Lab 5 ADDS and Group Policy - InaFricke/SYS-255 GitHub Wiki

ADDS and Group Policy

  1. Under Local Server select Tools -> Active Directory Users and Computers.

  2. Create an organizational unit called "SYS255".

  3. Within this OU we will add child OUs for Accounts, Computers, and Groups.

Notable

Now that this is created, we can right-click and create users, groups, and other domain objects in Active Directory. All of these objects are defined by what is known as the schema, which can be thought of as an instruction sheet or map listing every kind of object available in AD. Taken together, the objects the schema describes make up a distributed database.

Create Users and Groups

  1. In the SYS255\Accounts OU, create users Alice, Bob and Charlie with the password Password32 (uncheck the option that requires a password change at first login).

  2. Place WKS01 in the Computers OU (this gives us control over it).

  3. In the SYS255\Groups OU, add a global security group called custom-desktop with users Alice and Bob (not Charlie) as members.

Notable

Organizations often have a large number of groups defined in their AD domain. For this reason, it is a best practice to have a naming convention that purposefully describes what each group does. Groups frequently grant or deny users permission to folders and resources on the network, so a commonly found group name takes a form like DepartmentName_RW_ACL or GP_WindowsIESettings_ACL. This gives administrators an idea of what the group is for and who may need to be a member.

Group Policy - User

  1. Tools -> Group Policy Management -> Domains -> ina.local -> SYS255

💣 Weak administrator credentials are the root cause of many security breaches! While the default password complexity rules are good, credential security should only ever be increased, never relaxed.

Creating a User Policy

  1. Select the SYS255 OU and create a new Group Policy Object (GPO) called sys255-desktop.

  2. Right-click the object and select Edit.

  3. Add the custom-desktop group created earlier to the Security Filter (spelling matters).

  4. Remove Authenticated Users from the Security Filter.

  5. Add Domain Computers.

  6. Delegation tab -> Advanced (uncheck Apply Group Policy, select Deny) (may have messed up?)

Nuking the Recycle Bin

  1. Right-click and select Edit.

  [image]

  2. Apply and OK.

Creating a Computer Policy

Unlike user policies, which are associated with the logged-on user, computer policies are applied before login and affect the entire system, and therefore every user who logs in.

Disable Last Login

  1. Create and Link a new GPO within the SYS255\Computers OU called DisableLastLogin


The Security Filter on this policy should be applied to Domain Computers (remove Authenticated Users)

  2. Edit the policy so that "Do not display last user name" is enabled.
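The whole lab build-out as one PowerShell script, added here as an example and not part of the lab page or the course materials: it creates the OU tree, the users and group, and both GPOs from the steps above, and does the security filtering with Set-GPPermission instead of the GUI. It assumes the domain ina.local, the ActiveDirectory and GroupPolicy modules on the domain controller, the lab password from the steps above, and that the missing screenshot under "Nuking the Recycle Bin" showed the "Remove Recycle Bin icon from desktop" setting (an assumption).

```powershell
# Added example, not part of the lab page. Assumes the domain ina.local,
# the ActiveDirectory and GroupPolicy modules on the DC, and the lab password.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = 'DC=ina,DC=local'
$sysDN    = "OU=SYS255,$domainDN"

# OU tree: SYS255 with child OUs Accounts, Computers and Groups
New-ADOrganizationalUnit -Name 'SYS255' -Path $domainDN
foreach ($ou in 'Accounts', 'Computers', 'Groups') {
    New-ADOrganizationalUnit -Name $ou -Path $sysDN
}

# Alice, Bob and Charlie with no forced password change at first logon
$pw = ConvertTo-SecureString 'Password32' -AsPlainText -Force
foreach ($u in 'Alice', 'Bob', 'Charlie') {
    New-ADUser -Name $u -SamAccountName $u.ToLower() -Path "OU=Accounts,$sysDN" `
        -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $false
}

# WKS01 into the Computers OU; custom-desktop holds Alice and Bob only
Get-ADComputer -Identity 'WKS01' | Move-ADObject -TargetPath "OU=Computers,$sysDN"
New-ADGroup -Name 'custom-desktop' -GroupScope Global -GroupCategory Security -Path "OU=Groups,$sysDN"
Add-ADGroupMember -Identity 'custom-desktop' -Members 'alice', 'bob'

# User GPO on SYS255, security-filtered: only custom-desktop applies it.
# Domain Computers keeps Read so the workstation can still fetch the user
# policy at logon (no Deny is set, unlike the Delegation step in the lab).
New-GPO -Name 'sys255-desktop' | New-GPLink -Target $sysDN | Out-Null
Set-GPPermission -Name 'sys255-desktop' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace
Set-GPPermission -Name 'sys255-desktop' -TargetName 'custom-desktop' -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name 'sys255-desktop' -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead
# Assumed content of the missing screenshot: "Remove Recycle Bin icon from desktop"
Set-GPRegistryValue -Name 'sys255-desktop' -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum' `
    -ValueName '{645FF040-5081-101B-9F08-00AA002F954E}' -Type DWord -Value 1

# Computer GPO on the Computers OU, applied by Domain Computers only
New-GPO -Name 'DisableLastLogin' | New-GPLink -Target "OU=Computers,$sysDN" | Out-Null
Set-GPPermission -Name 'DisableLastLogin' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace
Set-GPPermission -Name 'DisableLastLogin' -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoApply
# Registry value behind "Interactive logon: Do not display last user name"
Set-GPRegistryValue -Name 'DisableLastLogin' -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DontDisplayLastUserName' -Type DWord -Value 1

# Check: which trustees may apply each GPO after filtering
foreach ($g in 'sys255-desktop', 'DisableLastLogin') {
    Get-GPPermission -Name $g -All | Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { "{0}: {1}" -f $g, $_.Trustee.Name }
}
```

Run it once on the DC as a domain admin; the closing loop should list custom-desktop for sys255-desktop and Domain Computers for DisableLastLogin. Because the registry values are written with Set-GPRegistryValue, they show up under Administrative Templates rather than Security Options in the Group Policy editor, although the effect on the client is the same.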