SYS‐255 Lab 4 ADDS - aljimenez28/champlain GitHub Wiki

Overview

In this lab, we created and tested Group Policy Objects to manage users and computers inside our domain (alejandra.local). The main goal was to understand how to build OU structures, apply targeted policies, and confirm that they worked for specific users.

Steps Completed

1. OU Structure

  • Created a top-level OU named SYS255.
  • Created three child OUs under SYS255:
    • Accounts
    • Computers
    • Groups

2. Users and Groups

  • Added Alice, Bob, and Charlie to SYS255 → Accounts.
  • Created a security group called custom-desktop in SYS255 → Groups.
  • Added Alice and Bob to the group.
  • Left Charlie out.

3. GPO: sys255-desktop

  • Created and linked a GPO named sys255-desktop to SYS255.
  • Edited the GPO to remove the Recycle Bin from desktops.
  • Removed Authenticated Users from Security Filtering.
  • Added custom-desktop and Domain Computers instead.

4. Testing the Policy

  • Logged into WKS02 as Alice.
  • Confirmed policy applied correctly → Recycle Bin was missing.
  • Logged into WKS02 as Charlie → Recycle Bin still present (as expected).

5. GPO: disablelastlogin

  • Created and linked a GPO named disablelastlogin to SYS255.
  • Navigated to:

Computer Configuration → Policies → Administrative Templates → System → Logon
  • Set Display Last Logon Information at logon to Disabled.

Problems and Solutions

Problem 1: "The sign-in method you are trying to use isn't allowed" when logging in as Alice.

  • Cause: Alice was not allowed to log on at WKS02.
  • Solution: Checked Alice’s properties in ADUC. Confirmed account was enabled and added to Domain Users and custom-desktop group. Ensured WKS02 was joined to alejandra.local.

Problem 2: Confusion removing "Authenticated Users" from Security Filtering.

  • Cause: Unsure where the option was.
  • Solution: Found it under the Scope tab of the GPO in Group Policy Management. Selected Authenticated UsersRemove, then added custom-desktop and Domain Computers.

Problem 3: GPO not applying right away.

  • Cause: Group Policy cache takes time to update.
  • Solution: Ran:
gpupdate /force

on WKS02, then rebooted. This forced the new policies to apply.

Important Commands

  • Force Group Policy Update

    gpupdate /force

  • Check logged in user

    whoami

  • Verify domain join on WKS02

    systeminfo | findstr /B /C:"Domain"

Preparation Plan for Next Week’s Assessment

Since the assessment combines multiple labs, preparation must cover DNS, ADDS, DHCP, Linux configuration, and firewalls. Here’s the plan:

1. Practice Lab 2–5 Steps

  • Lab 2 (ADDS basics): Review OU creation and user setup.
  • Lab 3 (Linux): Be ready to configure static IPs, DNS, and SSH access.
  • Lab 4 (DHCP): Practice editing /etc/dhcp/dhcpd.conf, restarting services, and confirming leases on WKS02.
  • Lab 5 (ADDS GPO): Review GPO creation, security filtering, and testing with specific users.

2. Key Deliverables to Rehearse

  • Screenshots of ipconfig /all, whoami, and tracert.
  • DNS lookups (A and PTR records).
  • DHCP lease verification with /var/log/messages.
  • GPO testing (e.g., missing Recycle Bin).

3. Troubleshooting Checklist

  • If login fails → check user account status and group membership.
  • If DHCP doesn’t issue an address → check dhcpd.conf, restart service, and firewall rules.
  • If DNS lookups fail → confirm A/PTR records exist and clients are pointing to the correct DNS server.
  • If GPO doesn’t apply → run gpupdate /force and verify Security Filtering.

4. Time Management

  • Budget ~3–4 hours per lab step during the assessment.
  • Take screenshots as you go — don’t leave them for the end.
  • Keep a “cheat sheet” of key commands handy.

Conclusion

Lab 5 solidified how Group Policy can target specific groups and OUs. The main takeaway is understanding how to scope policies (Security Filtering + OU linking) and how to test with different users. The troubleshooting during this lab will be directly useful in the assessment.