{"id":95,"date":"2025-10-13T19:18:30","date_gmt":"2025-10-13T19:18:30","guid":{"rendered":"https:\/\/carlostech.com\/?p=95"},"modified":"2025-11-03T23:13:49","modified_gmt":"2025-11-03T23:13:49","slug":"active-directory-implementation-part-2","status":"publish","type":"post","link":"https:\/\/carlostech.com\/?p=95","title":{"rendered":"Active Directory Lab 2 – VMWare"},"content":{"rendered":"\n

Project Overview<\/strong><\/h2>\n\n\n\n

This project demonstrates the implementation of a Windows Server 2022 Active Directory environment using VMware Workstation Pro, focusing on organizational unit structure, user management, and Group Policy implementation in an enterprise-like configuration. We use a Windows 10 admin PC with RSAT downloaded to remotely configure Active Directory.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Domain controller installation and configuration were explained in our first AD lab, so we will not get into those details here.  Note:<\/em><\/strong> We typically download RSAT tools on our admin, remote PC and manage AD through there. This is done using the Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call (RPC) protocols.<\/p>\n\n\n\n

    \n
  • LDAP is what enables you to access as well as manage directory services over the network. It is conceptually similar to REST APIs (more on that in a future project). RPC is what makes it seem that you are locally on the server.<\/li>\n<\/ul>\n\n\n\n

    Organizational Unit Design<\/strong><\/h3>\n\n\n\n

    We designed an organizational structure that simulates an enterprise that spans globally. Using geographic-based OUs allows for location-specific Group Policy applications, delegated administration by region and a scalable design for future expansion. Here, we\u2019re just going to configure the USA folder \u2013 and we are going to create sub-OUs with the states of where our offices are located. In these state OUs, we\u2019re going to have our users, computers, servers, and groups.<\/p>\n\n\n\n

      \n
    • Note<\/em><\/strong>: In production environments, state-level OUs would typically include additional subdivisions such as offices, cities, or more specific business units for advanced granular management. <\/li>\n<\/ul>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      \"\"
      We created two users and configured them with a temporary password that they’ll have to change when they first logon using the GUI. In a production environment, there would most likely be standard naming conventions, the users would be placed into the correct groups, and password policies will be enforced (we’re doing this later as we just created this AD server).<\/figcaption><\/figure>\n\n\n\n
      \"\"
      We created two security groups using the GUI under the “Groups” OU. The IT group will have specific administrative privileges for IT operations and the Accounting group will have department-specific access rights. Here you can even divide the groups to be more specific such as the IT group being divided into Helpdesk, which have password reset rights, and IT-Admins which have more administrative privileges.<\/figcaption><\/figure>\n\n\n\n
        \n
      • If I added Peter to the ‘IT’ security group, he would have all the privileges\/permissions of that group and whatever permissions he already had assigned to him. If I created a GPO for the “Users” OU, but I did NOT want Peter to receive it, I can use the ‘GPO Security Filtering’ option to not allow the GPO to apply to the group “IT”. This is an example of how in-depth GPOs and AD administration can be.<\/li>\n\n\n\n
      • The OU structure can be nested to any depth that you require, which enables precise administrative segmentation based on whichever requirements you have. <\/li>\n<\/ul>\n\n\n\n
        \"\"<\/figure>\n\n\n\n

        Note<\/em><\/strong>: Security groups provide authorization and access control, while distribution groups serve exclusively for email distribution. This distinction is crucial for proper access management in enterprise environments.<\/p>\n\n\n\n

        Group Policy Implementation<\/h3>\n\n\n\n

        In Group Policy Management we begin creating different Group Policy Objects (GPOs). We created some for Account Lockout policies, Password Policies, restricting access to the Control Panel, and even disabling the use of USB devices.<\/p>\n\n\n\n

          \n
        • Note<\/em><\/strong>: There are two main ways to apply GPOs here. Either apply them to the computer themselves or the users. For password policies, we always want to apply it to the computer because we want everyone to have a secure password, so the computer will always force you to create a secure password.  For control panel access, we should configure it on a user basis. We don\u2019t want to completely lock out the control panel because what if an IT admin needs access to it? We just want to prevent users that shouldn\u2019t have the authority from reaching it.<\/li>\n\n\n\n
        • To put it simple: Configure computer configuration policies based on: \u201cIt doesn\u2019t matter who logs into this computer, this computer should behave in this manner always\u201d \u2013 by blocking USB storage use and enforcing password policies, the pc will always be hardened and secure.<\/li>\n\n\n\n
        • For user configurations, the key is: No matter which computer they log onto, this specific user should always have these settings\/permissions.<\/li>\n<\/ul>\n\n\n\n
          \"\"
          Here we are creating the GPO that disables all USB access through computer configuration.<\/figcaption><\/figure>\n\n\n\n
          \"\"
          Here we are creating the User configuration GPO that blocks the users who have this GPO applied to them or their group, access to the control panel.<\/figcaption><\/figure>\n\n\n\n
          \"\"
          You want to create these GPOs in the folder: Group Policy Objects. However, if you right click any other OU above this folder and even the actual domain name (carlostech.local), you can create GPOs straight from there and link them to that OU.<\/figcaption><\/figure>\n\n\n\n

          If you create the GPOs directly on the domain name, all OUs under it inherit the GPOs. This also applies for OUs nested under parent OUs if you link GPOs to the parent instead. <\/p>\n\n\n\n

          These GPOs will also automatically appear in the “Group Policy Objects folder” (this folder stores ALL GPOs no matter where you initially created them). By creating the GPOs in GPO folder, you don\u2019t link them anywhere just yet \u2013 they\u2019re just created.<\/p>\n\n\n\n

            \n
          • Before we link GPOs to wherever we deem necessary, let\u2019s go back to our Windows 10 Enterprise machine and join it to our domain \u2013 so we can test if GPOs applied. We do this in settings on our PC.<\/li>\n<\/ul>\n\n\n\n
            \"\"
            We see our PC is in our domain since it appears here.<\/figcaption><\/figure>\n\n\n\n
            \"\"
            Remember: you must change the DNS settings on the PC, so it points to the AD Server since it has DNS features downloaded on it. Then, join the PC into the domain through settings. <\/figcaption><\/figure>\n\n\n\n

            Note<\/em><\/strong>: VMWare creates virtual networks and provides a virtual DHCP\/DNS server; the 192.168.x.x network you see. Whenever a VM host needs to reach the actual Internet, it goes through your host computer (because this is a Type 2 Hypervisor).<\/p>\n\n\n\n

            \"\"
            We\u2019re going to move our desktop from the general OU \u201cComputers\u201d, into the correct one: \u201cComputers\u201d under the New York OU. Our two users are already in the correct location, under the OU \u201cUsers\u201d in New York.<\/figcaption><\/figure>\n\n\n\n

            We\u2019re then going to link our GPOs to the correct OUs. Our Computers OU, containing our Windows 10 Enterprise machine, is going to have linked the USB and Password Policy GPOs. The Users OU will receive the Control Panel, Drive Mapping (more on that in another project) and Wallpaper policies.<\/p>\n\n\n\n

            \"\"
            Now every single machine in the OU “Computers” is disabling the use of USB devices.<\/figcaption><\/figure>\n\n\n\n
            \"\"
            Here you see all the GPOs we created mapped to the correct OUs.<\/figcaption><\/figure>\n\n\n\n

            Now, let\u2019s test these GPOs. The one that would be easiest to check right now is the user\u2019s access to the Control Panel.<\/p>\n\n\n\n

            \"\"<\/figure>\n\n\n\n

            As you can see, in Peter\u2019s workstation I\u2019m still able to access the control panel. The reason this happens is because Group Policy updates over a period \u2013 not instantly, which is typically 90-120 minutes with a random offset of up to 30 minutes (this is to prevent network congestion \u2013 you do not want hundreds or even thousands of machines contacting the AD server at the same time to refresh their policies).<\/p>\n\n\n\n

            Therefore, we need to force this update onto the machine. There are various methods to do this:<\/p>\n\n\n\n