures whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. Secure Boot ensures that the PC’s pre-boot environment only loads digitally signed firmware. |
| Configure Windows SmartScreen | Manages the behavior of Windows SmartScreen. |
| Start Windows Explorer with ribbon minimized | This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. |
| Set Cost | Configures the cost of Wireless LAN connections on the local machine. If enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of these connections. (There are related policies, Set 3G Cost and Set 4G Cost, for cellular data connections.) |
| Turn off tile notifications | If enabled, apps and system features will not be able to update their tiles and tile badges in the Start screen. |
| Turn off toast notifications | If enabled, apps will not be able to raise toast notifications. (This policy does not affect taskbar notification balloons.) |
| Turn off toast notifications on the lock screen | If enabled, apps will not be able to raise toast notifications on the lock screen. |
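
To see which of the Table 1 policies have actually reached a given PC, the following PowerShell script reports domain membership and reads the registry values that several of the computer-level policies write. It is an added example, not part of the original text; the function names are hypothetical, and the registry key and value names are assumptions based on the standard policy templates that should be checked against the ADMX files in use.

```powershell
# Added example: registry key and value names below are assumptions taken from
# the standard policy templates; verify them against the ADMX files you deploy.
$Table1Policies = @(
    @{ Policy = 'Allow all trusted apps to install'
       Key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
       Value  = 'AllowAllTrustedApps' },
    @{ Policy = 'Do not display the lock screen'
       Key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
       Value  = 'NoLockScreen' },
    @{ Policy = 'Turn on PIN sign-in'
       Key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value  = 'AllowDomainPINLogon' },
    @{ Policy = 'Turn off picture password sign-in'
       Key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value  = 'BlockDomainPicturePassword' },
    @{ Policy = 'Configure Windows SmartScreen'
       Key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Value  = 'EnableSmartScreen' },
    @{ Policy = 'Turn off File History'
       Key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\FileHistory'
       Value  = 'Disabled' },
    @{ Policy = 'Turn off the Store application'
       Key    = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
       Value  = 'RemoveWindowsStore' }
)

function Get-DomainMembership {
    # Win32_ComputerSystem reports whether this PC is joined to a domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Computer          = $cs.Name
        DomainJoined      = $cs.PartOfDomain
        DomainOrWorkgroup = $cs.Domain
    }
}

function Get-Table1PolicyState {
    param([hashtable[]]$Policies = $Table1Policies)
    foreach ($p in $Policies) {
        $item = Get-ItemProperty -Path $p.Key -Name $p.Value -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Policy = $p.Policy
            # A missing value means the policy is not configured on this PC.
            State  = if ($item) { $item.($p.Value) } else { 'Not configured' }
        }
    }
}

Get-DomainMembership | Format-List
Get-Table1PolicyState | Format-Table -AutoSize
```

Running `gpresult /r` on the same PC lists which Group Policy objects were applied, which helps trace an unexpected value back to its source.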