Domain Group Policy - VBychkov-boop/Spring-SYS265-Final-Project GitHub Wiki

# DFS Group Policy - DFS Profile + Home Directory Redirection

## DFS Share Setup

### Create Directories on DFS01-B1

```Powershell
$ProfilesPath = "C:\DFS\Profiles"
$HomePath     = "C:\DFS\Home"

New-Item -ItemType Directory -Path $ProfilesPath -Force
New-Item -ItemType Directory -Path $HomePath -Force
```

### Create SMB Shares

```Powershell
# The namespace root folder and the shared folder are used by later steps, so create them here as well
New-Item -ItemType Directory -Path "C:\DFS\Root" -Force
New-Item -ItemType Directory -Path "C:\DFS\Shared" -Force

# Hidden ($) shares with access-based enumeration: users only see the folders they have rights to
New-SmbShare -Name "Profiles$" -Path "C:\DFS\Profiles" -FullAccess "Domain Admins" -ChangeAccess "Authenticated Users" -FolderEnumerationMode AccessBased

New-SmbShare -Name "Home$" -Path "C:\DFS\Home" -FullAccess "Domain Admins" -ChangeAccess "Authenticated Users" -FolderEnumerationMode AccessBased

New-SmbShare -Name "DFS" -Path "C:\DFS\Root" -FullAccess "Domain Admins" -ChangeAccess "Authenticated Users"

# Shared folder that the namespace link and the workstation test further down refer to
New-SmbShare -Name "Shared" -Path "C:\DFS\Shared" -FullAccess "Domain Admins" -ChangeAccess "Authenticated Users"

# Verify that the shares were created
Get-SmbShare | Where-Object { $_.Name -match "Profiles|Home|DFS|Shared" }
```

### Set NTFS Permissions

```Powershell
# Profiles permissions
$ACL = Get-Acl "C:\DFS\Profiles"
# Turn inheritance off and discard the inherited ACEs, so only the rules below apply to the root
$ACL.SetAccessRuleProtection($true, $false)
$ACL.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new("Domain Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow"))
$ACL.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new("SYSTEM","FullControl","ContainerInherit,ObjectInherit","None","Allow"))
# Whoever creates a subfolder gets Full Control of it (inherit-only: applies to children, not to the root itself)
$ACL.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new("Creator Owner","FullControl","ContainerInherit,ObjectInherit","InheritOnly","Allow"))
# Authenticated Users may only create a subfolder in the root ("this folder only"), so they cannot read each other's folders
$ACL.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new("Authenticated Users","AppendData","None","None","Allow"))
Set-Acl -Path "C:\DFS\Profiles" -AclObject $ACL

# Home permissions (same rules)
$ACL = Get-Acl "C:\DFS\Home"
$ACL.SetAccessRuleProtection($true, $false)
$ACL.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new("Domain Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow"))
$ACL.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new("SYSTEM","FullControl","ContainerInherit,ObjectInherit","None","Allow"))
$ACL.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new("Creator Owner","FullControl","ContainerInherit,ObjectInherit","InheritOnly","Allow"))
$ACL.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new("Authenticated Users","AppendData","None","None","Allow"))
Set-Acl -Path "C:\DFS\Home" -AclObject $ACL

# Grant Administrator access (required after removing inheritance, which also dropped the local Administrators ACE)
takeown /f "C:\DFS\Profiles" /r /d y
takeown /f "C:\DFS\Home" /r /d y
icacls "C:\DFS\Profiles" /grant "Administrator:(OI)(CI)F" /T
icacls "C:\DFS\Home" /grant "Administrator:(OI)(CI)F" /T
icacls "C:\DFS\Profiles" /grant "Domain Admins:(OI)(CI)F" /T
icacls "C:\DFS\Home" /grant "Domain Admins:(OI)(CI)F" /T
```
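The ACLs above are what keep one user's profile and home folder invisible to every other domain user, and they are easy to weaken by accident (a later `icacls` run that re-enables inheritance, or Authenticated Users ending up with more than create-subfolder on the root). The following verification script is an added example and not part of the project's wiki: it reads the ACLs back from both roots and reports any deviation from the rules set above. The list of principals allowed to hold broad rights is an assumption derived from the commands on this page.

```powershell
# Added verification script (not from the project wiki). Re-reads the ACLs on the
# Profiles and Home roots and reports anything that would break per-user isolation.
# Assumed to run on DFS01-B1 as an administrator; paths come from this page.

$Roots = @("C:\DFS\Profiles", "C:\DFS\Home")

# Principals this page deliberately grants Full Control (assumption based on the steps above).
$TrustedPatterns = @(
    "*\Domain Admins",
    "NT AUTHORITY\SYSTEM",
    "CREATOR OWNER",
    "BUILTIN\Administrators",
    "*\Administrator"          # local/domain Administrator added by the icacls step
)

function Test-DfsRootAcl {
    param([Parameter(Mandatory)][string]$Path)

    $acl        = Get-Acl -Path $Path
    $findings   = New-Object System.Collections.Generic.List[string]
    $appendOnly = [int][System.Security.AccessControl.FileSystemRights]::AppendData   # = CreateDirectories

    # Inheritance must be off, otherwise ACEs from C:\DFS (e.g. BUILTIN\Users Read) leak onto the root.
    if (-not $acl.AreAccessRulesProtected) {
        $findings.Add("$Path still inherits ACEs from its parent folder")
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id     = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights

        if ($id -like '*\Authenticated Users') {
            # Expected: create-subfolder only, and only on this folder. Read on the root would let
            # any user enumerate other users' folder names; Modify would let them tamper with them.
            if ($rights -ne $appendOnly) {
                $findings.Add("$Path grants Authenticated Users more than CreateDirectories: $($ace.FileSystemRights)")
            }
            if ($ace.InheritanceFlags -ne 'None') {
                $findings.Add("$Path Authenticated Users ACE propagates to children ($($ace.InheritanceFlags))")
            }
            continue
        }

        $trusted = $false
        foreach ($pattern in $TrustedPatterns) {
            if ($id -like $pattern) { $trusted = $true; break }
        }
        if (-not $trusted) {
            $findings.Add("$Path has an unexpected ACE for $id with rights $($ace.FileSystemRights)")
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Pass     = ($findings.Count -eq 0)
        Findings = ($findings -join "; ")
    }
}

$Roots | ForEach-Object { Test-DfsRootAcl -Path $_ } | Format-List
```

Run it after the `icacls` commands above (they grant rights without touching inheritance, so `Pass` should be `True` for both roots); any `False` lists exactly which ACE to fix.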

### Set NTFS Permissions on shared folder

```Powershell
icacls "C:\DFS\Shared" /grant "GroupB1\W1-User:(OI)(CI)F" /T
icacls "C:\DFS\Shared" /grant "GroupB1\W2-User:(OI)(CI)F" /T
```

## DFS Namespace Configuration

### Install DFS Roles

```Powershell
Install-WindowsFeature FS-DFS-Namespace -IncludeManagementTools
Install-WindowsFeature FS-DFS-Replication -IncludeManagementTools

# Start the DFS Namespace service now and set it to start automatically so it survives reboots
Start-Service Dfs
Set-Service Dfs -StartupType Automatic
```

### Create DFS Namespace and folder links

Small note: I used dfsutil instead of New-DfsnRoot to avoid WMI/CIM errors

```Powershell
# Stand-alone namespace root backed by the "DFS" share created earlier
dfsutil root addstd \\DFS01-B1\DFS "DFS Namespace"

# Folder links: namespace path -> physical share
dfsutil link add \\DFS01-B1\DFS\Profiles \\DFS01-B1\Profiles$
dfsutil link add \\DFS01-B1\DFS\Home \\DFS01-B1\Home$
dfsutil link add \\DFS01-B1\DFS\Shared \\DFS01-B1\Shared

# Verify
dfsutil root \\DFS01-B1\DFS
```

### Create User Home Directories

```Powershell
New-Item -ItemType Directory -Path "C:\DFS\Home\W1-User" -Force
New-Item -ItemType Directory -Path "C:\DFS\Home\W2-User" -Force

icacls "C:\DFS\Home\W1-User" /grant "GroupB1\W1-User:(OI)(CI)F" /T
icacls "C:\DFS\Home\W2-User" /grant "GroupB1\W2-User:(OI)(CI)F" /T

# Verify
Get-ChildItem "C:\DFS\Home"
```

## Active Directory Setup

### Create Organizational Units

Run this on DC01-B1:

```Powershell
New-ADOrganizationalUnit -Name "W1-Users" -Path "DC=GroupB1,DC=local" -ProtectedFromAccidentalDeletion $false
New-ADOrganizationalUnit -Name "W2-Users" -Path "DC=GroupB1,DC=local" -ProtectedFromAccidentalDeletion $false

# Verify
Get-ADOrganizationalUnit -Filter * | Select-Object Name
```

### Set Home Directory and Roaming Profile Paths

```Powershell
Set-ADUser -Identity "W1-User" -HomeDirectory "\\DFS01-B1\DFS\Home\W1-User" -HomeDrive "H:"
Set-ADUser -Identity "W2-User" -HomeDirectory "\\DFS01-B1\DFS\Home\W2-User" -HomeDrive "H:"

Set-ADUser -Identity "W1-User" -ProfilePath "\\DFS01-B1\DFS\Profiles\W1-User"
Set-ADUser -Identity "W2-User" -ProfilePath "\\DFS01-B1\DFS\Profiles\W2-User"

# Verify
Get-ADUser -Filter { Name -like "W*-User" } -Properties HomeDirectory, ProfilePath | Select-Object Name, HomeDirectory, ProfilePath
```
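The home-directory steps (create the folder, grant the user rights on it, point the AD account at the namespace path) are shown above for W1-User and W2-User one command at a time. The script below is an added example, not the project's own code, that wraps them into a function for any list of users and finishes with a check that the DFS path resolves and that the folder's ACL names only that user. It is assumed to run on DC01-B1 as a Domain Admin with the ActiveDirectory module installed and with WinRM not required (the folder is reached through the `Home$` share). It is stricter than the `icacls` step above in one respect: it removes inherited ACEs on the user's folder before granting, so only the user, Domain Admins and SYSTEM remain.

```powershell
# Added provisioning + verification example (not from the project wiki).
# Assumptions: runs on DC01-B1 as a Domain Admin, ActiveDirectory module present,
# server/share/namespace names as on this page.

Import-Module ActiveDirectory

$Domain        = "GroupB1"
$FileServer    = "DFS01-B1"
$HomeShare     = "\\$FileServer\Home`$"          # physical share on the file server
$HomeNamespace = "\\$FileServer\DFS\Home"        # namespace path the user actually gets
$ProfileRoot   = "\\$FileServer\DFS\Profiles"

function Initialize-DfsHomeFolder {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $physical = Join-Path $HomeShare $SamAccountName
    $dfsPath  = "$HomeNamespace\$SamAccountName"

    # 1. Folder on the file server (idempotent thanks to -Force).
    New-Item -ItemType Directory -Path $physical -Force | Out-Null

    # 2. Lock the folder to its owner: /inheritance:r drops inherited ACEs,
    #    /grant:r replaces (rather than merges with) existing grants.
    icacls $physical /inheritance:r | Out-Null
    icacls $physical /grant:r "${Domain}\${SamAccountName}:(OI)(CI)F" `
                              "${Domain}\Domain Admins:(OI)(CI)F" `
                              "SYSTEM:(OI)(CI)F" | Out-Null

    # 3. Point the account at the namespace path, not the physical share,
    #    so the file server can move without editing user objects.
    Set-ADUser -Identity $SamAccountName -HomeDirectory $dfsPath -HomeDrive "H:"
    Set-ADUser -Identity $SamAccountName -ProfilePath "$ProfileRoot\$SamAccountName"

    # 4. Verify: attribute set, namespace path resolves, ACL contains the owner grant.
    $user   = Get-ADUser -Identity $SamAccountName -Properties HomeDirectory, ProfilePath
    $aclOut = (icacls $physical) -join "`n"
    [pscustomobject]@{
        User          = $SamAccountName
        HomeDirectory = $user.HomeDirectory
        ProfilePath   = $user.ProfilePath
        DfsResolves   = (Test-Path -Path $dfsPath)
        OwnerAclOk    = ($aclOut -match [regex]::Escape("${Domain}\${SamAccountName}:(OI)(CI)(F)"))
    }
}

"W1-User", "W2-User" | ForEach-Object { Initialize-DfsHomeFolder -SamAccountName $_ } | Format-Table -AutoSize
```

`DfsResolves` being `False` while the physical folder exists usually means the `Home` link in the namespace is missing or the DFS service is not running; `OwnerAclOk` being `False` means the grant did not apply and the user will not be able to write to H:.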

### Create and Link Profile GPOs

```Powershell
Import-Module GroupPolicy

New-GPO -Name "W1-ProfilePolicy" -Comment "Redirects W1 profiles and home dirs to DFS"
New-GPO -Name "W2-ProfilePolicy" -Comment "Redirects W2 profiles and home dirs to DFS"

New-GPLink -Name "W1-ProfilePolicy" -Target "OU=W1-Users,DC=GroupB1,DC=local" -LinkEnabled Yes
New-GPLink -Name "W2-ProfilePolicy" -Target "OU=W2-Users,DC=GroupB1,DC=local" -LinkEnabled Yes
```

On each workstation, run:

```Powershell
gpupdate /force
```

Then map the home drive on EACH workstation, logged in as that workstation's user.

On W01-B1 as W1-User:

```Powershell
net use H: \\DFS01-B1\DFS\Home\W1-User /persistent:yes
```

On W02-B1 as W2-User:

```Powershell
net use H: \\DFS01-B1\DFS\Home\W2-User /persistent:yes
```

### Shared DFS folder

Navigate to

```
\\DFS01-B1\DFS\Shared
```

and drop any test file in there to check that you can see it from the other workstation.

### Create RDP GPO

```Powershell
New-GPO -Name "RDP-Policy" -Comment "Allows W1 and W2 to RDP between each other"

# fDenyTSConnections = 0 allows incoming Remote Desktop connections
Set-GPRegistryValue -Name "RDP-Policy" -Key "HKLM\System\CurrentControlSet\Control\Terminal Server" -ValueName "fDenyTSConnections" -Type DWord -Value 0

# UserAuthentication = 1 requires Network Level Authentication before a session is created
Set-GPRegistryValue -Name "RDP-Policy" -Key "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -ValueName "UserAuthentication" -Type DWord -Value 1

# Link to computer OU and push the policy to both workstations immediately
New-GPLink -Name "RDP-Policy" -Target "OU=RDP-Enabled-Computers,DC=GroupB1,DC=local" -LinkEnabled Yes
Invoke-GPUpdate -Computer "W01-B1" -Force -RandomDelayInMinutes 0
Invoke-GPUpdate -Computer "W02-B1" -Force -RandomDelayInMinutes 0
```
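The two registry values belong together: `fDenyTSConnections = 0` opens the RDP listener, and `UserAuthentication = 1` is what makes it refuse sessions that have not authenticated first. The check below is an added example, not part of the project's wiki. It reads both values back from the GPO object (what SYSVOL will deliver) and then from the live registry on each workstation after `Invoke-GPUpdate`, flagging any machine where RDP is on but NLA is not. GPO name, computer names and registry keys are taken from this page; the `Invoke-Command` remoting session assumes WinRM is enabled on the workstations.

```powershell
# Added verification script (not from the project wiki). Assumes it runs on DC01-B1
# with the GroupPolicy module and WinRM access to W01-B1 and W02-B1.

Import-Module GroupPolicy

$GpoName      = "RDP-Policy"
$Workstations = @("W01-B1", "W02-B1")
$TsKey        = "HKLM\System\CurrentControlSet\Control\Terminal Server"
$RdpTcpKey    = "$TsKey\WinStations\RDP-Tcp"

function Test-RdpGpoDefinition {
    # What the GPO itself contains; a typo in either Set-GPRegistryValue call shows up here.
    $deny = Get-GPRegistryValue -Name $GpoName -Key $TsKey     -ValueName "fDenyTSConnections"
    $nla  = Get-GPRegistryValue -Name $GpoName -Key $RdpTcpKey -ValueName "UserAuthentication"
    [pscustomobject]@{
        Gpo         = $GpoName
        RdpEnabled  = ($deny.Value -eq 0)
        NlaRequired = ($nla.Value -eq 1)
        Pass        = ($deny.Value -eq 0 -and $nla.Value -eq 1)
    }
}

function Test-RdpAppliedState {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Live registry on the workstation after gpupdate. A machine that has
    # fDenyTSConnections = 0 but UserAuthentication = 0 accepts RDP without NLA
    # (for example because it sits outside the linked OU and kept local settings).
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $ts  = Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server"
        $tcp = Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
            NlaRequired = ($tcp.UserAuthentication -eq 1)
            Pass        = ($ts.fDenyTSConnections -eq 0 -and $tcp.UserAuthentication -eq 1)
        }
    }
}

Test-RdpGpoDefinition | Format-List
$Workstations | ForEach-Object { Test-RdpAppliedState -ComputerName $_ } |
    Format-Table Computer, RdpEnabled, NlaRequired, Pass -AutoSize
```

If the GPO check passes but a workstation reports `RdpEnabled = False`, the computer object is most likely not in `OU=RDP-Enabled-Computers`, so the linked policy never applied to it.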