SYS 255 ‐ Lab 5 ‐ ADDS - connor0329/repository-1 GitHub Wiki

What we did in this lab

1. "Organizational Unit (OU)" structure creation on "ad01"

EX:

  • Launch "ad01", open "server manager"
  • Click on the tab "AD DS", right click "AD01-CONNOR", click "Active Directory Users and Computers"
  • Right click "connor.local", hover over "new", select "Organizational Unit", type "SYS255"
  • Right click on the newly made organizational unit, "SYS255", create 3 more organizational units labeled "Accounts", "Computers", and "Groups"

2. Creating Users and Groups within the newly created organizational unit "SYS255"

Creating Users "bob", "alice", and "charlie"

EX:

  • Select the "Accounts" OU within the "SYS255", right click, hover over "new" and select "user"
  • Type in the "First name:" field "alice", type in the "User logon name:" field "alice"
  • For password, uncheck "User must change password at next logon", make the password "pa$$word1"
  • Do the same thing for "bob" and "charlie"

Drag "WKS01-CONNOR" from the "Computers" OU located in "connor.local" to "Computers" located in "SYS255"

EX:

  • Select the "Computers" OU from within "connor.local"
  • Select "WKS01-CONNOR", drag and drop it in "Computers" from within "SYS255"

Within the "SYS255\Groups" OU, add a "global security group" called "custom-desktop" with users "Alice" and "Bob" (not Charlie) as "members"

EX:

  • Select "Groups" from the "SYS255" OU, right click and hover over "new", select "Group"
  • In the "Group name:" field type, "custom-desktop", make sure "Global" in "Group scope" is selected and "Security" in "Group type" is selected
  • Right click "custom-desktop", located in the "Groups" OU, and select "Properties"
  • Select the "Members" tab at the top
  • Click "Add...", in the "Enter the object names to select" field type "alice", click the "Check Names" button to the right, click "OK"
  • Do the same thing for "bob"
  • If both members were added successfully, "alice" and "bob" are listed in the "Members" tab
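
Steps 1 and 2 can also be scripted with the ActiveDirectory PowerShell module, which makes the OU layout repeatable. This is an added example, not part of the original lab; it assumes the distinguished name DC=connor,DC=local for "connor.local" and prompts for the initial password instead of storing it in the script.

```powershell
# Added example: scripted equivalent of steps 1 and 2. Run on ad01 as a domain admin.
Import-Module ActiveDirectory

$domainDn = 'DC=connor,DC=local'       # assumed DN of the lab domain "connor.local"
$rootOu   = "OU=SYS255,$domainDn"

# Step 1: the SYS255 OU and its three child OUs
New-ADOrganizationalUnit -Name 'SYS255' -Path $domainDn
foreach ($child in 'Accounts', 'Computers', 'Groups') {
    New-ADOrganizationalUnit -Name $child -Path $rootOu
}

# Step 2: users in SYS255\Accounts, with "User must change password at next logon" off
$password = Read-Host -AsSecureString -Prompt 'Initial password for the lab users'
foreach ($name in 'alice', 'bob', 'charlie') {
    New-ADUser -Name $name -GivenName $name -SamAccountName $name `
        -UserPrincipalName "$name@connor.local" `
        -Path "OU=Accounts,$rootOu" `
        -AccountPassword $password -ChangePasswordAtLogon $false -Enabled $true
}

# Move the workstation account into SYS255\Computers so OU-linked GPOs reach it
Get-ADComputer -Identity 'WKS01-CONNOR' |
    Move-ADObject -TargetPath "OU=Computers,$rootOu"

# Global security group containing alice and bob, but not charlie
New-ADGroup -Name 'custom-desktop' -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,$rootOu"
Add-ADGroupMember -Identity 'custom-desktop' -Members 'alice', 'bob'

# Confirm the membership: only alice and bob should be listed
Get-ADGroupMember -Identity 'custom-desktop' |
    Select-Object -ExpandProperty SamAccountName
```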

3. Creating a group policy that defines some User level settings

Creating a new "group policy object (GPO)" called "sys255-desktop" in "SYS255"

EX:

  • Click "tools" at the top of the home page of "server manager", select "Group Policy Management"
  • Select "SYS255", right click and select "Create a GPO in this domain, and Link it here..."
  • In the name field type, "sys255-desktop" then select "ok"

Adding the "custom-desktop" group created in Step 2 to the "Security Filter"

EX:

  • Select the newly created GPO, "sys255-desktop" located in the "SYS255" OU
  • Make sure you're in the "Scope" tab at the top
  • In the "Security Filtering" section click "Add..."
  • In the "Enter the object name to select" field type, "custom-desktop", click "Check Names", click "OK"

Removing "Authenticated Users" from the "Security Filtering"

EX:

  • Select "Authenticated Users" in "Security Filtering"
  • Click "Remove", click "OK" when prompted if you're sure you want to delete

Add "Domain Computers" to "Security Filtering"

EX:

  • Select "Add..." in "Security Filtering"
  • In the "Enter the object name to select" field type, "Domain Computers", click "Check Names", click "OK"

Uncheck "Apply Group Policy" in the "Delegation" tab for "Domain Computers"

EX:

  • Select the "Delegation" tab at the top, click "Advanced"
  • In the "Group or user names:" field, select "Domain Computers"
  • In "Permissions for Domain Computers", make sure "Read" is checked for "Allow" and "Apply Group Policy" is checked for "Deny"
  • Click "Apply" at the bottom, click "OK"
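
The security filtering from step 3 can be set and then audited with the GroupPolicy PowerShell module. This is an added example, not part of the original lab; it assumes the distinguished name OU=SYS255,DC=connor,DC=local and grants "Domain Computers" Read directly instead of adding the group to Security Filtering and then denying "Apply Group Policy".

```powershell
# Added example: step 3 scripted with the GroupPolicy module. Run on ad01 as a domain admin.
Import-Module GroupPolicy

$gpo = 'sys255-desktop'

# Create the GPO and link it to the SYS255 OU (DN is an assumption for "connor.local")
New-GPO -Name $gpo | New-GPLink -Target 'OU=SYS255,DC=connor,DC=local'

# Security filtering: only members of custom-desktop apply the GPO
Set-GPPermission -Name $gpo -TargetName 'custom-desktop' -TargetType Group `
    -PermissionLevel GpoApply

# -Replace is required to lower an existing, higher permission level
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace

# Since MS16-072, user policy is retrieved in the computer's security context,
# so with Authenticated Users removed, computer accounts need Read on the GPO.
# GpoRead grants Read without Apply, so no Deny entry is needed (differs from the lab).
Set-GPPermission -Name $gpo -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead

# Audit: compare the GPO's permission entries with what the lab intends
$expected = [ordered]@{ 'custom-desktop' = 'GpoApply'; 'Domain Computers' = 'GpoRead' }
$acl = Get-GPPermission -Name $gpo -All
foreach ($item in $expected.GetEnumerator()) {
    $ace   = $acl | Where-Object { $_.Trustee.Name -eq $item.Key }
    $state = if ($ace -and "$($ace.Permission)" -eq $item.Value) { 'OK' } else { 'MISMATCH' }
    '{0,-18} expected {1,-9} {2}' -f $item.Key, $item.Value, $state
}
if ($acl.Trustee.Name -contains 'Authenticated Users') {
    Write-Warning "Authenticated Users still has an entry on $gpo"
}
```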

4. Removing the "Recycling bin" using "Group Policy Management Editor" for "sys255-desktop"

EX:

  • Select "sys255-desktop" from "SYS255", right click and select "edit"
  • Click the drop down arrow for "Policies" in the "User Configuration", click the drop down for "Administrative Templates", select "Desktop"
  • In the "Desktop" folder click on "Remove Recycle Bin icon from desktop", click "policy setting" next to "Edit"
  • Select "Enabled" then click "Apply", click "OK"

Deliverables

1. Log into "Alice" on "wks01" and show that there's no recycling bin, as well as show the results of "gpresult /r"

EX:

  • Launch "wks01"
  • Select "Other user", in the username field type "alice", in the password field type "pa$$word1"
  • Once logged in open "Windows PowerShell"
  • Type "gpresult /r"
  • Should look like this:

2. Create a computer policy on "ad01" for "SYS255/Computers" that disables "Last Login", then show results of "gpupdate /force" and "gpresult /scope computer /r"

EX:

Creating the computer policy that disables "Last Login"

  • Open "Server Manager"
  • Select "Tools" at the top, select "Group Policy Management"
  • Select "Computers" from within "SYS255", right click, "Create a GPO in this domain", name it "DisableLastLogin"
  • Select the newly created GPO "DisableLastLogin", under "Security Filtering" select "Authenticated Users" and "Remove"
  • Right click "DisableLastLogin", select "Edit..."
  • Select the dropdown arrow for "Policies" under "Computer Configuration", "Windows Settings", "Security Settings", "Local Policies", Select "Security Options"
  • From within "Security Options" Find and select "Interactive Logon: Don't display username at sign-in"
  • Right click "Interactive Logon: Don't display username at sign-in", "Properties", check the "Define this policy setting:" click "Enabled", "Apply", "OK"

Results of "gpupdate /force" and "gpresult /scope computer /r" on "wks01"

  • Make sure you're on "wks01"
  • Type in "Windows PowerShell", right click "Windows PowerShell", select "Run as administrator"
  • When prompted with the administrator username type "connor.mccracken-adm", and for the password type "Lacrossekid3"
  • In Windows PowerShell type "gpupdate /force"
  • Type "gpresult /scope computer /r"
  • If everything is done correctly the output of the above command should be:

Important Information in This Lab

Why do I need an Organizational Unit (OU) and what does it do?

  • An Organizational Unit organizes and manages users, groups, and computers within your domain
  • It allows you to apply specific policies (like group policies) to objects within it
    • This helps to control and structure permissions, settings, and access efficiently across different departments or purposes
  • In this lab it helps to manage my "SYS255" setup

Why did I add a global security group called "custom-desktop" within the SYS255\Groups OU?

  • I added the "custom-desktop" global security group to manage permissions and apply specific group policies to a defined set of users, in this case, "Alice" and "Bob"
  • This allows me to control which users the sys255-desktop GPO applies to, making it easier to manage security and configurations for a specific group of users