Milestone 10 User and Service Provisioning - Oliver-Mustoe/Oliver-Mustoe-Tech-Journal GitHub Wiki

This page journals content related to NET/SEC/SYS-480 milestone 10.

Table of contents

VM Inventory

10.1 Users and Groups

First I generated a list of ~150 named users and groups (used Game of Thrones characters and their respective houses.) I did this by asking ChatGPT to generate 50 or so at one time and combining the list. After it was finished I would make sure the 2 column headers were 'Name' and 'Group for names and respective houses.

Installed I would then use my install-windows-ansible.sh script to install the new dependencies I needed:

bash install-windows-ansible.sh

I then deployed the 2 new VMs I would need (fs-blue1 and wks01-blue1) into the 'BLUE1' folder. Command directly below:

# Changed network adapter to 'BLUE1', did not turn on
Deploy-Clone -LinkedClone -VMName server.2019.core.base -CloneVMName fs-blue1 -defaultJSON ./480.json -Location BLUE1
Deploy-Clone -LinkedClone -VMName desktop.windows10.ltsc.base -CloneVMName wks01-blue1 -defaultJSON ./480.json -Location BLUE1

Then I made a new inventory file to include the domain, file server, and workstation named windows-m10.yaml:

Afterwards made a python script to add a extra column to the generated csv that contains user passwords named csv-password-generator.py:

python3 csv-password-generator.py -i <PATH_OF_CSV> -o <WHERE_NEW_CSV_SHOULD_BE_PLACED>

NOTE: Run you will see below is of example data, it was NOT used in my environment. This is done below for tech journaling purposes ONLY. I have explicitly marked each of the files to be used in the ansible script to end with ".vault" (as seen in the yaml inventory) which are the files actually used!

Example run of the python script on a newly created (example) csv file in SEC-480/ansible/files/windows. Command directly below:

python3 csv-password-generator.py -i userandgroups.csv.example -o usersandgroupsandpasswords.csv.example

CSV with no password:

Outputted CSV with a password column:

I would also make a separate file containing just the groups as to make group related actions (creation, file shares) faster (example):

My created inventory would reflect these 2 files inside a variables for easy defining. Would need to change the values for 'csv_path' and 'group_csv_path' in the inventory to point towards the outputted file after running above python script on an example CSV/the separated group file:

^ Above also is using the '.vault' syntax as that is what I used in my enviro. If I was using the example files outlined in this tech journal the 'vault' would be replaced by 'example'!

Then I ran my ansible script named windows-user-groups.yml to create the users and groups. Output is truncated due to length of the user/group creation output and is edited to hide highly sensitive information. Command directly below:

ansible-playbook windows-user-groups.yml --ask-pass -K -i inventories/windows-m10.yaml

Output:

image

10.2 File Services

I would first boot up the file server and set the IP with the following command:

Edit-WVMIP -vm fs-blue1 -ethernetname Ethernet0 -ip 10.0.5.6 -mask 255.255.255.0 -gateway 10.0.5.2 -nameserver 10.0.5.5 -defaultJSON ./480.json

Then I ran an Ansible script named windows-file-server.yml to deploy the drive-maker.ps1 file which creates a mapped drive GPO (gives each group specified in the domain one mapped drive to a file share) on dc-blue1. The rest of the Ansible playbook sets up the file server (fs-blue1) itself (adds to domain, creates file shares.) Overall output is truncated for length. Command directly below:

ansible-playbook windows-file-server.yml --ask-pass -K -i inventories/windows-m10.yaml

10.3 Windows 10

Added the workstation (wks01-blue1) to the domain with the Ansible playbook named windows-domain-add.yml command:

ansible-playbook windows-domain-add.yml --ask-pass -K -i inventories/windows-m10.yaml

^ NOTE: Above is the second time the workstation was added to the domain, first time the Ansible script did not end as it did not get that the system had rebooted (a problem I have encountered working with Ansible on Windows a few times.)

Below shows a users login session where it is seen that the host was added to the domain and that it has access to it's groups network share:

Reflection for Milestone 10

I learned A LOT about how GPO's work in Active Directory, particularly how the GPO contains information and the registry values associated with it. Another thing I learned was how to use Ansible loops, which were pretty. The 2 scripts that I made also will come in handy in the future. The python script to add a passwords column may be useful in later testing. The script to create the GPO may also be useful in a scenario in which I need to make mapped drives in a GPO for a few groups. I have wanted to dive deeper into GPOs for awhile, particularly for scripting, so this was a good introduction. This class overall has been really fun and informative for me about many topics, like vCenter and Powercli, and I am excited to see what I can do with my added knowledge!

Troubleshooting

  • Dont know how to make the GPO automatically
  • Can create and link GPO with a powershell command, don't know how to then populate drive
  • There is a Drive.xml file in the GPO section that houses data for drives, going to try to automate that
  • Added a Windows desktop to the domain and added RSAT tools to create a GPO to test
    • Installed all RSAT tools with Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
    • MAKE SURE THE DNS RECORD FOR THE FILE SERVER IS SET CORRECTLY
  • Inserting into the XML with a new entry works, the following is the formatting for the entire file (only things changing are uid, path, and filtergroup name and sid)
  • (clsid is always the same !!!)
  • Made a powershell script to automatically make a GPO, add the Drives folder and Drives.xml file, create the needed xml content, and add it to the xml file. Works but requires the workstation to be restarted (possibly not if it has not joined the domain at the time of running the script?)
  • Script wasnt working, but it did work if I updated the one of the drives
  • Generating a report using Get-GPOReport, seeing that the gpo isnt detecting the drives even though it does exist
  • Have found that the gPCUserExtensionNames that is on the object itself is apart of the problem (below shows me getting one of my GPO tests as an object, trying to get the extensions, and the final line is once I went into one of the drives and edited it)
  • By adding the extension names allows the specified gpo to see the drive maps in the report now:
  • Also found that the GPT.ini file within the GPO path needs it's the version number incremented by 262144 (seems to do this when adding one drive so multiple in one = one version increment)
  • Working on a test enviro resetting...works on a snapshotted enviro LETS GOOOOOOOOOO

Sources:

⚠️ **GitHub.com Fallback** ⚠️