Lab 05 ‐ ADDS and Group Policy - rune-seregina/sys-255-fa24 GitHub Wiki

Objective
In this lab, I practiced using Active Directory to create Organizational Units (OUs), create group policies, and apply policy settings to the users and computers in my new OU.


Vocab:

  • schema: blueprint that describes and contains formal definitions of every object class and attribute that can be created in an AD forest.
  • OU: Organizational Unit - a container object in Active Directory that allows management of network resources (users, computers, and other objects) as a group
  • Default Domain Policy: the default policy automatically created with the domain, representing the default policy that is applied to all domain controllers in the container. Best practice: use the Default Domain Policy only for account policy, account lockout and password settings.
  • Group Policy: provides a centralized, policy-based approach to system management that can be applied at different AD container levels, such as domains, sites or organizational units (OUs)
  • Authenticated Users: In Active Directory, the Authenticated Users group includes all users who have successfully logged in with a valid username and password.

Resources used:


IP Assignments:

  • WAN IP (synonymous with fw interface 1/em0): 10.0.17.112/24
  • LAN IP (synonymous with fw interface 2/em1): 10.0.5.2/24
  • wks01-rune IP: 10.0.5.100/24 (or as assigned by DHCP)
  • wks01/ads01/dhcp01 default gateway: 10.0.5.2/24
  • dns: 10.0.5.5/24
  • ad01-rune ip: 10.0.5.5/24
  • dhcp01-rune ip: 10.0.5.3/24

Accounts:

  • wks01: rune.seregina@rune
  • wks01: rune.seregina-adm@rune
  • wks01: alice@rune
  • wks01: bob@rune
  • wks01: charlie@rune
  • ad01: rune\administrator
  • dhcp01: rune@dhcp01

How to change default password policy


Policy locations
Nuking the recycle bin

  • (In Group Policy Management Editor): User Configuration > Administrative Templates > Desktop > Remove Recycle Bin icon from desktop > Enabled

Disable Last Login

  • (In Group Policy Management Editor): Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon: Don't display last signed-in > Enabled
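The same two settings built from PowerShell instead of the Group Policy Management Editor, as an added example that is not part of the original lab journal. It assumes it runs on ad01 as rune\administrator with the GroupPolicy module (installed with the ADDS management tools), that the GPO is named sys255-desktop as in the troubleshooting notes, and that the OU distinguished name is a placeholder to replace with the lab OU; Administrative Template and Security Option settings are registry-backed, and the key/value pairs below are the ones those two settings write.

```powershell
# Added example (not from the lab journal): build the "sys255-desktop" GPO from
# PowerShell. Assumptions: run on ad01 as rune\administrator, the GroupPolicy
# module is present, and $targetOu is a placeholder for the real lab OU DN.
Import-Module GroupPolicy

$gpoName  = 'sys255-desktop'
$targetOu = 'OU=PLACEHOLDER-OU,DC=rune,DC=local'   # replace with the lab OU's DN

# Create the GPO only if it does not already exist, then link it to the OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction SilentlyContinue

# User Configuration > Administrative Templates > Desktop >
#   Remove Recycle Bin icon from desktop = Enabled
# Administrative Templates are registry-backed; this is the value the template writes.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum' `
    -ValueName '{645FF040-5081-101B-9F08-00AA002F954E}' -Type DWord -Value 1

# Computer Configuration > Security Options >
#   Interactive logon: Don't display last signed-in = Enabled
# Written here as a registry policy value (the same key the security option sets)
# rather than through the Security Settings extension, so GPMC lists it under
# Administrative Templates instead of Security Options.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DontDisplayLastUserName' -Type DWord -Value 1

# Review what the GPO now contains before testing it on wks01.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:USERPROFILE\$gpoName.html"
```

A GPO linked to an OU only reaches users and computers whose objects sit inside that OU (or a child OU), so the report is worth pairing with a check of where the test accounts actually live in Active Directory Users and Computers.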

gpresult

  • displays the Resultant Set of Policy (RSoP): which group policy objects were applied to a given system or user. /r displays summary data.

gpupdate

  • updates group policy settings (by default only settings that changed since the last refresh)
  • /force reapplies every setting right now. DO IT NOW!!!
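A way to turn the two commands above into an actual check, as an added example that is not from the lab journal: refresh policy, parse the "Applied Group Policy Objects" list out of gpresult /r, and report whether the expected GPO is there. It assumes an elevated PowerShell on wks01 while logged in as the test user, and uses the GPO name sys255-desktop from the troubleshooting notes.

```powershell
# Added example (not from the lab journal): force a policy refresh and confirm that
# the expected GPO is in the applied list, the check behind the troubleshooting notes.
# Assumption: run from an elevated PowerShell on wks01 as the user being tested.
$expectedGpo = 'sys255-desktop'

gpupdate /force | Out-Null          # reapply every setting now, not just changed ones

# gpresult /r prints the RSoP summary; /scope:user limits it to the user half.
$summary = gpresult /r /scope:user

# The applied GPO names sit between the "Applied Group Policy Objects" header
# (and its dashed underline) and the next blank line.
$applied = @()
$inList  = $false
foreach ($line in $summary) {
    if ($line -match 'Applied Group Policy Objects') { $inList = $true; continue }
    if (-not $inList) { continue }
    $text = $line.Trim()
    if ($text -match '^-*$') {               # blank line or the dashed underline
        if ($applied.Count -gt 0) { break } else { continue }
    }
    $applied += $text
}

if ($applied -contains $expectedGpo) {
    Write-Host "OK: $expectedGpo applied for $env:USERNAME"
} else {
    Write-Host "MISSING: $expectedGpo not applied. Applied list: $($applied -join ', ')"
    # gpresult also lists GPOs that were filtered out and why (security filtering,
    # disabled link, empty user section). Show that part of the summary.
    $summary | Select-String -Pattern 'filtered out' -Context 0,6
}
```

If the GPO shows up under "filtered out" with the reason "Access Denied (Security Filtering)", the Authenticated Users group has been removed from the GPO's security filtering; if it is absent from both lists, the user object is not under the OU the GPO is linked to.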

Troubleshooting

  • First, I wanted to make my life easier and change the general password policy so that I could make simple passwords for alice, bob, and charlie, but even after finding where to change the policies I couldn't get it to stick :( I still included where to change it in my lab journal.
  • Did not figure out why, but I could not get gpresult for alice to display "sys255-desktop" as alice's group policy. I did tons and tons of tweaking in Group Policy Management, even making a "custom-desktop1" group to see if it would work or adding alice directly to the sys255-desktop. Eventually, after many reloads and tweaking, alice showed up for both "sys255-desktop" and "Default Domain Policy", likely due to some user management error when I was troubleshooting.

Reflection
ADDS is a very difficult topic for me to understand, and I appreciate the practice that I got in this lab, but I'm not sure that I got much out of it in terms of my understanding of ADDS. I do understand the schema and the Microsoft Active Directory tree better from this lab. It was frustrating to not know what was wrong during my troubleshooting and to never quite figure out what my issue was.


Environment Diagram
(diagram: SYS255-enviro drawio; image not included in this export)

Initial Setup: Firewall and Windows configuration
fw01:

  • cabling - net adapter 1: sys255-wan, (create) net adapter 2: sys255-lan (note the MAC addresses for cross-reference later)
  • configure em0 and em1 - em0: 10.0.17.112/24 (upstream gateway: 10.0.17.2), em1: 10.0.5.2/24

wks01:

  • change hostname: file explorer > this pc > properties > change settings > change > "To rename this computer..." > wks01-rune
  • new local account: lusrmgr.msc > Username: rune.seregina-loc > Desc: new local admin account > Password never expires > Double click new account > Member of: WKS01-RUNE\Administrators > Logout/login
  • Network config: (screenshot not included in this export)

fw01 gui

  • skip over setup wizard, leave the setting checked to override the DNS server on PPP/WAN
  • System Wizard: General Information: Hostname: fw01-rune, Domain: rune.local, Primary DNS: 8.8.8.8, Secondary DNS: 1.1.1.1

checking my work

  • have fw01 ping champlain.edu.
  • run whoami, hostname, ipconfig /all, and ping google.com on wks01.
  • navigate to champlain.edu from wks01
  • tracert -h 3 champlain.edu from wks01

ad01 setup

  • cabling: netadapter 1=sys255-lan
  • hostname: change to ad01-rune
  • invoke server manager > network options. proper addressing: IP Address: 10.0.5.5, Netmask: 255.255.255.0, Gateway 10.0.5.2, DNS 10.0.5.2
  • reboot!
  • check networking: whoami, ping google

adds

  • server manager > add roles and features > Active Directory Domain Services > restart destination server option

promotion

  • Select the link to Promote this server to a domain controller.
  • create a new forest: rune.local
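The ad01 setup, ADDS install and promotion steps above collapsed into one PowerShell script, as an added example that is not part of the original lab journal. It uses the addresses from the IP assignments (10.0.5.5/24, gateway 10.0.5.2, DNS 10.0.5.2 during setup) and the forest name rune.local; it assumes the server's adapter is named "Ethernet", that it runs as a local administrator on ad01, and that the DSRM password is entered at the prompt.

```powershell
# Added example (not from the lab journal): ad01 networking, hostname, ADDS role
# and forest creation as a script. Assumptions: adapter alias "Ethernet", run as a
# local administrator on ad01, DSRM password supplied interactively.
$adapter = 'Ethernet'

# Static addressing from the IP assignments: 10.0.5.5/24, gateway 10.0.5.2, DNS 10.0.5.2.
Set-NetIPInterface -InterfaceAlias $adapter -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $adapter -IPAddress 10.0.5.5 -PrefixLength 24 -DefaultGateway 10.0.5.2
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses 10.0.5.2

# "check networking": who am I, and can I reach the gateway and the internet?
whoami
if (-not (Test-NetConnection -ComputerName 10.0.5.2 -InformationLevel Quiet)) { throw 'gateway 10.0.5.2 unreachable' }
if (-not (Test-NetConnection -ComputerName google.com -InformationLevel Quiet)) { throw 'google.com unreachable' }

# Hostname change needs a reboot; rerun the script afterwards to continue.
if ($env:COMPUTERNAME -ne 'AD01-RUNE') { Rename-Computer -NewName 'ad01-rune' -Restart }

# "Add roles and features > Active Directory Domain Services"
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# "Promote this server to a domain controller" > create a new forest rune.local.
# Install-ADDSForest reboots the server when it finishes.
$dsrm = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'
Install-ADDSForest -DomainName 'rune.local' -DomainNetbiosName 'RUNE' -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force
```

After the promotion reboot the server's DNS client should point at itself (10.0.5.5, the "dns" assignment above), which the promotion normally sets; check with Get-DnsClientServerAddress before creating records.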

dns record

  • invoke dns manager (ad01/server manager/dns/ad01)
  • DNS > ad01-rune.rune.local > forward lookup zones > rune.local > new host (A or AAAA)
  • should already have entry for ad01-rune
  • so for fw01, enter fw01-rune with the 10.0.5.2 IP address > Update associated PTR record to match
  • DNS > ad01-rune.rune.local > reverse lookup zones > new zone > network id 10.0.5.x
  • create PTR record for fw01-rune with the ip 10.0.5.2
  • refresh view!
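The DNS steps above (forward A record for fw01-rune, reverse zone for 10.0.5.x, PTR record) as PowerShell with the DnsServer module, plus the lookups that confirm both directions resolve, as an added example that is not from the lab journal. It assumes it runs on ad01 after promotion, where the DNS role installs the module, and that the reverse zone is Active Directory-integrated.

```powershell
# Added example (not from the lab journal): forward A record, reverse zone and PTR
# record for fw01-rune, then resolution checks. Assumption: run on ad01 after promotion.
Import-Module DnsServer

$zone    = 'rune.local'
$revNet  = '10.0.5.0/24'            # "network id 10.0.5.x" from the reverse zone wizard
$revZone = '5.0.10.in-addr.arpa'    # zone name DNS Manager derives from that network id

# Reverse zone first, so -CreatePtr below has a zone to put the PTR record in.
if (-not (Get-DnsServerZone -Name $revZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $revNet -ReplicationScope Domain
}

# ad01-rune already has an A record from promotion; add fw01-rune -> 10.0.5.2
# and let the cmdlet create the matching PTR record.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'fw01-rune' -IPv4Address '10.0.5.2' -CreatePtr

# The "refresh view!" step as queries against the server itself: forward and reverse.
Resolve-DnsName -Name "fw01-rune.$zone" -Type A   -Server 127.0.0.1
Resolve-DnsName -Name '10.0.5.2'        -Type PTR -Server 127.0.0.1

# List every A record the zone now holds, which is what wks01 will see when its
# DNS server is 10.0.5.5 (the "dns" assignment).
Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
```

If the PTR lookup returns nothing while the A lookup works, the reverse zone either does not exist yet or the A record was created before it, in which case Add-DnsServerResourceRecordPtr on the reverse zone fills the gap.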

that's probably as far as i would get in class :P
