HERA
LAB ID: 2
ACTIVE DIRECTORY
Basic User Management and Group Policy with Active Directory
Summary
1. Lab Description
2. Goals
3. What you will learn
4. Important Notes
5. Tasks
     Task 1: Active Directory Users and Computers
        Task 1.1: Creating Organizational Units
        Task 1.2: Creating Accounts and Groups
     Task 2: Group Policy
        Task 2.1: Creating first computer GPO
        Task 2.2: Creating first user GPO
        Task 2.3: Linking GPOs
     Task 3: Client Computers
        Task 3.1: Force client update
        Task 3.2: Verify client receives settings
6. Solutions
     Task 1: Active Directory Users and Computers
        Task 1.1: Creating Organizational Units
        Task 1.2: Creating User Accounts
     Task 2: Group Policy
        Task 2.1: Creating first computer GPO
        Task 2.2: Creating first user GPO
        Task 2.3: Linking GPOs
     Task 3: Client Computers
        Task 3.1: Force client update
        Task 3.2: Verify client receives settings
eLearnSecurity s.r.l. © 2014 | H E R A
     1. LAB DESCRIPTION
In the following lab, you can practice the management and securing
techniques explained in the Practical Network Defense course – Active
Directory.
You will be creating this Active Directory structure.
   Els.local
      ELS
         IT Dept
            IT Admins
            Bob Doe
            Jane Smith
         Human Resources
            Alex Cry
            Dillon Mac
         Executives
            Users
               John Doe
            Computers
               Exec-1
               Exec-2
     2. GOALS
   • Create and organize Active Directory accounts
   • Create Group Policy Objects
   • Link GPOs to appropriate Organizational Units
     3. WHAT YOU WILL LEARN
  During this lab, you will learn how to work with Active Directory Users
  and Computers as well as the Group Policy Management Console. You
  will create your first accounts and first GPOs followed by applying the
  GPOs appropriately.
     4. IMPORTANT NOTES
   • Lab machines are not connected to the Internet; they are in a
     private testing environment just for you.
   • During UAC prompts, enter the student account credentials.
   • The domain controller is dc1.els.local at 10.10.250.5.
   • The client PC is exec-1.els.local at 10.10.250.100.
   • You can use an RDP connection to access the domain machines. The
     credentials are:
       o Username: els\elsstudent
       o Password: Guest#2014#
     5. TASKS
Task 1: Active Directory Users and Computers
The first step of this lab is to create the needed user accounts and
organizational units for our environment.
Task 1.1: Creating Organizational Units
Create multiple and nested organizational units based on the Active
Directory diagram.
Task 1.2: Creating Accounts and Groups
Create the missing users from the diagram.
   • Add the users of the I.T. department to the IT Admins security
     group.
   • Ensure new user accounts must change their password upon first
     login.
   • Ensure the security group and computers are also placed in the
     appropriate organizational unit.
Task 2: Group Policy
Task 2.1: Creating first computer GPO
Create a computer-based GPO which disables the Guest account.
Task 2.2: Creating first user GPO
Create a user-based GPO which sets a preference to hide the Control
Panel from the Start menu.
Task 2.3: Test Control Panel Visibility
Reset the password of one of the standard users, then log in to the
Windows 7 client via RDP.
Check if Control Panel is visible within the Start Menu.
Task 2.4: Linking GPOs
Link the GPOs to:
   • Disable the Guest account on the Executives’ computers.
   • Disable the Control Panel for all the users in the ELS OU except the
     IT Department ones.
   • Make an exception for the IT Department: let them keep the
     Control Panel enabled. Ensure the IT OU is exempt from inherited
     GPOs.
Task 3: Client Computers
Task 3.1: Force client update
Log in to the domain controller and force a policy update on the machines
under the ELS OU.
Task 3.2: Verify client receives settings
Log in again to EXEC-1 (10.10.250.100) and verify it receives the
Group Policy settings. Test whether or not you can see Control Panel
from the Start Menu.
Test the policy by logging in as users from different groups.
     6. SOLUTIONS
Task 1: Active Directory Users and Computers
Task 1.1: Creating Organizational Units
Once you open the Active Directory Users and Computers snap-in, you
can create new OUs by right-clicking on the Active Directory tree and
selecting New > Organizational Unit.
After you create the OUs, they should appear as follows:
Task 1.2: Creating User Accounts
First, we need to check the ELS folder to see what accounts already exist.
We find Alex Cry, Jane Smith and John Doe.
We can simply click and drag these users from the ELS OU into the
correct OU. We do the same for the two computer accounts.
Now that we know which users exist, we can create the rest. You can
create the new user directly in the target OU by right-clicking on the OU
and going to New > User.
The first step of the wizard prompts for the username information.
The following screen prompts for the initial password. We can place a
checkmark next to “User must change password at next logon”.
After we have created the accounts, we can add the I.T. employees to
the IT Admins security group by clicking on the group, going to Members
and selecting Add.
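The same structure can be built from PowerShell on the domain controller. The script below is an added example, not part of the original lab; it assumes the ActiveDirectory module, the DN OU=ELS,DC=els,DC=local for the ELS OU, that the existing accounts and the IT Admins group sit directly under it, and the logon names bdoe and dmac are hypothetical.

```powershell
Import-Module ActiveDirectory

# Assumption: distinguished name of the existing ELS OU in els.local.
$els = 'OU=ELS,DC=els,DC=local'

# Department OUs, then the two OUs nested under Executives.
foreach ($ou in 'IT Dept', 'Human Resources', 'Executives') {
    New-ADOrganizationalUnit -Name $ou -Path $els
}
foreach ($ou in 'Users', 'Computers') {
    New-ADOrganizationalUnit -Name $ou -Path "OU=Executives,$els"
}

# Move the objects that already exist directly under ELS (assumed location).
$moves = @{
    'Jane Smith' = "OU=IT Dept,$els"
    'IT Admins'  = "OU=IT Dept,$els"
    'Alex Cry'   = "OU=Human Resources,$els"
    'John Doe'   = "OU=Users,OU=Executives,$els"
    'Exec-1'     = "OU=Computers,OU=Executives,$els"
    'Exec-2'     = "OU=Computers,OU=Executives,$els"
}
foreach ($name in $moves.Keys) {
    Get-ADObject -Filter "Name -eq '$name'" -SearchBase $els -SearchScope OneLevel |
        Move-ADObject -TargetPath $moves[$name]
}

# Create the missing users; the logon names are hypothetical.
$initial = Read-Host -AsSecureString 'Initial password'
$new = @(
    @{ Name = 'Bob Doe';    Sam = 'bdoe'; Path = "OU=IT Dept,$els" },
    @{ Name = 'Dillon Mac'; Sam = 'dmac'; Path = "OU=Human Resources,$els" }
)
foreach ($u in $new) {
    New-ADUser -Name $u.Name -SamAccountName $u.Sam -Path $u.Path `
        -AccountPassword $initial -Enabled $true -ChangePasswordAtLogon $true
}

# Every user placed in IT Dept becomes a member of IT Admins.
Add-ADGroupMember -Identity 'IT Admins' `
    -Members (Get-ADUser -Filter * -SearchBase "OU=IT Dept,$els")

# Check placement and the change-at-next-logon flag (pwdLastSet = 0).
Get-ADUser -Filter * -SearchBase $els -Properties pwdLastSet |
    Select-Object Name, DistinguishedName,
        @{ n = 'MustChange'; e = { $_.pwdLastSet -eq 0 } }
```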
Task 2: Group Policy
Task 2.1: Creating first computer GPO
To create GPOs, we first open the Group Policy Management snap-in.
Right-click on Group Policy Objects, select New and give our GPO a name.
Select the new policy, right-click on it and select “Edit”. Navigate down
the hierarchy to the Security Options.
The setting we wish to change will be the third option in the right pane.
We want to place a check next to “Define this policy setting” and set it to
“Disabled”.
Task 2.2: Creating first user GPO
For this task, we will create another GPO and give it a name. Then
navigate to the Start Menu selection under Control Panel Settings.
Right-click in the pane and select New > Start Menu.
Scroll down to the Control Panel option and select “Do not display this
item”.
Task 2.3: Test Control Panel Visibility
To test the Control Panel visibility, we have to log in to the Windows
client before linking the GPO.
Reset the password on one of the standard users in Active Directory
then use their credentials to connect to the Windows 7 client via RDP.
Open Start Menu and verify Control Panel is present.
Task 2.4: Linking GPOs
First we want to apply the Disable Guest Account GPO to the computers
which belong in the Executives OU. The easiest way to accomplish this is
to click and drag the Disable Guest Account GPO to the Computers OU
(under Executives).
For the Control Panel GPO, we need to apply it to all the OUs except the
IT Dept one.
We must also ensure the IT Dept OU is exempt from inheriting GPOs.
First, we right-click on the IT Dept OU and select “Block inheritance”.
Now we can apply the Disable Control Panel GPO to the ELS OU and it
will be inherited by all OUs below it except for IT Dept.
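The links and the inheritance block from this task, expressed with the GroupPolicy module and followed by a check of what each OU will actually process. This is an added example, not part of the original lab; it assumes the two GPOs already exist under the names Disable Guest Account and Disable Control Panel used in the text, and the DN OU=ELS,DC=els,DC=local for the ELS OU.

```powershell
Import-Module GroupPolicy, ActiveDirectory

# Assumption: distinguished name of the ELS OU in els.local.
$els = 'OU=ELS,DC=els,DC=local'

# Computer GPO: link only to the Executives' Computers OU.
New-GPLink -Name 'Disable Guest Account' `
    -Target "OU=Computers,OU=Executives,$els" -LinkEnabled Yes

# Block inheritance on IT Dept before linking the user GPO at the ELS level,
# so IT users never process it.
Set-GPInheritance -Target "OU=IT Dept,$els" -IsBlocked Yes
New-GPLink -Name 'Disable Control Panel' -Target $els -LinkEnabled Yes

# Verify every OU under ELS: is inheritance blocked, and which GPOs
# (the list shown on the Group Policy Inheritance tab) apply there?
Get-ADOrganizationalUnit -Filter * -SearchBase $els | ForEach-Object {
    $som = Get-GPInheritance -Target $_.DistinguishedName
    [pscustomobject]@{
        OU        = $_.DistinguishedName
        Blocked   = $som.GpoInheritanceBlocked
        Effective = ($som.InheritedGpoLinks | ForEach-Object {
            if ($_.Enforced) { "$($_.DisplayName) (enforced)" }
            else             { $_.DisplayName }
        }) -join '; '
    }
} | Format-Table -AutoSize -Wrap
```

For IT Dept, Blocked should be True and Disable Control Panel should be absent from the list. Block inheritance also drops every other non-enforced GPO linked above that OU, while links marked Enforced still apply.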
Task 3: Client Computers
Task 3.1: Force client update
There are a couple of different ways we can force our client machines to
process Group Policy updates.
The easiest way is within the Group Policy Management Console. This
method can only be used with Windows Server 2012 and Windows 8.
Right-click on the ELS OU and select “Group Policy Update”.
It will return a prompt verifying how many machines will process the
updates and ask you to confirm the policy refresh. Select Yes.
Now, let us take a look at the PowerShell method, which works for
servers and clients prior to Windows 8. This method does require your
target computers to have PowerShell remote management enabled.
First, we need to query the ELS OU in Active Directory for all computers;
we will store the results in the variable, $computers. Then we will check
the $computers variable to verify we have what we need.
Since we will be remotely connecting to domain computers, we need to
specify our credentials.
Now, let us initiate an open session to all computers in our $computers
variable. Then we will check the $session variable to see which
connections have been established.
Note: you will receive an error on the Exec-2 computer because it is
offline.
Now we run the gpupdate command against all computers in our session
variable.
We see our gpupdate was processed successfully on our client machine!
More information on this update method can be found on TechNet.
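The PowerShell steps described above, written out as one script. This is an added example, not the commands from the original lab; it assumes the ActiveDirectory module on the domain controller, PowerShell remoting enabled on the clients, and the DN OU=ELS,DC=els,DC=local for the ELS OU.

```powershell
Import-Module ActiveDirectory

# 1. Query the ELS OU (and its child OUs) for computer accounts.
$computers = Get-ADComputer -Filter * -SearchBase 'OU=ELS,DC=els,DC=local' |
    Select-Object -ExpandProperty Name
$computers

# 2. Credentials for the remote connections (prompted, never hard-coded).
$cred = Get-Credential

# 3. Open a session to each computer. Offline machines (Exec-2 in this lab)
#    raise an error; collect the errors instead of stopping.
$session = New-PSSession -ComputerName $computers -Credential $cred `
    -ErrorAction SilentlyContinue -ErrorVariable connectErrors
$session

$reached = @($session | ForEach-Object { $_.ComputerName })
$missed  = @($computers | Where-Object { $reached -notcontains $_ })
if ($missed) { Write-Warning "No session to: $($missed -join ', ')" }

# 4. Refresh computer policy on every reachable machine and keep the exit
#    code. User settings are picked up at the user's next logon or at the
#    next background refresh.
if ($session) {
    $results = Invoke-Command -Session $session -ScriptBlock {
        $out = gpupdate /target:computer /force 2>&1
        [pscustomobject]@{
            ExitCode = $LASTEXITCODE
            Output   = ($out | Out-String).Trim()
        }
    }
    $results | Select-Object PSComputerName, ExitCode, Output | Format-List

    # 5. Close the sessions once the refresh has run.
    Remove-PSSession -Session $session
}
```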
Task 3.2: Verify client receives settings
Now let us connect to our client machine to verify it has received the
Group Policy updates.
After we connect, open the Command Prompt. We will run a command
to create a report on the Group Policy settings applied to our machine.
The report will be presented in a hierarchy view. If we expand Summary
> Computer Configuration > General > Group Policy Objects > Applied
GPOs, we can see which GPOs were applied to our machine during the
last Group Policy refresh, as well as where the GPO is linked to within
the A.D. tree.
Lastly, if we log in to the Windows 7 client as a standard user, we should
see that the Control Panel link is gone.
Remember: this specific GPO did not restrict their access to Control
Panel, it simply hid the link from the Start Menu.