Lab 5: ADDS and Group Policy - Hsanokklis/2023-2024-Tech-journal GitHub Wiki
Objectives
- Create an Organizational unit (OU) in our domain
- Create a group policy that enforces various options
- Apply settings to the groups and computers in the newly created OU
An OU is a container within a Microsoft windows AD domain that can hold users, groups and computers. It is the smallest unit to which an admin can assign group policy settings or account permissions.
OU Structure Creation
Go to "Active Directory Users and Computers":
- Go to Server Manager
- Go to Local Server
- Go to Tools
This is Active Directory Users and Computers
Create an Organizational Unit (OU) called "SYS255"
Within this OU we will add child OUs for Accounts, Computers, and Groups.
Here is the SYS255 OU
We can now create objects within the OU such as:
- Users
- Groups
All of these object types are defined by what's known as the AD schema, which can be thought of as an instruction sheet/map listing all available pieces in AD.
Make three more OUs under the SYS255 OU (Accounts, Computers, and Groups).
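The same OU tree can be built from PowerShell on the domain controller. This is an added example, not part of the wiki page; it assumes the ActiveDirectory module is present (it is installed with the AD DS role) and that you are running as a domain admin. The helper name New-LabOU is my own.

```powershell
# Added example (not from this wiki): build the SYS255 OU tree from PowerShell.
# Assumes the ActiveDirectory module and a domain-admin session on the DC.
Import-Module ActiveDirectory

# Create an OU under $Path unless one with that name already exists (safe to re-run).
function New-LabOU {
    param([string]$Name, [string]$Path)
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Path -SearchScope OneLevel
    if ($existing) { return $existing }
    # ProtectedFromAccidentalDeletion adds a Deny-Delete ACE so a stray right-click cannot remove the OU
    New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true -PassThru
}

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=hannelore,DC=local
$sys255   = New-LabOU -Name "SYS255" -Path $domainDN

foreach ($child in "Accounts", "Computers", "Groups") {
    New-LabOU -Name $child -Path $sys255.DistinguishedName | Out-Null
}

# Verify: list the tree together with its deletion-protection flag
Get-ADOrganizationalUnit -SearchBase $sys255.DistinguishedName -Filter * -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion |
    Format-Table -AutoSize
```

The LDAP-filter lookup makes the script idempotent, so it can be run again after a partial failure without producing duplicate-name errors; the final query is the same check you would do by eye in Active Directory Users and Computers.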
Create Users and Groups
Create three users in the accounts OU: alice, bob and charlie
TROUBLESHOOTING
The passwords have to be complex; that includes no dictionary words. I used a random password generator to get a password that actually worked, because I was using too many dictionary words in mine.
- alice
password: =3>a2"A)l1to8Xe (make sure "User must change password at next logon" is unchecked; not good practice, but it makes this lab easier)
- bob
password: =3>a2"A)l1to8Xe (make sure "User must change password at next logon" is unchecked; not good practice, but it makes this lab easier)
- charlie
password: =3>a2"A)l1to8Xe (make sure "User must change password at next logon" is unchecked; not good practice, but it makes this lab easier)
The successful creation of the 3 users within SYS255/Accounts
Drag WKS01 from the yourname.local\Computers container to the SYS255\Computers OU.
This will allow us to treat SYS255 OU Computers differently than others.
wks01 in hannelore.local/computers
wks01 in SYS255/Computers
Within the SYS255\Groups OU, add a global security group called custom-desktop
Add alice and bob to the custom-desktop group
- Go to "custom-desktop Properties"
- Go to the Members tab
- Click Add
You can type the user's name and press "Check Names" so the system verifies that it recognizes the user.
Make sure you press Apply once you are done adding your users.
Here are bob and alice successfully added to the custom-desktop group
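The user, group and computer steps above, done from PowerShell on the DC as an added example (not the wiki's own procedure). It assumes the SYS255 OU tree already exists, that WKS01 is already domain-joined, and that you run it as a domain admin; the lab password is prompted for rather than written into the script.

```powershell
# Added example (not from this wiki): populate SYS255/Accounts, SYS255/Groups and SYS255/Computers.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$domainDN    = $domain.DistinguishedName
$dnsRoot     = $domain.DNSRoot                      # e.g. hannelore.local
$accountsOU  = "OU=Accounts,OU=SYS255,$domainDN"
$groupsOU    = "OU=Groups,OU=SYS255,$domainDN"
$computersOU = "OU=Computers,OU=SYS255,$domainDN"

# Ask once for the password; it must satisfy the Default Domain Policy complexity rules
$password = Read-Host -Prompt "Password for alice, bob and charlie" -AsSecureString

foreach ($name in "alice", "bob", "charlie") {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@$dnsRoot" `
            -Path $accountsOU -AccountPassword $password -Enabled $true `
            -ChangePasswordAtLogon $false   # same as the unchecked box in the lab (lab convenience only)
    }
}

# Global security group for the desktop policy's security filtering
if (-not (Get-ADGroup -Filter "SamAccountName -eq 'custom-desktop'")) {
    New-ADGroup -Name "custom-desktop" -SamAccountName "custom-desktop" `
        -GroupScope Global -GroupCategory Security -Path $groupsOU
}

# Add only the members that are not already in the group (Add-ADGroupMember errors on duplicates)
$current = (Get-ADGroupMember -Identity "custom-desktop").SamAccountName
$toAdd   = "alice", "bob" | Where-Object { $_ -notin $current }
if ($toAdd) { Add-ADGroupMember -Identity "custom-desktop" -Members $toAdd }

# Move WKS01 out of the default Computers container so OU-linked computer policy can reach it
$wks = Get-ADComputer -Identity "WKS01"
if ($wks.DistinguishedName -notlike "*,$computersOU") {
    Move-ADObject -Identity $wks.DistinguishedName -TargetPath $computersOU
}

# Verify what the screenshots in the lab show
Get-ADGroupMember -Identity "custom-desktop" | Select-Object Name, SamAccountName
Get-ADComputer   -Identity "WKS01"          | Select-Object Name, DistinguishedName
```

charlie is deliberately left out of custom-desktop so that, once the security-filtered GPO exists, you have a user to prove the policy does not apply to non-members.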
Group Policy - User
Create a group policy that defines some user-level settings.
- go to tools
- go to Group Policy Management
HELPFUL INFO: the Group Policy Management window does not show the contents of an OU (such as the accounts and computers inside it), but it lets you link policy to the OU.
There is already a Default Domain Policy that applies to the SYS255 OU (it is inherited from the domain). This is what controls the default password expiration and complexity requirements.
Creating a User Policy
Select the SYS255 OU and create a new group policy object (GPO) called sys255-desktop
Right-click on the new GPO and click Edit.
The sys255-desktop Group Policy should only apply to those users in this OU who are members of the custom-desktop security group.
You set this using the Security Filtering section of the group policy.
By default, Authenticated Users has permission to read and apply the group policy; we will restrict this through the following steps.
Step 1. Add the custom-desktop group created earlier to the Security Filtering list.
Step 2. Remove Authenticated Users from the Security Filtering list.
Step 3. Add Domain Computers (the workstation's computer account still needs Read access to retrieve the GPO).
Step 4. Delegation tab -> Advanced -> select Domain Computers and, for Apply Group Policy, uncheck Allow and select Deny (computers can read the GPO but never apply it).
Nuking the Recycle Bin
Having defined who this policy applies to, now author what the group policy does.
Find the "Remove Recycle Bin icon from desktop" setting under User Configuration and click Edit policy setting in the Group Policy editor.
Set "Remove Recycle Bin icon from desktop" to Enabled.
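The whole sys255-desktop procedure (create, link, security-filter, set the Recycle Bin setting) as an added PowerShell example run on the DC; it is not from the wiki. It assumes the GroupPolicy and ActiveDirectory modules and a domain-admin session. The registry key and value name are the ones the "Remove Recycle Bin icon from desktop" Administrative Template writes (Desktop.admx), stated here from my own knowledge rather than from the page.

```powershell
# Added example (not from this wiki): create and security-filter the sys255-desktop GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$sys255OU = "OU=SYS255,$domainDN"
$gpoName  = "sys255-desktop"

# Create the GPO if missing (Get-GPO -Name throws on a missing name, so filter the full list instead)
$gpo = Get-GPO -All | Where-Object DisplayName -eq $gpoName
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment "Lab 5: desktop settings for custom-desktop members" }

# Link it to SYS255 once
$links = (Get-GPInheritance -Target $sys255OU).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $sys255OU -LinkEnabled Yes | Out-Null
}

# Security filtering, matching steps 1-3 of the lab:
#   custom-desktop      -> Read + Apply  (the only principals the policy should affect)
#   Authenticated Users -> removed       (drops the default Read + Apply)
#   Domain Computers    -> Read only     (the computer account fetches user GPOs since MS16-072)
Set-GPPermission -Name $gpoName -TargetName "custom-desktop"      -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName "Domain Computers"    -TargetType Group -PermissionLevel GpoRead | Out-Null

# "Remove Recycle Bin icon from desktop" (User Configuration) is stored as this registry value
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" `
    -ValueName "{645FF040-5081-101B-9F08-00AA002F954E}" -Type DWord -Value 1 | Out-Null

# Audit: who can read and who can apply this GPO now?
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = "Trustee"; e = { $_.Trustee.Name }}, TrusteeType, Permission |
    Format-Table -AutoSize
```

Set-GPPermission cannot write an explicit Deny ACE, so step 4 of the lab (Deny Apply Group Policy for Domain Computers) is not reproduced; with Domain Computers holding only GpoRead there is no Apply ACE for them anyway, and because this GPO carries only User Configuration settings the computer account would not apply it in any case. Check the audit output before logging in as alice: only custom-desktop should show GpoApply.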
Deliverable 1. Login to WKS01 as Alice, and your desktop should not include the Recycle Bin. Provide a screenshot showing both your VM name, the lack of Recycle Bin, and the results of gpresult /r (using Alice's account).
Creating a computer policy
Computer policies are applied before login and affect the entire system, and thus any user who logs in.
Disable Last Login
Create and Link a new GPO within the SYS255\Computers OU called DisableLastLogin.
The Security Filter on this policy should be applied to Domain Computers (not Authenticated Users).
Edit the policy so that the "Don't display last signed-in" security option is enabled:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> set 'Interactive logon: Don't display last signed-in' to 'Enabled'
Deliverable 2: On WKS01, from an elevated domain administrative command prompt, issue the following commands:
- gpupdate /force
- gpresult /scope computer /r
- Provide a screenshot showing the DisableLastLogin Policy was applied.
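An added example (not the wiki's own steps) covering the DisableLastLogin GPO on the DC and the check on WKS01 that backs up the deliverable 2 screenshot. It assumes the GroupPolicy and ActiveDirectory modules on the DC and an elevated prompt on WKS01. The security option in the lab maps to the DontDisplayLastUserName registry value; that mapping is from my own knowledge, not from the page, and Set-GPRegistryValue stores it under the Administrative Templates part of the GPO rather than the Security Settings template the GUI path uses, so the GPO report looks slightly different even though the effect on the workstation is the same.

```powershell
# Added example (not from this wiki). Part 1 runs on the DC, Part 2 on WKS01.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# ---- Part 1 (DC): create, link and filter the computer GPO ----
$domainDN = (Get-ADDomain).DistinguishedName
$target   = "OU=Computers,OU=SYS255,$domainDN"
$gpoName  = "DisableLastLogin"

$gpo = Get-GPO -All | Where-Object DisplayName -eq $gpoName
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment "Lab 5: hide last signed-in user on SYS255 computers" }

if (-not ((Get-GPInheritance -Target $target).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null
}

# Security filter: Domain Computers apply it, Authenticated Users is removed
Set-GPPermission -Name $gpoName -TargetName "Domain Computers"    -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace | Out-Null

# 'Interactive logon: Don't display last signed-in' = Enabled is this value under HKLM
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
    -ValueName "DontDisplayLastUserName" -Type DWord -Value 1 | Out-Null

# ---- Part 2 (WKS01, elevated): refresh policy and confirm the effective setting ----
# Returns $true when the last signed-in user is hidden on the logon screen.
function Test-LastSignedInHidden {
    $key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $val = (Get-ItemProperty -Path $key -Name DontDisplayLastUserName -ErrorAction SilentlyContinue).DontDisplayLastUserName
    return ($val -eq 1)
}

gpupdate /force
gpresult /scope computer /r          # DisableLastLogin should be listed under "Applied Group Policy Objects"
Test-LastSignedInHidden
```

If Test-LastSignedInHidden returns $false after gpupdate, the usual causes are that WKS01 is still in the default Computers container (so the OU link does not reach it) or that the computer account lost Read on the GPO when Authenticated Users was removed; gpresult /scope computer /r shows the GPO under "The following GPOs were not applied because they were filtered out" in that case.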
TROUBLESHOOTING: I could not figure out my admin login so here it is for future reference.
- password: redacted (you know the pw)
- Command: gpupdate /force
- Command: gpresult /scope computer /r
Deliverable 3. Sign out of WKS01, and provide a screenshot showing the changes to the login screen. You should no longer see evidence of the last user who had logged in.
Deliverable 4: For your Tech Journal Entry - Create a detailed plan of how to prepare for next week's assessment. This plan should include a Current Network Diagram (example tool: https://app.diagrams.net) containing at least devices, hostnames, IPs, services, and "cabling".
Preparation plan entry: https://github.com/Hsanokklis/2023-2024-Tech-journal/wiki/Preparation-for-EXPLOSION