Lab 05 ‐ ADDS and Group Policy - AidanP017/Aidan-SYS-255 GitHub Wiki

Overview

In this lab, we created an organizational unit (OU) in our domain as well as a group policy to enforce various options and apply these settings to newly added groups and computers in the OU.

How to Create an Organizational Unit in AD01

To create an organizational unit in AD01, take the following steps:

  • Open Server Manager.
  • Select "Tools" at the top-right corner of the dashboard.
  • Select "Active Directory Users and Computers".
  • Right-click on your domain on the left-hand side and select New > Organizational Unit.
  • Assign a name to the organizational unit and click "OK".
    • In this case, the name would be "SYS255".
  • Within this organizational unit, add sub-organizational units titled "Accounts", "Computers", and "Groups".
    • Note: If you checked the box protecting an organizational unit from accidental deletion and later need to delete it, open the View menu and check "Advanced Features". Then open the OU's Properties > Object tab and uncheck "Protect object from accidental deletion".

How to Create a New User Within an Organizational Unit in AD01

To create a new user within an organizational unit in AD01, take the following steps:

  • Right-click on the organizational unit and navigate to New > User.
  • Specify the First Name and User Logon Name.
  • Click Next.
  • Assign a password to the user.
    • If desired, check the box that says "User must change password at next logon".
  • Click Next.
  • Review the information and click Finish.

Drag WKS01 out of the default Computers container into SYS255 > Computers, so that the computers in the SYS255 OU can be treated differently from the rest of the domain (for example, by group policies linked to that OU).

How to Create a New Global Security Group Within an Organizational Unit in AD01

To create a new global security group within an organizational unit in AD01, take the following steps:

  • Right-click on the Groups OU within SYS255 and navigate to New > Group.
  • Specify a name for the group.
  • Make sure the group scope is specified as "Global" and the group type is specified as "Security".

To assign members to the new group, take the following steps:

  • Open the Properties for the new group.
  • Select the Members tab.
  • Select Add.
  • Add the users that you want to assign to the new group by typing their name in the "Enter the object names to select (examples):" box and checking their names. Then, select OK.
  • Click Apply, then click OK to save your changes.
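The OU, user and group steps above done with the ActiveDirectory PowerShell module on AD01 instead of the GUI. This is an added example, not part of the original wiki; the user jdoe, the group name SYS255-Users and the interactive password prompt are assumptions.

```powershell
# Added example (not part of the original lab writeup): OU, user and group creation
# on AD01 with the ActiveDirectory module. Account and group names are placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=yourfirstname,DC=local
$dnsRoot  = (Get-ADDomain).DNSRoot                    # e.g. yourfirstname.local
$labOU    = "OU=SYS255,$domainDN"

# Top-level OU. Leaving accidental-deletion protection off avoids the
# "Advanced Features" detour described in the note above.
New-ADOrganizationalUnit -Name "SYS255" -Path $domainDN -ProtectedFromAccidentalDeletion $false

# Sub-OUs for accounts, computers and groups
foreach ($name in "Accounts", "Computers", "Groups") {
    New-ADOrganizationalUnit -Name $name -Path $labOU -ProtectedFromAccidentalDeletion $false
}

# A user in Accounts who must change the password at next logon.
# The password is prompted for so it never lands in the script or the shell history.
$pw = Read-Host -AsSecureString -Prompt "Initial password for jdoe"
New-ADUser -Name "Jane Doe" -GivenName "Jane" -SamAccountName "jdoe" `
    -UserPrincipalName "jdoe@$dnsRoot" `
    -Path "OU=Accounts,$labOU" -AccountPassword $pw `
    -ChangePasswordAtLogon $true -Enabled $true

# Global security group in Groups, with jdoe as its first member
New-ADGroup -Name "SYS255-Users" -GroupScope Global -GroupCategory Security -Path "OU=Groups,$labOU"
Add-ADGroupMember -Identity "SYS255-Users" -Members "jdoe"

# Move WKS01 out of the default Computers container into SYS255\Computers
Get-ADComputer -Identity "WKS01" | Move-ADObject -TargetPath "OU=Computers,$labOU"

# Check: everything that now sits under the lab OU, with its object class
Get-ADObject -SearchBase $labOU -Filter * | Select-Object Name, ObjectClass, DistinguishedName
```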

How to Create and Configure a New Group Policy in AD01

To create and configure a new group policy in AD01, take the following steps:

  • In the Server Manager Dashboard, select Tools at the top and select Group Policy Management.
  • Navigate to the directory within Domains that is associated with SYS255.
  • Right-click on SYS255 and select "Create a GPO in this domain, and Link it here...".
  • Specify a name for the GPO and click OK.
  • Select the new GPO from SYS255.
  • Under the Security Filtering tab, add the new global security group in a manner similar to assigning members to the group earlier on.
  • Remove the Authenticated Users from the Security Filtering tab.
  • Add the domain computers by typing "Domain Computers" into the box in Security Filtering > Add....
  • In the Delegation tab above, select "Advanced..." and deny "Apply group policy" for the Domain Computers entry just added. Domain computers then keep Read access to the GPO (which they need in order to process its user settings) without having it applied to themselves.
  • Select Apply, then select OK to save your changes.

How to Nuke the Recycle Bin in AD01

To nuke the recycle bin in AD01, take the following steps:

  • Right-click on the GPO and select "Edit...".
  • Navigate to User Configuration > Policies > Administrative Templates... > Desktop.
  • In the right-hand tab, locate "Remove Recycle Bin icon from desktop".
  • Right-click on the setting and click Edit.
  • Check the Enabled box.
  • Click Apply, then click OK to save your changes.
    • Note: To verify the group policy, log on as one of the user accounts created earlier, open Windows PowerShell and run gpresult /r.

How to Create a GPO in AD01 that Disables Last Logons for a Computer System

To create a GPO in AD01 that disables last logons for a computer system, take the following steps:

  • In the Group Policy Management settings, navigate to the Computers OU within SYS255.
  • Right-click on the Computers OU and select the option to create a GPO.
  • Name the GPO "DisableLastLogin" and select OK.
  • Add the domain computers and remove the authenticated users from the Security Filtering tab within the GPO as performed earlier.
  • Enter the Edit settings for the GPO and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  • In the right-hand tab, enable the policy that says "Interactive logon: Don't display last signed-in".
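The two GPOs above (the user-side desktop policy with its security filtering, and the computer-side DisableLastLogin policy) built with the GroupPolicy module on AD01. This is an added example, not part of the original wiki; the GPO name SYS255-Desktop and the group name SYS255-Users are assumptions, and the Security Options setting is delivered here as a registry policy value rather than through the Security Settings editor.

```powershell
# Added example (not part of the original lab writeup): the GPO steps done with the
# GroupPolicy module on AD01. GPO and group names are placeholders; the OU paths follow
# the SYS255 layout described in the lab.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$labOU    = "OU=SYS255,$domainDN"
$compOU   = "OU=Computers,$labOU"

# --- User-side GPO linked at SYS255, filtered to one global security group ----------
$userGpo = New-GPO -Name "SYS255-Desktop"
New-GPLink -Name $userGpo.DisplayName -Target $labOU | Out-Null

# Security Filtering in the GUI = Read + Apply for the group, nothing for Authenticated Users.
# -Replace is needed to lower an existing permission rather than leave it untouched.
Set-GPPermission -Name $userGpo.DisplayName -TargetName "SYS255-Users" -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $userGpo.DisplayName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace | Out-Null
# Domain Computers gets Read but not Apply (the Delegation > Advanced step): the computer
# account must be able to read the GPO for its user settings to be processed at logon.
Set-GPPermission -Name $userGpo.DisplayName -TargetName "Domain Computers" -TargetType Group -PermissionLevel GpoRead | Out-Null

# "Remove Recycle Bin icon from desktop": the ADMX setting writes this HKCU value
# (the value name is the Recycle Bin's CLSID).
Set-GPRegistryValue -Name $userGpo.DisplayName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" `
    -ValueName "{645FF040-5081-101B-9F08-00AA002F954E}" -Type DWord -Value 1 | Out-Null

# --- Computer-side GPO on SYS255\Computers -----------------------------------------
$compGpo = New-GPO -Name "DisableLastLogin"
New-GPLink -Name $compGpo.DisplayName -Target $compOU | Out-Null
Set-GPPermission -Name $compGpo.DisplayName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $compGpo.DisplayName -TargetName "Domain Computers" -TargetType Group -PermissionLevel GpoApply | Out-Null

# "Interactive logon: Don't display last signed-in" lives under Security Options in the
# GUI; the same registry value delivered through Registry policy has the same effect.
Set-GPRegistryValue -Name $compGpo.DisplayName `
    -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "DontDisplayLastUserName" -Type DWord -Value 1 | Out-Null

# Check the resulting filter and settings before confirming with gpresult /r on WKS01.
Get-GPPermission -Name $userGpo.DisplayName -All |
    Select-Object @{ n = "Trustee"; e = { $_.Trustee.Name } }, Permission
Get-GPOReport -Name $compGpo.DisplayName -ReportType Html -Path "$env:USERPROFILE\Desktop\DisableLastLogin.html"
```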

Next Week's Assessment

For next week's assessment, we will be required to build a subset of the Week 5 VM environment on our own within a day. In order to prepare for this, I think that the best course of action would be to review information and processes from the labs preceding Week 5, mainly:

  • Configuring my firewall (FW01).

    • Setting network adapters.
      • em0 = WAN
      • em1 = LAN
    • pfSense
      • Hostname: fw01-yourfirstname
      • Domain: yourfirstname.local
      • Primary DNS: 8.8.8.8
      • Remember to uncheck "Block private networks from entering via WAN".
  • Configuring DNS and Group Policies (AD01)

    • WKS01 should be able to ping champlain.edu via FW01 at 10.0.5.2.
    • Change network adapter to LAN on AD01.
    • Network & Internet Settings
      • Set IP Address: 10.0.5.5
      • Set Subnet Mask: 255.255.255.0
      • Set Default Gateway: 10.0.5.2 (make sure that FW01 is running)
      • Set DNS: 10.0.5.2
    • Computer name should be set to ad01-yourfirstname.
    • Reboot the system.
    • Use a Command Prompt or PowerShell prompt to verify the change in hostname.
      • Command: whoami
    • Server Manager
      • Ensure that the ADDS Role is installed.
        • Add Roles and Features
      • Promote the server to a domain controller.
      • Create a new forest and name it "yourfirstname.local".
      • Invoke DNS Manager from the DNS context menu.
        • Create a Forward Lookup Zone by creating a new host (A) named "fw01-yourfirstname" with IP 10.0.5.2 and update the associated pointer (PTR) record.
        • Create a Reverse Lookup Zone for all IPs in the 10.0.5.0/24 network by right-clicking it and selecting "New Zone...".
        • Add a network ID of 10.0.5 and create a new PTR record from the A record of fw01-yourfirstname and ad01-yourfirstname.
      • Active Directory Users and Computers
        • Add a new administrator user for the domain (firstname.lastname-adm).
        • Add a new non-administrator user for the domain (firstname.lastname).
    • Set WKS01's DNS to 10.0.5.5 (AD01's address).
    • Ping the domain to ensure connectivity.
    • Add WKS01 to the domain.
    • Create Organizational Units.
      • Create users and groups within OUs.
      • Create and configure new group policies (GPOs).
  • Configuring DHCP (DHCP01)

    • Edit the network settings using nmtui.
    • Add a privileged user in the CentOS command line and set their password.
      • Commands: useradd, passwd
    • Add a new group in the CentOS command line.
      • Command: groupadd
    • Add the user to the group.
      • Command: usermod -aG
    • Change a user's file and directory permissions.
      • Command: chmod
    • Access DHCP01 remotely from WKS01 via SSH.
    • Edit text using Vim or Nano.
    • Enable DHCP services.
      • Commands: systemctl start dhcpd, systemctl enable dhcpd
    • Configure the firewall to allow incoming DHCP requests.
    • Release and renew the current DHCP lease.
      • Commands: ipconfig /release, ipconfig /renew, ipconfig /all
    • Change the default lease time for DHCP clients as desired.
    • Disable root user access to DHCP as desired.
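The "Configuring DNS and Group Policies (AD01)" items of the review list above as PowerShell run on AD01 in stages. This is an added example, not part of the original wiki; the interface alias "Ethernet" is an assumption, "yourfirstname" is the placeholder the list already uses, and the reverse-zone PTR for AD01 is added explicitly because the zone is created after promotion.

```powershell
# Added example (not part of the original lab writeup): the AD01 build steps from the
# review list, run in stages because the rename and the forest install each reboot.
# "Ethernet" and "yourfirstname" are placeholders.
$first  = "yourfirstname"
$domain = "$first.local"
$nic    = "Ethernet"

# Stage 1: static LAN addressing and hostname (values from the review list)
New-NetIPAddress -InterfaceAlias $nic -IPAddress 10.0.5.5 -PrefixLength 24 -DefaultGateway 10.0.5.2
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses 10.0.5.2
Rename-Computer -NewName "ad01-$first" -Restart
# After the reboot, `hostname` shows the new computer name (`whoami` shows the user).

# Stage 2: ADDS role and a new forest (prompts for the DSRM password, then reboots)
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName $domain -InstallDns -Force

# Stage 3: DNS records. Promotion already created the forward zone for $domain;
# the reverse zone for 10.0.5.0/24 is created here.
Add-DnsServerPrimaryZone -NetworkId "10.0.5.0/24" -ReplicationScope Domain
Add-DnsServerResourceRecordA -ZoneName $domain -Name "fw01-$first" -IPv4Address 10.0.5.2 -CreatePtr
# AD01's own A record already exists, so only its PTR is added to the new zone.
Add-DnsServerResourceRecordPtr -ZoneName "5.0.10.in-addr.arpa" -Name "5" -PtrDomainName "ad01-$first.$domain"

# Stage 4: the two domain accounts from the review list (passwords prompted, not stored)
Import-Module ActiveDirectory
foreach ($sam in "firstname.lastname-adm", "firstname.lastname") {
    $pw = Read-Host -AsSecureString -Prompt "Password for $sam"
    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@$domain" -AccountPassword $pw -Enabled $true
}
Add-ADGroupMember -Identity "Domain Admins" -Members "firstname.lastname-adm"

# Check: forward and reverse resolution both answer through AD01 (the address WKS01 will use)
Resolve-DnsName "fw01-$first.$domain" -Server 10.0.5.5
Resolve-DnsName 10.0.5.2 -Server 10.0.5.5
```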