Active Directory (AD) : Tips and Tricks To Keep AD Healthy and Secure

The document provides comprehensive tips and tricks for maintaining a healthy and secure Active Directory (AD), including regular backups, strong password policies, and monitoring AD activity. It emphasizes the importance of implementing security measures such as Multi-Factor Authentication (MFA), role-based access control, and regular security training for users. Additionally, it includes guidance on configuring a DHCP server and setting up Active Directory Domain Services (AD DS) on a Windows Server.


9/16/2024

Active Directory (AD): Tips and Tricks to Keep AD Healthy and Secure

Golam Kibria Ezaz


Here are some tips and tricks to keep Active Directory (AD) healthy and
secure.

1. Regular Backups

Just like we back up important files, backing up AD ensures we can recover if
something goes wrong. Schedule regular backups of the AD database and
system state. If our AD is compromised or data is lost, we’ll be able to restore it
quickly.

2. Strong Password Policies

Weak passwords are easy to guess and can let hackers access our system.
Enforce a password policy that requires complex passwords (mix of letters,
numbers, and symbols). Make sure passwords expire regularly so users change
them often.

3. Monitor AD Activity

Monitoring AD helps us spot unusual activity that could indicate a security
threat. Set up audit logs to track who logs in, changes settings, or accesses
critical files. Review these logs regularly to catch any suspicious behavior.

4. Use the Principle of Least Privilege

Not everyone needs full access to everything. Limiting permissions reduces the
risk of accidental or malicious damage. Give users only the permissions they
need for their tasks. Review permissions regularly to ensure they stay
appropriate.

5. Secure Administrative Accounts

Admin accounts have the highest level of access, so they are prime targets for
attackers. Create separate accounts for admin tasks and day-to-day activities.
Use Multi-Factor Authentication (MFA) to add an extra layer of security. Don’t
use admin accounts for regular tasks like checking email.

6. Regularly Update and Patch Systems

Tips and tics to keep AD healthy and secure Page 1 of 7


Outdated systems are more vulnerable to security risks. Keep AD, servers, and
related software updated with the latest security patches. Enable automatic
updates where possible.

7. Organize with Group Policies

Group Policies help us control what users can and cannot do on their computers,
making AD more secure and easier to manage. Use Group Policy Objects
(GPOs) to apply consistent security settings, like disabling weak encryption or
locking screens after inactivity.

8. Implement Multi-Factor Authentication (MFA)

MFA adds another layer of protection by requiring users to provide a second
form of identification (like a text message code or mobile app approval) along
with their password. Enable MFA for all users, especially admins. This way,
even if a password is stolen, the attacker can’t get in without the second factor.

9. Regularly Review and Clean Up AD

Over time, AD can become cluttered with old accounts, groups, and
permissions, which increases security risks. Periodically review and clean up old
or unused user accounts and security groups. Disable or delete accounts of users
who no longer work for the organization.
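An added example, not from the original document, of the clean-up this tip describes done with PowerShell: list enabled user accounts that have not logged on for 90 days, and only on a second run with -Apply disable them and record why in the account description. The ActiveDirectory module is assumed to be present; the 90-day window and the description text are choices made for this example.

```powershell
# Added example: stale-account review for tip 9. Report first, disable later.
# Assumptions: ActiveDirectory module available; 90 days is an example window.
Import-Module ActiveDirectory

function Get-StaleAdUser {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    # Search-ADAccount evaluates lastLogonTimestamp, which replicates to every DC
    # but can trail the real last logon by up to ~14 days: treat hits as candidates.
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, whenCreated, Description
        } |
        Where-Object { $_.whenCreated -lt $cutoff } |   # ignore accounts newer than the window
        Select-Object SamAccountName, LastLogonDate, whenCreated, Description, DistinguishedName
}

function Disable-StaleAdUser {
    param([int]$Days = 90, [switch]$Apply)
    foreach ($u in Get-StaleAdUser -Days $Days) {
        if (-not $Apply) {
            Write-Output ("would disable {0} (last logon {1})" -f $u.SamAccountName, $u.LastLogonDate)
            continue
        }
        Disable-ADAccount -Identity $u.DistinguishedName
        # Leave a trail in the object itself so the next admin knows why it is off.
        Set-ADUser -Identity $u.DistinguishedName -Description (
            "Disabled as inactive on {0:yyyy-MM-dd}. Previous description: {1}" -f (Get-Date), $u.Description)
    }
}

Get-StaleAdUser | Format-Table -AutoSize   # review the list first
Disable-StaleAdUser                        # dry run: prints what would change
# Disable-StaleAdUser -Apply               # disable once the list has been reviewed
```

Disabling rather than deleting keeps the SID and group memberships for the retention period, so a wrongly flagged account can be re-enabled without a restore.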

10. Monitor and Protect Domain Controllers

Domain Controllers (DCs) are the heart of AD, and if they are compromised, our
entire AD is at risk. Limit access to DCs to only trusted admins, ensure DCs are
secured with firewalls, and regularly monitor them for suspicious activity.
Protect physical access to servers as well.

11. Use Role-Based Access Control (RBAC)

This ensures that users have only the access they need based on their role.
Create roles for different levels of users (like HR, IT, Sales) and assign
permissions based on these roles rather than giving individual users too much
access.

12. Regular Security Training for Users

Many security threats come from users accidentally making mistakes, like
clicking on phishing links. Educate users regularly about security best practices,
such as avoiding suspicious links, reporting phishing emails, and using strong
passwords.

13. Set Account Lockout Policies

Hackers may try to guess passwords by repeatedly entering them (called brute-
force attacks). Set up an account lockout policy that temporarily locks accounts
after several failed login attempts. This slows down attackers and prevents them
from guessing passwords.

14. Enable Logging and Alerting

Logs provide a history of actions taken in AD, while alerts help notify us of
potential issues right away. Enable logging for key actions like login attempts
and changes to sensitive information. Set up alerts to notify us if there are
repeated failed logins or if a user suddenly gains elevated privileges.
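An added example, not from the original document, that turns the advice in tips 3, 13 and 14 into a review script for a domain controller's Security log: repeated failed logons per account, lockouts with the computer they came from, and additions to security groups. The 24-hour window, the threshold of 10 failures and the audit subcategories are assumptions made for this example; on a domain controller the audit settings are normally delivered by the Default Domain Controllers Policy GPO, and auditpol is used here so the script works in a lab.

```powershell
# Added example: review a DC's Security log for the signals tips 3, 13 and 14
# describe. Run in an elevated PowerShell on the domain controller.
# Assumptions: lookback window, failure threshold and audit subcategories below
# were chosen for this example.

# Without these subcategories the events never reach the log.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

$Since     = (Get-Date).AddHours(-24)
$Threshold = 10    # failed logons per account before we report it

# 4625 failed logon, 4740 account locked out,
# 4728 / 4732 / 4756 member added to a global / local / universal security group.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4740, 4728, 4732, 4756
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Pull one named field out of an event's XML payload.
function Get-EventField($Record, [string]$Name) {
    $data = ([xml]$Record.ToXml()).Event.EventData.Data
    ($data | Where-Object Name -eq $Name).'#text'
}

# Repeated failed logons, grouped by the account that was targeted.
$events | Where-Object Id -eq 4625 |
    ForEach-Object { Get-EventField $_ 'TargetUserName' } |
    Group-Object | Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Account'; e = { $_.Name } }, Count

# Lockouts: in 4740, TargetDomainName carries the computer the bad attempts came from.
$events | Where-Object Id -eq 4740 | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = Get-EventField $_ 'TargetUserName'
        Source  = Get-EventField $_ 'TargetDomainName'
    }
}

# Privilege changes: who added whom to which group.
$events | Where-Object { $_.Id -in 4728, 4732, 4756 } | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Group   = Get-EventField $_ 'TargetUserName'
        Member  = Get-EventField $_ 'MemberName'
        AddedBy = Get-EventField $_ 'SubjectUserName'
    }
}
```

Scheduling this as a daily task and mailing the three tables is the simplest form of the alerting the tip asks for; a SIEM (tip 29) does the same continuously.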

15. Secure LDAP (Lightweight Directory Access Protocol)

LDAP is how AD communicates, and if not secured, attackers can intercept or
manipulate this communication. Use LDAP over SSL (LDAPS) to encrypt
communication between AD and other systems. This ensures data exchanged is
secure and cannot be tampered with.

16. Enable Fine-Grained Password Policies

Not every user or group in our organization needs the same password policy. For
example, admins might need stricter rules. Use Fine-Grained Password Policies to
apply different password policies for different groups, such as requiring longer or
more complex passwords for privileged users.
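An added example, not from the original document, covering tips 2, 13 and 16 together: inspect the domain-wide password policy, set its complexity and lockout values, and add a stricter fine-grained policy for privileged users. The numeric settings and the policy name PSO-PrivilegedUsers are example values, not figures from the text; fine-grained policies need a domain functional level of Windows Server 2008 or later.

```powershell
# Added example for tips 2, 13 and 16. Values are illustrative, not a baseline.
Import-Module ActiveDirectory

# 1. See what applies today before changing anything.
Get-ADDefaultDomainPasswordPolicy

# 2. Domain-wide policy: complexity, history and lockout (tips 2 and 13).
Set-ADDefaultDomainPasswordPolicy -Identity 'kibria.local' `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# 3. Stricter rules for privileged users (tip 16). When a user falls under
#    several PSOs the lowest Precedence wins.
$pso = 'PSO-PrivilegedUsers'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$pso'")) {
    New-ADFineGrainedPasswordPolicy -Name $pso -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 20 `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 24 `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Domain Admins'

# 4. Verify which policy a given account actually gets.
Get-ADUserResultantPasswordPolicy -Identity 'Administrator'
```

The last command is the check that matters: a PSO that is created but applied to the wrong group silently leaves the default policy in force.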

17. Implement Tiered Administrative Models



Separating administrative roles into tiers reduces the risk of one compromised
account leading to total AD control. Create Tier 0, Tier 1, and Tier 2 admin models.
For instance, Tier 0 manages AD, Tier 1 manages servers, and Tier 2 handles
workstations. Each tier should have isolated access to limit cross-tier threats.

18. Use Group Managed Service Accounts (gMSAs)

Managing service accounts manually can be difficult and prone to errors like
password mismanagement. Use gMSAs, which automatically manage passwords
for services that run across multiple servers, improving security and ease of
management.
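An added example, not from the original document, of creating a gMSA for a service that runs on two web servers. The group name gMSA-WebServers, the account name svc-web and the host names web01 and web02 are placeholders; the domain is the kibria.local used elsewhere in this document.

```powershell
# Added example for tip 18. Names are placeholders.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# -EffectiveImmediately still waits ~10 hours for replication in a real forest.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only members of this group may retrieve the account's password.
New-ADGroup -Name 'gMSA-WebServers' -GroupScope Global -GroupCategory Security `
    -Description 'Hosts allowed to use the svc-web gMSA'
Add-ADGroupMember -Identity 'gMSA-WebServers' -Members (Get-ADComputer web01), (Get-ADComputer web02)

# The account: password rotated by AD every 30 days, AES-only Kerberos.
# The rotation interval can only be set at creation time.
New-ADServiceAccount -Name 'svc-web' -DNSHostName 'svc-web.kibria.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-WebServers' `
    -ManagedPasswordIntervalInDays 30 -KerberosEncryptionType AES256

# On each host, after a reboot so its Kerberos ticket carries the new group:
Install-ADServiceAccount -Identity 'svc-web'
Test-ADServiceAccount -Identity 'svc-web'   # True when this host can fetch the password
# The service is then configured to log on as KIBRIA\svc-web$ with an empty password.
```

Because no human ever knows the password, it cannot be reused elsewhere or leak through a script; the group membership is the only thing to review.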

19. Implement Time-Based Access

Limiting the time frame when accounts can be used adds another security layer.
Use Time-Based Group Membership to temporarily elevate user privileges for a
specific task and automatically revoke access after a set period.

20. Use Smart Cards or Passwordless Authentication

Passwords alone can be vulnerable to attacks like phishing or brute-force attacks.
Implement Smart Cards or passwordless methods like Windows Hello for Business
for two-factor authentication. These options are more secure than traditional
password-based authentication.

21. Set Up Conditional Access

Conditional access controls access based on specific conditions, like location or
device security status, adding extra protection. Use Conditional Access Policies to
limit access based on certain conditions, like requiring MFA if a user tries to log in
from outside the company’s network.

22. Protect Against Kerberos Attacks

Attackers can exploit weaknesses in Kerberos (AD’s authentication protocol) to
gain access. Mitigate Kerberos attacks by enabling features like Extended
Protection for Authentication and using AES encryption for Kerberos tickets.



23. Enable Windows Defender for Identity (formerly Azure ATP)

It helps detect and respond to advanced threats targeting Active Directory. Use
Windows Defender for Identity to identify suspicious activities such as lateral
movement, brute-force attacks, and privilege escalation within our AD environment.

24. Audit and Remove Legacy Protocols

Older authentication protocols like NTLM are less secure and can be exploited by
attackers. Audit your network for the use of legacy protocols, such as NTLM or
older versions of SMB. Disable or replace these with modern, secure alternatives
like Kerberos and SMBv3.
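An added example, not from the original document, of the audit-then-disable approach this tip recommends for NTLM and SMBv1. The registry values are the ones behind the Group Policy settings "Network security: Restrict NTLM: ..." under Security Options and would be deployed by GPO in production; the per-machine commands here are for a lab domain controller.

```powershell
# Added example for tip 24: measure legacy protocol use before switching it off.
# Run elevated. In production set the NTLM values through Group Policy.

# --- NTLM: audit first ---
# Domain controllers: log NTLM authentication in the domain (7 = all).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name AuditNTLMInDomain -Type DWord -Value 7
# Every server: audit incoming NTLM (2 = all accounts) and outgoing NTLM (1 = audit only).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name AuditReceivingNTLMTraffic -Type DWord -Value 2
Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Type DWord -Value 1

# After a few days: which accounts and machines still authenticate with NTLM?
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004 } `
    -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# --- SMBv1: audit, then remove ---
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
Set-SmbServerConfiguration -AuditSmb1Access $true -Force   # SMB1 clients appear as event 3000
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
# Once the audit log stays quiet:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Uninstall-WindowsFeature FS-SMB1
```

The audit events name the client, so each remaining NTLM or SMB1 user can be fixed (usually a printer, NAS or old application) before the protocol is blocked and something breaks.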

25. Isolate Domain Controllers

Keeping Domain Controllers (DCs) isolated reduces the chance of them being
compromised in case of a broader attack. Place DCs in a separate, secured network
segment with limited access to reduce the attack surface. Restrict who can access
these servers and monitor their traffic closely.

26. Enable Secure Boot and BitLocker Encryption

Physical attacks on servers or devices can compromise AD security. Enable Secure
Boot and use BitLocker to encrypt the drives of critical servers, including DCs.
This prevents unauthorized access to the data if someone physically steals or
tampers with the hardware.

27. Perform Regular Penetration Testing

Testing your AD environment for weaknesses ensures you stay ahead of potential
security threats. Conduct regular penetration testing to find vulnerabilities that an
attacker might exploit. Focus on areas like user accounts, permissions, and
authentication methods.

28. Regularly Test Your Disaster Recovery Plan



It’s not enough to back up AD—we need to be sure we can restore it when needed.
Periodically test our disaster recovery plan to ensure that backups work and can be
restored quickly in case of a system failure, data breach, or attack.

29. Monitor AD with SIEM Tools

Security Information and Event Management (SIEM) tools give us a real-time
view of activities across AD and can alert you to potential threats. Integrate AD
monitoring with a SIEM tool like Azure Sentinel or Splunk. These tools analyze
logs and provide actionable insights into potential security threats.

30. Implement Certificate-Based Authentication

Certificates provide a stronger, more secure way to verify identities than passwords.
Deploy certificate-based authentication for critical systems and services, especially
for sensitive accounts like admins. This makes it harder for attackers to impersonate
users.

31. Document Your AD Environment

Documentation helps us understand how AD is set up and makes troubleshooting
easier. Maintain up-to-date documentation that outlines our AD structure, including
OUs, GPOs, and delegated permissions. Document any changes or updates to the
AD environment, so future admins can easily understand what’s been done.

32. Use Active Directory Recycle Bin

Accidental deletions of user accounts or OUs can happen and cause a lot of
disruption. Enable the AD Recycle Bin feature, which allows us to recover deleted
objects (like users or groups) easily without the need for a full restore. This is a
quick way to undo mistakes.
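An added example, not from the original document, that serves tip 19 (time-based group membership) and tip 32 (AD Recycle Bin) together, since both depend on forest-wide optional features enabled the same way. The user john.doe and the four-hour window are placeholders. Both features need the matching forest functional level (Recycle Bin: Windows Server 2008 R2; Privileged Access Management: Windows Server 2016) and cannot be switched off again once enabled.

```powershell
# Added example for tips 19 and 32. Placeholders: john.doe, 4-hour TTL.
Import-Module ActiveDirectory
$forest = (Get-ADForest).Name

foreach ($feature in 'Recycle Bin Feature', 'Privileged Access Management Feature') {
    $f = Get-ADOptionalFeature -Identity $feature
    if ($f.EnabledScopes.Count -eq 0) {
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
            -Target $forest -Confirm:$false
    }
}

# Tip 19: membership that expires by itself. The TTL is stored on the link and
# the Kerberos ticket issued to the user is capped to the same lifetime.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'john.doe' `
    -MemberTimeToLive (New-TimeSpan -Hours 4)
# Remaining TTLs are shown as <TTL=seconds,DN> in the member attribute.
(Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive).member

# Tip 32: bring a deleted user back with SID and group memberships intact.
# Deleted objects keep their old name with a suffix, hence the wildcard.
Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and Name -like 'John Doe*' } `
    -IncludeDeletedObjects -Properties LastKnownParent |
    Restore-ADObject
```

Restore-ADObject puts the object back under its LastKnownParent, so if the containing OU was deleted as well, restore the OU first.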

______๑♡⁠๑______
Changing Dynamic IP to Static, Computer Name, and Time Zone in a Local Server

1. Change Dynamic IP to Static IP

To configure a static IP address for our server, follow these steps:

1. Open Local Server: Go to the Local Server option from the server dashboard.
2. Access Ethernet Properties:
o Locate the Ethernet connection under Properties.
o Right-click on Ethernet and select Properties.
3. Configure TCP/IP Settings:
o Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
o In the IP Address field, enter 192.168.0.110.
o For Subnet Mask, use 255.255.255.0.
o For Default Gateway, enter 192.168.0.1.
4. Set DNS Server:
o In the Preferred DNS server, enter 192.168.0.110.
o Optionally, you can set the Alternate DNS server as 8.8.8.8.
5. Save Changes: Click OK to save the changes.

2. Change Computer Name

To change the computer name of the server:

1. Open Local Server: Go to the Local Server option.
2. Access Computer Name Settings:
o Click on the current Computer Name
o A new window will open. Click Change.
3. Change the Name:
o In the Computer Name field, enter the new name we want for our
server.
4. Restart to Apply Changes: After entering the new name, click OK. Restart the
server for the changes to take effect.

Windows Server Basic Configuration Page 1 of 2


3. Change Time Zone

To adjust the time zone of the server:

1. Open Local Server: Go to the Local Server option.
2. Access Time Zone Settings:
o Click on the current Time Zone displayed.
o In the Date and Time window, click Change time zone....
3. Select Dhaka Time Zone:
o From the dropdown list, select (UTC+06:00) Dhaka.
o Click OK to save the changes.

4. Managing Services in Red (Optional)

If we notice any services marked with a red color in the dashboard:

1. Open the Service: Click on the service showing the red status.
2. Disable Automatic Delayed Start:
o Uncheck Automatic (Delayed Start).
o Ensure Automatic is selected instead.
3. Save Changes: Click OK to apply the settings.

This documentation should guide users through changing a server's dynamic IP to static,
renaming the computer, adjusting the time zone, and managing red-marked services
efficiently.
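An added example, not from the original document, doing the same three changes from an elevated PowerShell prompt with the values given above. It assumes the adapter is named Ethernet (check with Get-NetAdapter) and that the new computer name is dcserver, the name used later in this document.

```powershell
# Added example: static IP, time zone and computer name from PowerShell.
# Assumptions: adapter alias "Ethernet", new name "dcserver".
$Adapter = 'Ethernet'

# 1. Static IP: turn DHCP off on the interface, drop the leased address and
#    gateway, then assign 192.168.0.110/24 (255.255.255.0) via 192.168.0.1.
Set-NetIPInterface -InterfaceAlias $Adapter -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress 192.168.0.110 -PrefixLength 24 -DefaultGateway 192.168.0.1
# Preferred DNS is the server itself (it will host AD DNS); 8.8.8.8 as alternate.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses 192.168.0.110, 8.8.8.8

# 2. Time zone. The Windows ID behind "(UTC+06:00) Dhaka" can be found with
#    Get-TimeZone -ListAvailable | Where-Object DisplayName -like '*Dhaka*'
Set-TimeZone -Id 'Bangladesh Standard Time'

# 3. Check both before the reboot the rename requires.
Get-NetIPConfiguration -InterfaceAlias $Adapter
Get-TimeZone

# 4. Rename last; -Restart reboots so the new name takes effect.
Rename-Computer -NewName 'dcserver' -Force -Restart
```

Rename before promoting to a domain controller: renaming a DC afterwards is possible but involves extra steps, which is why the order here matters.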

~~>_<~~



Setting up and Configuring a DHCP Server

1. Setting Up DHCP Server

To set up a DHCP server, follow the steps below:

1. Access Server Manager: Open Server Manager from the dashboard.
2. Start Adding DHCP Role:
o Click on Manage (found at the top-right corner of the dashboard).
o Select Add Roles and Features from the dropdown menu.
3. Before You Begin:
o In the Before You Begin window, click Next to continue.
4. Installation Type:
o Select Role-based or feature-based installation.
o Click Next.
5. Server Selection:
o Your server name and IP address will be displayed automatically.
o Confirm the correct server is selected and click Next.
6. Server Roles:
o In the Select server roles window, check DHCP Server.
o A pop-up will appear to Add Features. Click Add Features.
o Click Next.
7. DHCP Server Information:
o Simply click Next on this window to proceed.
8. Confirmation and Installation:
o In the Confirmation window, check the box that says Restart the
destination server automatically if required.
o Click Install.
9. Wait for Installation:
o The DHCP server role will now be installed. Once completed, click
Close.

Setup DHCP Server Page 1 of 3


2. Configuring the DHCP Server

After successfully installing the DHCP server, follow these steps to configure it:

1. Access DHCP Management:
o From Server Manager, go to the top-right corner and click Tools.
o Select DHCP from the dropdown menu.
2. Open IPv4 Configuration:
o In the DHCP window, select your server's device name.
o Expand the IPv4 section.
o Right-click IPv4 and select New Scope.
3. Create a New Scope:
o In the New Scope Wizard, click Next.
o Name the Scope: Enter a name for the scope, e.g., kibria.local.
o Click Next.
4. Set the IP Range:
o Start IP Address: Enter 192.168.0.160.
o End IP Address: Enter 192.168.0.200.
o Click Next.
5. Exclusions and Delay:
o Enter an exclusion range to prevent specific addresses from being
assigned.
o Exclusion Range: 192.168.0.170 to 192.168.0.180.
o Click Add, then click Next.
6. Set Lease Duration:
o Set the Lease Duration to 8 days.
o Click Next.
7. Configure DHCP Options:
o Select Yes, I want to configure these options now.
o Click Next.
8. Set Router (Default Gateway):
o Enter the Default Gateway IP address: 192.168.0.1.
o Click Add, then click Next.
9. Continue with DHCP Options:
o Keep clicking Next through the following screens to configure the
remaining options.



10. Activate the Scope:
o Select Yes, I want to activate this scope now.
o Click Next, then Finish to complete the configuration.

This step-by-step documentation will guide users through setting up and configuring a
DHCP server, ensuring proper setup for managing IP addresses within the network.
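An added example, not from the original document, that performs the role installation, scope, exclusion and options above from PowerShell. It assumes the server is the domain controller dcserver.kibria.local at 192.168.0.110 and that the scope lives in the 192.168.0.0/24 subnet.

```powershell
# Added example: DHCP role and scope from PowerShell. Assumptions: the server is
# dcserver.kibria.local at 192.168.0.110; subnet 192.168.0.0/24.
Install-WindowsFeature DHCP -IncludeManagementTools

# A DHCP server in an AD domain must be authorised before it serves leases;
# the same check keeps an unauthorised server on a domain-joined machine silent.
Add-DhcpServerInDC -DnsName 'dcserver.kibria.local' -IPAddress 192.168.0.110
# Tell Server Manager the post-install configuration has been done.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2

# Scope 192.168.0.160-200, 8-day leases, activated immediately.
Add-DhcpServerv4Scope -Name 'kibria.local' -StartRange 192.168.0.160 -EndRange 192.168.0.200 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
# 170-180 are held back for static assignment.
Add-DhcpServerv4ExclusionRange -ScopeId 192.168.0.0 -StartRange 192.168.0.170 -EndRange 192.168.0.180
# Options handed to clients: router, DNS server and DNS suffix.
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -Router 192.168.0.1 -DnsServer 192.168.0.110 -DnsDomain 'kibria.local'

# Verify what was configured.
Get-DhcpServerv4Scope
Get-DhcpServerv4ExclusionRange -ScopeId 192.168.0.0
Get-DhcpServerv4OptionValue -ScopeId 192.168.0.0
Get-DhcpServerInDC
```

Get-DhcpServerInDC lists every authorised DHCP server in the domain; a server appearing there that nobody set up is worth investigating.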

{{{(>_<)}}}



Setting Up a Windows Active Directory Domain Services (AD DS) Server

1. Installing Active Directory Domain Services (AD DS)

Follow these steps to install Active Directory Domain Services (AD DS) on a
Windows Server:

1. Open Server Manager: From the Server Manager dashboard, click Manage.

2. Add Roles and Features:

o Select Add Roles and Features.

o In the Before You Begin screen, click Next.

3. Installation Type:

o Choose Role-based or feature-based installation.

o Click Next.

4. Server Selection:

o The current server's device name and IP address should be
automatically displayed.

o Confirm the correct server is selected and click Next.

5. Select Server Roles:

o Scroll down and select Active Directory Domain Services.

o A pop-up window will appear asking you to Add Features. Click
Add Features.

6. Optional: Add DNS Server:

o If you want to configure DNS as well, check the DNS Server box.

o Again, click Add Features in the pop-up window, then click Next.

7. Group Policy Management:

o Make sure Group Policy Management is selected under Features.

Setting up a Windows AD DS Server Page 1 of 3


o Click Next.

8. Proceed Through AD DS and DNS Setup:

o Click Next through the AD DS and DNS Server sections.

9. Confirmation:

o In the Confirmation window, check the option to Restart the
destination server automatically if required.

o Click Install.

10. Wait for Installation:

o Once the installation is complete, click Close.

2. Configuring the Active Directory Domain Services (AD DS)

Once AD DS is installed, follow these steps to configure it:

1. Open Notifications:

o After installation, click the Notifications icon (located at the top-
right corner, left of the Manage button).

o Click Promote this server to a domain controller.

2. Add a New Forest:

o In the Deployment Configuration window, select Add a new forest.

o For the Root domain name, enter kibria.local.

o Click Next.

3. Set Directory Services Restore Mode (DSRM) Password:

o Set a secure password for Directory Services Restore Mode
(DSRM).

o Click Next.

4. DNS Options:

o You may see a DNS delegation warning. This is expected if you
haven't configured DNS delegation. Click Next.


5. NetBIOS Domain Name:

o Verify that the NetBIOS domain name is set to kibria.

o Click Next.

6. Paths and Directories:

o You can leave the default paths for the database, log files, and
SYSVOL. Click Next.

7. Prerequisites Check:

o Wait for the prerequisites check to complete.

o Once you see the green checkmarks indicating success, click Install.

8. Auto-Restart:

o After installation, the server will automatically restart to complete
the domain controller configuration. This process may take some
time.

3. Completion

After the server restarts:

 Your server is now configured as an Active Directory Domain Controller for
the domain kibria.local.

 You can now manage users, computers, and other resources within your new
domain.

This documentation provides step-by-step instructions to easily install and configure
Active Directory Domain Services (AD DS) on a Windows Server, including DNS
setup if needed.
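An added example, not from the original document, of the same installation and promotion from PowerShell. The paths are the defaults the wizard offers; the NetBIOS name is derived from the domain name and shown in uppercase, which is how Windows stores it. The DSRM password is prompted for so that it never appears in the command history.

```powershell
# Added example: AD DS install and forest promotion from PowerShell.
# Assumptions: domain kibria.local, default paths, DNS installed on the same server.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools
Import-Module ADDSDeployment

$dsrm = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'

# The same checks the wizard runs before it shows the green checkmarks.
Test-ADDSForestInstallation -DomainName 'kibria.local' -SafeModeAdministratorPassword $dsrm

# Promote: new forest, DNS alongside, no delegation (the warning the wizard shows),
# reboot when finished.
Install-ADDSForest -DomainName 'kibria.local' -DomainNetbiosName 'KIBRIA' `
    -InstallDns -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm -Force

# After the restart, from an elevated prompt on the new DC:
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
Get-ADDomainController | Select-Object HostName, IPv4Address, IsGlobalCatalog
dcdiag /test:dns /v   # surfaces DNS problems behind the delegation warning
```

Keep the DSRM password somewhere controlled: it is the only way to log on to the DC if AD itself cannot start, and anyone holding it can read the directory database offline.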

༼ つ ◕_◕༽ つ



Configuring a Windows DNS Server Zone (Forward and Reverse Lookup)

1. Pre-requisites: Setting up DNS Server

Before configuring the DNS zones, ensure that the DNS server is installed. Follow
the steps in Documentation No. 3 to install and configure the DNS Server as part
of the Active Directory Domain Services (AD DS).

2. Verify DNS Configuration

1. Open Command Prompt:

o Type cmd in the search bar and open Command Prompt.

2. Test Forward Lookup:

o In Command Prompt, type: nslookup kibria.local

o You should see the IP address associated with kibria.local in the
response.

3. Test Reverse Lookup (if not configured yet):

o Now, type: nslookup <IP-address>

o Example: nslookup 192.168.0.110

o If reverse DNS is not configured yet, you'll see a message saying
Non-existent domain.

3. Configuring Reverse Lookup Zone

1. Open DNS Management:

o From Server Manager, click on Tools.

o Select DNS from the dropdown.

2. Create a Reverse Lookup Zone:

o In the DNS Manager window, expand your server-name (for
example, dcserver).

o Right-click on Reverse Lookup Zones and select New Zone.

Windows DNS Server Zone Page 1 of 4


3. New Zone Wizard:

o Click Next on the introduction screen.

o Select Primary Zone (to store the zone in AD DS).

o Click Next.

4. Replication Scope:

o Choose To all DNS servers running on domain controllers in this
domain.

o Click Next.

5. Select IP Version:

o Choose IPv4 Reverse Lookup Zone.

o Click Next.

6. Network ID:

o Enter the Network ID (first three octets of your IP address):
192.168.0

o Click Next.

7. Dynamic Updates:

o Select Allow only secure dynamic updates to enhance security.

o Click Next, then Finish.

4. Adding PTR (Pointer) Record for Reverse Lookup

1. Expand Reverse Lookup Zone:

o In DNS Manager, expand the Reverse Lookup Zones.

o Right-click on the newly created zone (192.168.0.x Subnet) and
select New Pointer (PTR).

2. Configure PTR Record:

o Click Browse.
o In the Browse window, navigate to your server-name > Forward
Lookup Zones > kibria.local.

o Select the corresponding device-name (Host A) for which you want
to create a PTR record.

o Click OK.

3. Confirm the IP Address:

o The IP address associated with the Host (A) record will be displayed.
Confirm this IP and click OK to create the PTR record.

5. Refresh DNS Server

Refresh DNS Server: In DNS Manager, right-click on your server-name
from the left panel and select Refresh.

6. Verifying the Configuration

1. Open Command Prompt Again:

o Open Command Prompt (cmd) once more.

2. Test Forward Lookup:

o Type: nslookup kibria.local

o You should see the IP address 192.168.0.110 returned for the domain
kibria.local.

3. Test Reverse Lookup:

o Type: nslookup 192.168.0.110

o You should now see kibria.local as the response, confirming that the
reverse lookup is working.

7. Completion

Your DNS server is now fully configured with both forward and reverse lookup
zones. You can use nslookup commands to test and verify both name resolution and
reverse DNS resolution.



This documentation provides clear steps for setting up DNS zones, allowing the
system to properly resolve domain names and IP addresses in both directions
(forward and reverse).
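An added example, not from the original document, creating the reverse lookup zone and PTR record from PowerShell with the same before-and-after checks the text does with nslookup. It assumes the domain controller at 192.168.0.110 has the host name dcserver.kibria.local; the PTR target is whichever Host (A) record you would pick in the Browse dialog.

```powershell
# Added example: reverse zone and PTR record from PowerShell.
# Assumption: the DC at 192.168.0.110 is dcserver.kibria.local.
Import-Module DnsServer

Resolve-DnsName -Name kibria.local -Type A                         # forward: 192.168.0.110
Resolve-DnsName -Name 192.168.0.110 -ErrorAction SilentlyContinue   # reverse: nothing yet

# AD-integrated reverse zone for 192.168.0.0/24, replicated to DCs in the domain,
# secure dynamic updates only: unauthenticated clients cannot rewrite PTRs.
Add-DnsServerPrimaryZone -NetworkId '192.168.0.0/24' -ReplicationScope Domain -DynamicUpdate Secure

# The zone name is the network octets reversed.
$zone = '0.168.192.in-addr.arpa'
Add-DnsServerResourceRecordPtr -ZoneName $zone -Name '110' -PtrDomainName 'dcserver.kibria.local'

Get-DnsServerResourceRecord -ZoneName $zone -RRType Ptr
Clear-DnsClientCache
Resolve-DnsName -Name 192.168.0.110                                 # now answers with the PTR target
```

"Allow only secure dynamic updates" is the setting worth keeping: with non-secure updates any host on the network could register or overwrite forward and reverse records for other machines.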

¯\_(ツ)_/¯



Creating and Deleting an Organizational Unit (OU) in Active Directory

1. Creating an Organizational Unit (OU)

To create an Organizational Unit (OU) in Active Directory, follow these steps:

1. Open Active Directory Users and Computers:
o From Server Manager, click Tools.
o Select Active Directory Users and Computers.
2. Navigate to the Domain:
o In the left panel, expand your domain (e.g., kibria.local).
3. Create a New Organizational Unit:
o Right-click on the domain name (e.g., kibria.local).
o Select New > Organizational Unit.
4. Name the Organizational Unit:
o In the New Object - Organizational Unit window, give the OU a name
(e.g., Test OU).
o Check the box for Protect container from accidental deletion.
o Click OK.
5. Verify the New OU:
o You should now see the newly created OU (Test OU) listed under your
domain in the left panel.
6. Add a Description (Optional):
o Right-click on the Test OU.
o Select Properties.
o In the Description field, add a description if needed.
o Click OK.

Creating an OU Page 1 of 2
2. Deleting an Organizational Unit (OU)

To delete an OU in Active Directory, follow these steps:

1. Enable Advanced Features:
o In Active Directory Users and Computers, click View from the top
navigation bar.
o Select Advanced Features to enable it.
2. Prepare OU for Deletion:
o Right-click on the OU you wish to delete (e.g., Test OU).
o Select Properties.
o Go to the Object tab.
o Uncheck Protect object from accidental deletion.
o Click Apply, then OK.
3. Disable Advanced Features:
o To turn off the advanced features, go back to the View menu and
uncheck Advanced Features.
4. Delete the OU:
o Right-click on the OU (e.g., Test OU).
o Select Delete.
o Confirm the deletion by clicking Yes.

3. Completion

Your Organizational Unit (OU) has now been successfully created and deleted.

This documentation outlines the simple steps to create and delete OUs in Active
Directory, providing clear instructions for protecting against accidental deletion and
managing features.

¯ \_(ツ)_/¯

Creating a User Account with Active Directory (AD)

1. Creating Organizational Units (OUs)

Step 1: Create the Primary Organizational Unit (OU)

1. Open Active Directory Users and Computers:
o From Server Manager, click on Tools.
o Select Active Directory Users and Computers.
2. Create the Primary OU:
o In the left panel, expand your domain (e.g., kibria.local).
o Right-click on the domain name (kibria.local).
o Select New > Organizational Unit.
3. Name the OU:
o Enter a name for the Organizational Unit (e.g., Test OU).
o Check the box for Protect container from accidental deletion.
o Click OK.

Step 2: Create Sub-OUs for Domain Users and Domain Computers

1. Create a Sub-OU for Domain Users:
o Right-click on the Test OU (created in the previous step).
o Select New > Organizational Unit.
o Name this OU Domain Users.
o Ensure that the Protect container from accidental deletion option is
checked.
o Click OK.
2. Create a Sub-OU for Domain Computers:
o Right-click on the Test OU again.
o Select New > Organizational Unit.
o Name this OU Domain Computers.
o Ensure that the Protect container from accidental deletion option is
checked.
o Click OK.

Creating a User Account with AD Page 1 of 2


2. Creating a User Account

1. Open the Domain Users OU:
o In Active Directory Users and Computers, expand the Test OU.
o Right-click on the Domain Users OU.
o Select New > User.
2. Enter User Information:
o In the New Object - User window, enter the following details:
 First Name: Enter the user's first name.
 Last Name: Enter the user's last name.
 User Logon Name: Choose a unique logon name for the user (e.g.,
john.doe). Click Next.
3. Create a Password:
o Enter a secure password for the user.
o Uncheck all four checkboxes under the password field:
 User must change password at next logon.
 User cannot change password.
 Password never expires.
 Account is disabled.
o Click Next.
4. Finish User Creation:
o Review the details in the final screen.
o Click Finish to create the user account.

3. Completion

The user account has now been successfully created under the Domain Users OU. You
can manage this account or create additional users as needed.
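An added example, not from the original document, that covers this document and the previous one (creating and deleting an OU): it builds the protected Test OU tree, creates the user in the Domain Users sub-OU, and finally shows the protected-OU deletion. It assumes the domain kibria.local and uses the names Test OU, Domain Users, Domain Computers and john.doe from the text. The initial password is prompted for rather than written into the script.

```powershell
# Added example: OU tree, user and protected-OU deletion from PowerShell.
# Assumptions: domain kibria.local; names as used in the walkthrough.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName          # DC=kibria,DC=local
$testOu   = "OU=Test OU,$domainDn"

# 1. OUs, each protected from accidental deletion (the checkbox in the wizard).
New-ADOrganizationalUnit -Name 'Test OU' -Path $domainDn -ProtectedFromAccidentalDeletion $true
foreach ($name in 'Domain Users', 'Domain Computers') {
    New-ADOrganizationalUnit -Name $name -Path $testOu -ProtectedFromAccidentalDeletion $true
}
Set-ADOrganizationalUnit -Identity $testOu -Description 'Lab OU from the walkthrough'

# 2. The user, created directly in the Domain Users sub-OU.
$pw = Read-Host -AsSecureString 'Initial password for john.doe'
New-ADUser -Name 'John Doe' -GivenName 'John' -Surname 'Doe' `
    -SamAccountName 'john.doe' -UserPrincipalName 'john.doe@kibria.local' `
    -Path "OU=Domain Users,$testOu" -AccountPassword $pw -Enabled $true `
    -ChangePasswordAtLogon $true -CannotChangePassword $false -PasswordNeverExpires $false
Get-ADUser -Identity 'john.doe' -Properties PasswordLastSet, PasswordNeverExpires |
    Format-List Name, DistinguishedName, Enabled, PasswordLastSet, PasswordNeverExpires

# 3. Deleting a protected OU: clear the flag on the OU and everything below it
#    (the Object tab step in the previous document), then remove the subtree.
Get-ADOrganizationalUnit -SearchBase $testOu -Filter * |
    Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $testOu -Recursive -Confirm:$false
```

The walkthrough unchecks all four password boxes; the example keeps the user enabled and able to change the password but sets -ChangePasswordAtLogon to $true, so the password the administrator typed is used exactly once. Step 3 is deliberately explicit: the protection flag is the only thing standing between a mis-click and the loss of a whole OU, so the flag is cleared object by object right before the delete and not left off.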

This documentation provides step-by-step instructions for creating an Organizational
Unit (OU) and a new user account in Active Directory. It ensures users are created in
the proper OU structure while preventing accidental deletion.

¯\_(ツ)_/¯



Searching for Objects in Active Directory (AD)

This guide explains how to search for objects like users and computers within Active
Directory (AD) and use advanced search features, including wildcard searches.

1. Basic Search for Objects in Active Directory

Step 1: Open Active Directory Users and Computers

1. From Server Manager, click Tools.
2. Select Active Directory Users and Computers.

Step 2: Search for an Object

1. In Active Directory Users and Computers, navigate to the Organizational
Unit (OU) you created in the previous documentation (e.g., Test OU).
2. Right-click on the OU name and select Find.

Step 3: Find the Object

1. In the Find dialog box:
o Under Find, choose the desired object type (e.g., Users, Groups,
Computers, etc.) from the dropdown menu.
o Under In, choose the domain name (e.g., kibria.local) or the specific
OU you want to search within.
o Type the object name (e.g., username or computer name).
2. Click Find Now to see the search results.

Searching for Objects in AD Page 1 of 3


2. Advanced Search for Object Location

By default, the search results will not display the full path of the object in the AD
structure. To find where the object is located:

Step 1: Enable Advanced Features

1. In Active Directory Users and Computers, click View from the top
navigation bar.
2. Select Advanced Features to enable it.

Step 2: Search Using Advanced Features

1. Click the Search icon located below the View text (located in the second row
under the File menu).
2. Type the object name you want to find (e.g., username or computer name) and
click Find Now.
3. Right-click the desired object from the search results and select Properties.
4. In the Properties window, go to the Object tab.
5. Here, you can view the Object Path showing the exact location of the user,
group, or computer within the AD structure.

3. Using Wildcard Search in Active Directory

Wildcard search allows you to search for objects using partial names.

Step 1: Search for Computers Using Wildcards

1. In Active Directory Users and Computers, click the Find button (located in
the second row under the File menu).
2. Under Find, select Computers from the dropdown.
3. Under In, select your domain (e.g., kibria.local).
4. In the Computer Name field, type a wildcard search term. For example:
o *WS* (This will search for all computer names containing the letters
"WS" anywhere in the name).
5. Click Find Now to see the results.



Step 2: Moving the Computer to a Different OU

1. In the search results, right-click the desired computer name.
2. Select Move.
3. In the Move dialog, expand the OU you created in the previous documentation
(e.g., Test OU) and select the Domain Computers OU.
4. Click OK.

Step 3: Verify the Move

1. Navigate to the Domain Computers OU under Test OU.
2. Press F5 to refresh the view.
3. You should now see the computer name listed under Domain Computers,
confirming the move was successful.

Completion

This documentation outlines the steps to search for objects, find their location, and use
wildcard searches within Active Directory. It provides a clear guide for both basic and
advanced search features and object management.
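An added example, not from the original document, of the same searches and the move from PowerShell, which is also how the same operation is scripted for many objects at once. It assumes the Test OU tree from the earlier documents exists and uses the *WS* pattern from the text.

```powershell
# Added example: search, locate and move AD objects from PowerShell.
# Assumptions: Test OU tree exists in kibria.local; john.doe from the earlier document.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName        # DC=kibria,DC=local

# Basic search limited to one OU (the Find dialog with "In" set to Test OU).
Get-ADObject -SearchBase "OU=Test OU,$domainDn" -Filter { Name -like 'john*' } |
    Select-Object Name, ObjectClass, DistinguishedName

# Object location without the Advanced Features toggle: the DN is the path.
(Get-ADUser -Identity 'john.doe').DistinguishedName

# Wildcard search for computers anywhere in the domain.
$hits = Get-ADComputer -Filter { Name -like '*WS*' } -Properties Description, OperatingSystem
$hits | Select-Object Name, DNSHostName, OperatingSystem, DistinguishedName

# Move the matches into Test OU\Domain Computers. -WhatIf shows the plan first.
$target = "OU=Domain Computers,OU=Test OU,$domainDn"
$hits | Move-ADObject -TargetPath $target -WhatIf
$hits | Move-ADObject -TargetPath $target

# Verify (the F5 refresh step).
Get-ADComputer -SearchBase $target -Filter * | Select-Object Name, DistinguishedName
```

Moving a computer changes which GPOs apply to it at the next refresh, so the -WhatIf line is worth keeping: a too-broad wildcard can relocate machines you did not intend to touch.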

¯ \_(ツ)_/¯



Resetting a User Password and Unlocking Accounts in Active Directory (AD)

This guide explains how to reset a user password and unlock a user account within
Active Directory (AD).

1. Resetting a User Password in Active Directory

Step 1: Open Active Directory Users and Computers

1. From Server Manager, click Tools.
2. Select Active Directory Users and Computers.

Step 2: Find the User Account

1. In the Active Directory Users and Computers window, click the Find
Objects icon located in the second row (search icon).
2. Enter the name of the user who lost their password in the search field.
3. Click Find Now to search for the user.

Step 3: Verify the User

1. In the search results, right-click the user’s name and select Properties.
2. Go to the Account tab.
3. Verify the user’s name to ensure the correct account is selected.
4. Click Cancel to exit.

Step 4: Reset the Password

1. Right-click the user’s name again and select Reset Password.
2. In the dialog box, enter a new password for the user.
3. Click OK to confirm the password reset.

2. Unlocking a User Account in Active Directory

If the user account is locked and a password reset is not required, you can unlock the
account using the following steps:

Step 1: Open Active Directory Users and Computers

1. From Server Manager, click Tools.
2. Select Active Directory Users and Computers.

Step 2: Find the Locked User Account

1. In the Active Directory Users and Computers window, click the Find
Objects icon located in the second row (search icon).
2. Enter the name of the locked user in the search field.
3. Click Find Now to search for the user.

Step 3: Unlock the User Account

1. In the search results, right-click the user’s name and select Properties.
2. Go to the Account tab.
3. Check the box labeled Unlock Account (this option is only visible if the
account is locked).
4. Click Apply, then click OK.
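The reset-and-unlock procedure above as a PowerShell function that keeps the "verify the user" step in front of the change, plus a query for every account that is currently locked out. This is an added example, not code from the guide; it assumes the ActiveDirectory module and that the help desk has already confirmed the caller's identity out of band.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Reset-UserPasswordSafely {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ExpectedDisplayName   # the name the help desk verified
    )
    # Step 3 of the guide ("verify the user") before touching anything: refuse to act if the
    # account name resolves to someone other than the person who was verified.
    $user = Get-ADUser -Identity $SamAccountName -Properties DisplayName, LockedOut
    if ($user.DisplayName -ne $ExpectedDisplayName) {
        throw "Refusing to reset: '$SamAccountName' is '$($user.DisplayName)', not '$ExpectedDisplayName'."
    }

    # Read the new password as a SecureString so it never appears in the console history.
    $newPassword = Read-Host -Prompt "New password for $SamAccountName" -AsSecureString

    # -Reset is an administrative reset (no old password needed), like ADUC's Reset Password.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword
    # Make the user pick their own password at next logon, so the temporary one is short-lived.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # The "Unlock account" checkbox; only needed when the account is actually locked.
    if ($user.LockedOut) { Unlock-ADAccount -Identity $SamAccountName }

    Get-ADUser -Identity $SamAccountName -Properties LockedOut, PasswordLastSet |
        Select-Object SamAccountName, LockedOut, PasswordLastSet
}

# Every currently locked-out user account. Checking this list regularly makes repeated
# lockouts on one account visible instead of being cleared one ticket at a time.
function Get-LockedOutUsers {
    Search-ADAccount -LockedOut -UsersOnly |
        Select-Object SamAccountName, LastLogonDate, LockedOut
}

# Usage (constructed names):
# Reset-UserPasswordSafely -SamAccountName 'kibria' -ExpectedDisplayName 'Golam Kibria'
# Get-LockedOutUsers
```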

Completion: This documentation provides step-by-step instructions for resetting a
user password and unlocking a user account in Active Directory. It ensures that anyone
can easily follow these steps for user account management in AD.

¯\_(ツ)_/¯

Understanding Groups and Memberships in Active Directory (AD)

This guide covers how to create a new security group, add members to the group, and
manage group memberships in Active Directory (AD). It also explains the difference
between the Members and Member Of tabs.

1. Creating a New Security Group in Active Directory

Step 1: Open Active Directory Users and Computers

1. From Server Manager, click Tools.
2. Select Active Directory Users and Computers.

Step 2: Navigate to the Domain Users OU

1. In the Active Directory Users and Computers window, expand the domain
name (e.g., kibria.local).
2. Expand the OU (Organizational Unit) we created earlier (e.g., instructorpaul).

Step 3: Create a New Security Group

1. Right-click the Domain Users OU.
2. Select New, then click Group.
3. Enter the Group Name (e.g., Sales).
4. Under Group Scope, select Global.
5. Under Group Type, select Security.
6. Click OK.

Step 4: Configure Group Properties

1. Right-click the newly created Sales group.
2. Select Properties.
3. Add a Description if needed, then click OK.

2. Adding Members to the Security Group

Step 1: Open the Members Tab

1. Right-click the Sales group and select Properties.
2. Go to the Members tab.
3. Click Add to add members to the group.

Step 2: Add Users as Group Members

1. In the Enter the object names to select field, type the name of the user you
want to add (this user was created in the previous documentation).
2. Click Check Names to ensure the correct user is selected.
3. Click OK. The user will now be listed as a member of the Sales group.
4. Click OK to confirm.

Step 3: Verify Group Membership

1. Right-click the user name.
2. Select Properties.
3. Go to the Member Of tab.
4. You will see that the user is now part of the Sales group.

3. Deleting a Group

If you want to delete the group, follow these steps:

1. Right-click the Sales group.
2. Select Delete.
3. Confirm the deletion by clicking Yes.

4. Understanding the Difference Between the Members and Member Of
Tabs

 Members Tab: This tab is used to add individual members (users, computers)
directly to the group. It shows all the users who are part of this specific group.
 Member Of Tab: This tab shows which groups a particular user (or group)
belongs to. You can also add the group itself as a member of another group here.
For example, if you want the Sales group members to also be members of the
Customer Service group, you can:
1. Open the Sales group properties.
2. Go to the Member Of tab.
3. Click Add, and type the name of the Customer Service group.
4. Click Check Names, and click OK. Now, the Sales group will also be
part of the Customer Service group.
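The group creation, membership and nesting from this section in PowerShell, with the two queries that correspond to the Members and Member Of tabs, plus the one thing neither tab shows directly: effective membership through nesting. This is an added example, not from the guide; it assumes the ActiveDirectory module, a user kibria, and the OU names used above.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory module,
# the Domain Users OU under instructorpaul in kibria.local, and an existing user "kibria".
Import-Module ActiveDirectory

$groupOu = 'OU=Domain Users,OU=instructorpaul,DC=kibria,DC=local'   # assumed DN
$user    = 'kibria'

# Step 3 of the guide: Global scope, Security type. Idempotent so it can be re-run.
$groups = @{ 'Sales' = 'Sales'; 'Customer Service' = 'CustomerService' }   # name -> sAMAccountName
foreach ($name in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $groupOu)) {
        New-ADGroup -Name $name -SamAccountName $groups[$name] -GroupScope Global `
            -GroupCategory Security -Path $groupOu -Description "$name staff"
    }
}

# Members tab, "Add": a user into Sales, then Sales itself into Customer Service (nesting).
Add-ADGroupMember -Identity 'Sales'           -Members $user
Add-ADGroupMember -Identity 'CustomerService' -Members 'Sales'

# Members tab == direct members of the group (the nested group appears as one entry) ...
Get-ADGroupMember -Identity 'CustomerService' | Select-Object Name, objectClass
# ... and -Recursive expands nested groups down to the users they contain.
Get-ADGroupMember -Identity 'CustomerService' -Recursive | Select-Object Name, objectClass

# Member Of tab == the groups the user is *directly* in. Customer Service is NOT listed here,
# even though the user is effectively a member of it through Sales.
Get-ADPrincipalGroupMembership -Identity $user | Select-Object Name

# Effective membership, including nesting, via the LDAP_MATCHING_RULE_IN_CHAIN matching
# rule. This is the query to run when reviewing what a user can actually reach.
$userDn = (Get-ADUser -Identity $user).DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" | Select-Object Name

# Section 3 of the guide, deleting a group (-Confirm:$false skips the "Yes" prompt):
# Remove-ADGroup -Identity 'Sales' -Confirm:$false
```

The in-chain query follows every nesting level, so it also reveals privileged groups reached indirectly that the Member Of tab would never show.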

Completion

This documentation explains how to create and manage security groups, add members
to groups, and understand group membership within Active Directory, ensuring an
easy-to-follow process for anyone managing AD groups.

¯\_(ツ)_/¯

Disabling and Deleting User Accounts in Active Directory (AD)

This guide provides step-by-step instructions for creating an Organizational Unit (OU)
for disabled user accounts, how to disable user accounts, and how to re-enable and
move them back to their original OU in Active Directory (AD).

1. Creating a New Organizational Unit (OU) for Disabled Users

Step 1: Open Active Directory Users and Computers

1. From Server Manager, click Tools.
2. Select Active Directory Users and Computers.

Step 2: Navigate to the Existing OU

1. In the Active Directory Users and Computers window, expand the domain
name (e.g., kibria.local).
2. Expand the OU that you created earlier (e.g., InstructorPaul).
3. Right-click the OU name that contains Domain Computers and Domain Users
OUs.

Step 3: Create a New Organizational Unit for Disabled Users

1. Right-click the OU (e.g., InstructorPaul), then select New > Organizational Unit.
2. Name the new OU: Disabled Users.
3. Click OK. You will now see a new OU called Disabled Users under the
selected OU.

2. Disabling a User Account

Step 1: Disable the User Account

1. Click on the Domain Users OU (the one containing your users).
2. In the right-hand panel, you will see the list of users.
3. Right-click the user you want to disable.
4. Select Disable Account.

5. Click OK to confirm.

Step 2: Move the Disabled User to the Disabled Users OU

1. Select the disabled user account by clicking on it.
2. Drag and drop the user account into the Disabled Users OU.
3. A confirmation pop-up window will appear. Click Yes.
4. The disabled user account will now be listed under the Disabled Users OU.

3. Enabling a Disabled User Account

Step 1: Re-enable the User Account

1. Navigate to the Disabled Users OU.
2. Right-click the disabled user account.
3. Select Enable Account.
4. A pop-up window will appear to confirm the action. Click Yes.

Step 2: Move the User Back to the Original OU

1. After enabling the account, drag and drop the user account from the Disabled
Users OU back to the Domain Users OU (or whichever OU the user originally
belonged to).
2. Press F5 to refresh, and you should now see the user back in the Domain Users
OU.
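The disable-and-park and re-enable-and-restore procedures above as two PowerShell functions. The guide relies on remembering which OU the user came from; this added example (not from the guide) records the original OU on the account so the restore step can find it. It assumes the ActiveDirectory module and the Disabled Users OU created in Step 3.

```powershell
# Added example (not from the original guide). Assumes the ActiveDirectory module and
# the Disabled Users OU created under InstructorPaul.
Import-Module ActiveDirectory

$disabledOu = 'OU=Disabled Users,OU=InstructorPaul,DC=kibria,DC=local'   # assumed DN

function Disable-AndParkUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties Description
    # The parent OU is everything after the first comma of the DN. (Good enough here;
    # an escaped comma inside the CN, e.g. "Hill\, Paul", would need a real DN parser.)
    $originalOu = ($user.DistinguishedName -split ',', 2)[1]

    # Leave an audit trail in a field that is visible in ADUC: when, and where it came from.
    $note = 'Disabled {0:yyyy-MM-dd}; was in {1}' -f (Get-Date), $originalOu
    Set-ADUser -Identity $user -Description $note

    Disable-ADAccount -Identity $user                              # "Disable Account"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $disabledOu   # drag and drop
}

function Enable-AndRestoreUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties Description
    if ($user.Description -match 'was in (?<ou>.+)$') {
        $originalOu = $Matches['ou']
    } else {
        throw "No original OU recorded on $SamAccountName; move it back by hand."
    }
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$originalOu'")) {
        throw "Original OU '$originalOu' no longer exists; move it back by hand."
    }

    Enable-ADAccount -Identity $user                               # "Enable Account"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $originalOu
    Set-ADUser -Identity $SamAccountName -Clear Description        # remove the parking note
}

# Anything sitting in Disabled Users that is still enabled is a mistake worth catching:
function Get-EnabledUsersInDisabledOu {
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $disabledOu |
        Select-Object SamAccountName, DistinguishedName
}

# Usage (constructed names):
# Disable-AndParkUser -SamAccountName 'kibria'
# Enable-AndRestoreUser -SamAccountName 'kibria'
```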

Completion

This documentation provides clear steps on how to disable, move, re-enable, and
relocate user accounts within Active Directory. It is useful for managing inactive or
disabled users while ensuring they can be re-enabled and placed back into their correct
OU when necessary.

¯\_(ツ)_/¯

Creating and Linking Group Policy Objects (GPO) in Active
Directory (AD)

This documentation explains how to create, link, and delete Group Policy Objects
(GPOs) in Active Directory using two methods. It also includes a scenario where we
apply the GPO to domain users and computers.

Method 1: Creating and Linking GPO Directly from Domain

Step 1: Open Group Policy Management

1. From Server Manager, click Tools.
2. Select Group Policy Management.

Step 2: Navigate to Domain

1. In the Group Policy Management window, expand your domain (e.g., kibria.local).
2. Continue expanding by clicking Domains > inspaul.com (example domain).

Step 3: Create and Link a GPO

1. Right-click the domain name (e.g., inspaul.com).
2. Select Create a GPO in this domain, and Link it here.
3. In the pop-up window, name the GPO (e.g., TestGPO).
4. Leave the Source Starter GPO field as None, then click OK.
5. You will now see TestGPO under the domain name.

Step 4: Delete the GPO Link

1. Right-click TestGPO under the domain name.
2. Select Delete. Confirm the action by clicking Yes on the pop-up.
3. Note: This only deletes the link to the GPO, not the GPO itself.

Step 5: Permanently Delete the GPO

1. In the Group Policy Objects section (found under the domain), expand it to see
the TestGPO.
2. Right-click TestGPO and select Delete.

3. Confirm the deletion by clicking Yes in the pop-up window. This will
permanently delete the GPO.

Method 2: Creating a GPO and Linking it Manually

Step 1: Create a GPO Without Linking

1. In the Group Policy Management window, right-click Group Policy Objects.
2. Select New.
3. Name the GPO (e.g., TestGPO) and leave Source Starter GPO as None.
4. Click OK to create the GPO.

Step 2: Link an Existing GPO to the Domain

1. In the Domains section, right-click inspaul.com (or your domain name).
2. Select Link an Existing GPO.
3. In the pop-up window, select TestGPO from the Group Policy Object list.
4. Click OK.

Step 3: Delete the GPO Link

1. Under the Default Domain Policy, right-click TestGPO.
2. Select Delete to remove the link.
3. Click OK to confirm.

Scenario: Applying GPO to Domain Users and Computers

In this scenario, we apply TestGPO to the Domain Users and Domain Computers
Organizational Units (OUs).

Step 1: Expand Domain and OUs

1. In the Group Policy Management window, expand Domain Controllers.
2. Expand the OUs (e.g., Inspaul) to see the sub-OUs: Users, Computers, and
Disabled Users.

Step 2: Link GPO to Domain Computers

1. Right-click the Domain Computers OU.
2. Select Link an Existing GPO.
3. Choose TestGPO from the list and click OK.

Step 3: Link GPO to Domain Users

1. Right-click the Domain Users OU.
2. Select Link an Existing GPO.
3. Choose TestGPO and click OK.

Exploring GPO Settings

After creating and linking the GPO, you can explore its settings to understand its
behavior:

1. Select the TestGPO under the domain or OU.
2. Explore tabs like Scope, Details, Settings, and Delegation to view its
configurations and permissions.
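Method 2 and the scenario above in PowerShell, including the distinction the guide makes between deleting a link and deleting the GPO itself. This is an added example, not from the guide; it assumes the GroupPolicy RSAT module and the OU distinguished names under an Inspaul OU in kibria.local.

```powershell
# Added example (not from the original guide). Assumes the GroupPolicy RSAT module.
Import-Module GroupPolicy

$gpoName     = 'TestGPO'
$domainDn    = 'DC=kibria,DC=local'
$computersOu = 'OU=Domain Computers,OU=Inspaul,DC=kibria,DC=local'   # assumed DNs
$usersOu     = 'OU=Domain Users,OU=Inspaul,DC=kibria,DC=local'

# Method 2, Step 1: create the GPO without linking it. It lives only in Group Policy Objects.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Lab policy; created by script' | Out-Null
}

# Scenario: "Link an Existing GPO" on both OUs. (Method 1, create-and-link in one go, would be
# New-GPO -Name $gpoName | New-GPLink -Target $domainDn.)
New-GPLink -Name $gpoName -Target $computersOu -LinkEnabled Yes | Out-Null
New-GPLink -Name $gpoName -Target $usersOu     -LinkEnabled Yes | Out-Null

# The Scope tab: what is linked at this OU, and what it inherits from above.
$scope = Get-GPInheritance -Target $usersOu
$scope.GpoLinks          | Select-Object DisplayName, Enabled, Enforced, Order
$scope.InheritedGpoLinks | Select-Object DisplayName, Enforced, Target

# The Settings tab as a file you can diff or keep with a change ticket.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"

# Step 3 / Step 4: removing a LINK only. The GPO still exists and stays linked elsewhere.
Remove-GPLink -Name $gpoName -Target $usersOu | Out-Null
Get-GPO -Name $gpoName | Select-Object DisplayName, Id, GpoStatus       # still present

# Step 5: permanently deleting the GPO removes it and every remaining link to it.
# Remove-GPO -Name $gpoName -Confirm:$false
```

Check `InheritedGpoLinks` before unlinking on a production OU: a link removed here may have been the only thing applying a security baseline to those objects.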

Conclusion

This documentation provides a clear step-by-step guide for creating, linking, and
managing Group Policy Objects (GPOs) in Active Directory. By following these
instructions, you can easily apply policies to different OUs and manage your domain
efficiently.

¯\_(ツ)_/¯

Editing Group Policy Objects (GPOs) in Active Directory (AD)

This documentation explains how to edit a Group Policy Object (GPO) and modify
specific settings, such as disabling certain security policies. The instructions use a
practical example involving disabling the "Prevent local guests group from accessing
application log" policy.

Step-by-Step Guide: Editing a GPO

Step 1: Open Group Policy Management

1. From Server Manager, click Tools.
2. Select Group Policy Management.

Step 2: Navigate to the GPO to Edit

1. In the Group Policy Management window, expand the Forest (e.g., kibria.local).
2. Continue expanding the following:
o Domains
o Your domain name (e.g., inspaul.com)
o Expand the OU where the GPO is applied (e.g., inspaul OU).
o Expand the Domain Users sub-OU.
3. Right-click the TestGPO under the Domain Users OU.
4. Select Edit.

Step 3: Modify Computer Configuration Policies

1. In the Group Policy Management Editor window, expand the following:
o Computer Configuration
o Policies
o Windows Settings
o Security Settings
o Local Policies
2. Click on Event Log under Local Policies.

Step 4: Disable Specific Security Setting

1. Right-click on Prevent local guests group from accessing application log.
2. Select Properties.
3. In the Security Policy Setting tab, click Disable.
4. Click OK to save your changes.

Step 5: Verify the Policy Change

1. Minimize the Group Policy Management Editor window.
2. In the Group Policy Management window, find the TestGPO under your
domain.
3. Select TestGPO and go to the Settings tab.
4. If needed, refresh the Settings tab to apply the changes.
5. Expand the policy settings and verify that the log option is set to Disabled
under the modified policy.

Conclusion

This documentation provides a clear step-by-step guide for editing Group Policy
Objects (GPOs) in Active Directory. By following these instructions, you can modify
specific policies, such as security settings, and ensure the changes are reflected
properly in your domain’s policy settings.

¯\_(ツ)_/¯

Creating and Configuring a Non-Inheriting Organizational Unit
(OU) in Active Directory

This documentation provides step-by-step instructions on creating a non-inheriting OU,
applying Group Policy Objects (GPOs), and verifying the policy application.

Step 1: Create a Non-Inheriting Organizational Unit (OU)

1. Open Active Directory Users and Computers
o From Server Manager, click Tools.
o Select Active Directory Users and Computers.
2. Expand the Domain
o In the Active Directory Users and Computers window, expand
kibria.local.
3. Create a New OU
o Right-click the Test OU (or the OU where you want to create a new
one).
o Select New > Organizational Unit.
o Enter a name for the OU (Non Inheriting).
o Check the Protect container from accidental deletion box.
o Click OK.
4. Move User into Non-Inheriting OU
o Click Users at the bottom of the pane.
o Drag the user named Administrator (or any other user) into the newly
created Non Inheriting OU.
o Click Yes in the pop-up confirmation window.

Step 2: Edit Group Policy Settings

1. Open Group Policy Management
o From Server Manager, click Tools.
o Select Group Policy Management.
2. Edit Default Domain Policy
o Expand the following in Group Policy Management:
 Forest
 Domains

 kibria.local
 Test OU (or the OU where the policy is applied)
o Right-click Default Domain Policy.
o Select Edit.
3. Configure Policy Settings
o In the Group Policy Management Editor, navigate to:
 User Configuration
 Policies
 Administrative Templates
 Desktop
o Double-click Disable Active Desktop.
o Select Enable.
o Click Apply, then OK.
o Close the Group Policy Management Editor.
4. Update Group Policy
o Open Command Prompt.
o Run: gpupdate to update the policy.
o Run: gpresult /r to verify the applied policies.
5. Create and Configure a New GPO
o In the Group Policy Management window, right-click the Non
Inheriting OU.
o Select Create a GPO in this domain, and Link it here.
o Name the GPO TestGPO.
o Click OK.
6. Edit the New GPO
o Right-click the TestGPO.
o Select Edit.
o In the Group Policy Management Editor, navigate to:
 User Configuration
 Preferences
 Windows Settings
 Folders
o Right-click Folders (at the white part of right side).
o Select New > Folder.
o Set the Action to Update.
o Enter the Path as C:\TestFolder.
o Click Apply, then OK.
7. Force Policy Update
o Open Command Prompt.

o Run: gpupdate /force to enforce the policy update.
o Run: gpresult /r to verify the updated policies.
8. Block Inheritance
o In the Group Policy Management window, right-click the Non
Inheriting OU.
o Select Block Inheritance.

Step 3: Verify and Clean Up

1. Verify Non-Inheritance
o Open Active Directory Users and Computers.
o Check the Non Inheriting OU.
o Ensure that the Administrator or any moved user does not show any
inheritance errors or issues.
2. Restore Active Desktop Setting
o Return to Group Policy Management.
o Edit the TestGPO.
o Navigate to User Configuration > Policies > Administrative
Templates > Desktop.
o Set Disable Active Desktop to Not Configured.
o Click Apply, then OK.
3. Move User Back
o In Active Directory Users and Computers, locate the Non Inheriting
OU.
o Drag and drop the Administrator user (or any other user) into the Users
container at the bottom-left side.
o Click Yes in the pop-up confirmation window.
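Steps 5 through 8 and the verification in PowerShell: create and link the GPO on the OU, block inheritance, and then show exactly which policies still reach the OU afterwards (only enforced links survive blocking). The last function is the check an auditor wants: every OU in the domain that blocks inheritance, and what still applies there. This is an added example, not from the guide; it assumes the GroupPolicy and ActiveDirectory RSAT modules and the Non Inheriting OU under Test OU.

```powershell
# Added example (not from the original guide). Assumes the GroupPolicy and ActiveDirectory
# RSAT modules and the OU names used in the guide.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou      = 'OU=Non Inheriting,OU=Test OU,DC=kibria,DC=local'   # assumed DN
$gpoName = 'TestGPO'

# Step 5: "Create a GPO in this domain, and Link it here" on the Non Inheriting OU.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $ou -LinkEnabled Yes | Out-Null
}

# Before blocking: everything the OU inherits from the domain and parent OUs.
$before = Get-GPInheritance -Target $ou
'Inherited before blocking:'
$before.InheritedGpoLinks | Select-Object DisplayName, Enforced, Target

# Step 8: Block Inheritance.
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null

# After blocking, InheritedGpoLinks contains only links that are Enforced higher up;
# every non-enforced domain-level policy (including Default Domain Policy, unless it is
# enforced) has stopped applying to objects in this OU.
$after = Get-GPInheritance -Target $ou
"GpoInheritanceBlocked: $($after.GpoInheritanceBlocked)"
'Still applied after blocking (enforced links only):'
$after.InheritedGpoLinks | Select-Object DisplayName, Enforced, Target

# What the client will actually compute; run on the machine/user being tested:
#   gpupdate /force
#   gpresult /r
#   gpresult /h "$env:TEMP\gpresult.html"   (full report, same content as the GUI Settings tab)

# Domain-wide check: every OU that blocks inheritance, and what still reaches it. A blocked
# OU with no enforced baseline listed is an OU whose objects got no security policy at all.
function Get-OusBlockingInheritance {
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $inh = Get-GPInheritance -Target $_.DistinguishedName
        if ($inh.GpoInheritanceBlocked) {
            [pscustomobject]@{
                OU           = $_.DistinguishedName
                StillApplied = ($inh.InheritedGpoLinks.DisplayName -join ', ')
            }
        }
    }
}
Get-OusBlockingInheritance | Format-Table -AutoSize

# Clean-up counterpart of Step 3: Set-GPInheritance -Target $ou -IsBlocked No
```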

Conclusion: This documentation outlines the process for creating and configuring a
non-inheriting Organizational Unit (OU) in Active Directory, including setting up and
managing Group Policy Objects (GPOs). By following these steps, you can effectively
manage user policies and settings in your domain.

¯\_(ツ)_/¯

Deploying a Desktop Background via Group Policy

This guide explains how to deploy a desktop background for users across multiple
PCs within the same network by sharing the image and applying the configuration
using Group Policy.

Step 1: Set Up the Desktop Background Image on the Server

1. Create a Folder for the Background Image

o On the C: drive of the server or admin PC, create a folder named Desktop Background.

o Paste the desired background image (e.g., bg.jpg) into this folder.

2. Share the Folder on the Network

o Right-click the Desktop Background folder.

o Click Properties > go to the Sharing tab.

o Click Advanced Sharing.

o Check the box for Share this folder.

o Click Permissions.

 Remove any existing permissions.

 Click Add.

 In the field that appears, type Authenticated Users.

 Click Check Names > OK.

 Ensure that Authenticated Users have Read permission.

o Click Apply > OK.

o In the Advanced Sharing window, click Apply > OK.

o Close the properties window.

Now the folder is shared, and other PCs on the same network can access it.

Step 2: Verify the Folder Access from Another PC
1. Access the Shared Folder from Another PC

o Go to another PC on the same network.

o Open File Explorer.

o In the address bar, type \\IPDC01 (where IPDC01 is the name or IP address of the server/PC hosting the shared folder).

o Press Enter.

o You should see the Desktop Background folder displayed in the File
Explorer under the Network section.

Step 3: Create and Configure the Group Policy Object (GPO)

1. Open Group Policy Management

o From Server Manager, click Tools.

o Select Group Policy Management.

2. Create a New GPO for Desktop Background

o In the Group Policy Management window, expand the following:

 Forest

 Domains

 kibria.local

o Right-click kibria.local and select Create a GPO in this domain, and Link it here.

o Name the GPO Desktop Background.

o Click OK.

3. Edit the Desktop Background GPO

o In Group Policy Management, expand the Group Policy Objects folder.

o Right-click the newly created Desktop Background GPO and select
Edit.

4. Configure the Desktop Background Policy

o In the Group Policy Management Editor, navigate to:

 User Configuration

 Policies

 Administrative Templates

 Desktop

 Desktop

o Double-click Desktop Wallpaper.

o Set it to Enabled.

o In the Wallpaper Name field, type the full path of the shared
wallpaper, such as C:\Desktop Background\bg.jpg.

 Note: Ensure the path is accessible by copying the path into a browser to verify that the image loads properly.

o Click Apply, then OK.

Step 4: Apply the Group Policy

1. Update Group Policy on the Server

o Open Command Prompt.

o Run the following commands to update the Group Policy:

gpupdate /force

gpresult /r

o This ensures that the policy is applied correctly to the domain.

Step 5: Verify the Desktop Background Deployment
1. Log Out from the Admin PC

o Log out from the Admin PC where the policy was configured.

2. Sign In from Another PC

o Log in to another PC within the same network (one that belongs to the same domain).

o The wallpaper should now be automatically applied as per the Group Policy configuration.

Conclusion

By following these steps, you can successfully deploy a desktop background across
multiple PCs on the same network using Group Policy in Active Directory. This
method allows for centralized control of user desktops, ensuring consistency across
the organization.

¯\_(ツ)_/¯

Setting Up a Logon Banner via Group Policy
This guide outlines the process of setting up an interactive logon banner for users
attempting to log on to a domain, using Group Policy in Active Directory.

Step 1: Open Group Policy Management

1. Open Server Manager.

2. Click on Tools in the top-right corner.

3. Select Group Policy Management.

Step 2: Create and Link a New Group Policy Object (GPO)

1. In the Group Policy Management window, expand the following:

o Forest

o Domains

o kibria.local

2. Right-click kibria.local, and select Create a GPO in this domain, and Link it here.

3. In the Name field, type Interactive Logon.

4. Click OK.

Step 3: Edit the Interactive Logon GPO

1. In Group Policy Management, locate the newly created Interactive Logon GPO under kibria.local.

2. Right-click the Interactive Logon GPO and select Edit.

Step 4: Configure the Logon Banner Policy

1. In the Group Policy Management Editor, navigate to:

o Computer Configuration

o Policies

o Windows Settings

o Security Settings

o Local Policies

o Security Options

2. Set Logon Message Title:

o In the Security Options section, find Interactive logon: Message title for users attempting to log on.

o Double-click it to open its properties.

o Check Define this policy setting.

o In the text field, type Warning (or any title you want to display).

o Click OK.

3. Set Logon Message Text:

o In the Security Options section, find Interactive logon: Message text for users attempting to log on.

o Double-click it to open its properties.

o Check Define this policy setting.

o In the text field, type the message you want to display, such as Hello,
thank you for using this system.

o Click OK.

Step 5: Apply the Group Policy

1. Update Group Policy:

o Open Command Prompt.

o Run the following command to update the Group Policy:

gpupdate /force

2. Log Off:

o Run the following command to log off: logoff

Step 6: Verify the Logon Banner

1. Attempt to Log In:

o After logging off, press Ctrl + Alt + Delete on the login screen.

o You should now see the Warning title and the Hello, thank you
message displayed on the logon screen.

o Click OK to proceed to the login prompt.
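Both of the previous two guides (the shared wallpaper and the logon banner) scripted end to end, since each is the same pattern: a GPO linked at the domain plus a couple of registry-backed policy values. This is an added example, not from either guide; it assumes the GroupPolicy module, a server named IPDC01, and that the wallpaper is referenced by its UNC path (the path every client can reach) rather than the server-local C:\ path shown in the wallpaper guide. Values written with Set-GPRegistryValue appear in the GPMC Settings tab under Extra Registry Settings rather than under the Administrative Template or Security Options name, but clients receive the same registry values.

```powershell
# Added example (not from the original guides). Assumes the GroupPolicy RSAT module, server
# IPDC01, and domain kibria.local. The registry values below are the ones the
# "Desktop Wallpaper" template and the two "Interactive logon" security options set on clients.
Import-Module GroupPolicy

$server   = 'IPDC01'
$domainDn = 'DC=kibria,DC=local'

function New-DomainLinkedGpo {
    param([Parameter(Mandatory)][string]$Name)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    $linked = (Get-GPInheritance -Target $domainDn).GpoLinks.DisplayName -contains $Name
    if (-not $linked) { New-GPLink -Name $Name -Target $domainDn -LinkEnabled Yes | Out-Null }
    return $gpo
}

# ---- Desktop background (guide: "Deploying a Desktop Background via Group Policy") ----
$sharePath = 'C:\Desktop Background'
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
if (-not (Get-SmbShare -Name 'Desktop Background' -ErrorAction SilentlyContinue)) {
    # Step 1.2: Authenticated Users, Read only. Nobody but admins should be able to swap bg.jpg.
    New-SmbShare -Name 'Desktop Background' -Path $sharePath -ReadAccess 'Authenticated Users' | Out-Null
}
$wallpaperUnc = "\\$server\Desktop Background\bg.jpg"
# The guide's "paste the path and check it loads" step, done as a hard check before deploying.
if (-not (Test-Path -LiteralPath $wallpaperUnc)) { throw "Wallpaper not reachable at $wallpaperUnc" }

New-DomainLinkedGpo -Name 'Desktop Background' | Out-Null
$userKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name 'Desktop Background' -Key $userKey -ValueName 'Wallpaper' `
    -Type String -Value $wallpaperUnc | Out-Null
Set-GPRegistryValue -Name 'Desktop Background' -Key $userKey -ValueName 'WallpaperStyle' `
    -Type String -Value '2' | Out-Null          # 2 = Stretch, 0 = Center, 10 = Fill

# ---- Logon banner (guide: "Setting Up a Logon Banner via Group Policy") ----
New-DomainLinkedGpo -Name 'Interactive Logon' | Out-Null
$machineKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name 'Interactive Logon' -Key $machineKey -ValueName 'legalnoticecaption' `
    -Type String -Value 'Warning' | Out-Null
Set-GPRegistryValue -Name 'Interactive Logon' -Key $machineKey -ValueName 'legalnoticetext' `
    -Type String -Value 'Hello, thank you for using this system.' | Out-Null

# Verify what each GPO now carries (what the client will write under the same key paths).
Get-GPRegistryValue -Name 'Desktop Background' -Key $userKey    | Select-Object ValueName, Value
Get-GPRegistryValue -Name 'Interactive Logon'  -Key $machineKey | Select-Object ValueName, Value

# On a client: gpupdate /force, then sign out and back in (wallpaper is per-user, the banner
# is per-machine, so a reboot or a fresh logon screen is needed to see the banner).
```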

Conclusion

By following these steps, you have successfully set up an interactive logon banner
that will display a custom message whenever users attempt to log on. This can be
used to show important warnings or messages for all users across the domain.

¯\_(ツ)_/¯

Deploying Software with Group Policy
This guide will explain how to deploy software (e.g., 7-Zip) to multiple computers
in a domain using Group Policy.

Step 1: Prepare the Software for Deployment

1. Create a Shared Folder:

o Create a folder on the C: drive named Software (e.g., C:\Software).

o Paste the 7-Zip MSI file (or any software in MSI format) inside this
folder.

2. Share the Folder:

o Right-click the Software folder and select Properties.

o Go to the Sharing tab, then click Advanced Sharing.

o Check Share this folder.

o Click Permissions, then remove any existing entries by clicking Remove.

o Click Add, type Authenticated Users, then click Check Names.

o Click OK, make sure Authenticated Users have Read permission.

o Click Apply, then OK, and close the advanced sharing settings.

Step 2: Create a Group Policy Object (GPO) for Software Deployment

1. Open Group Policy Management:

o Open Server Manager.

o Click Tools in the top-right corner and select Group Policy Management.

2. Create and Link a New GPO:

o In Group Policy Management, expand Forest and kibria.local.

o Right-click kibria.local and select Create a GPO in this domain, and Link it here.

o In the Name field, type SoftDeployment, then click OK.

3. Edit the GPO for Software Deployment:

o In Group Policy Management, locate the SoftDeployment GPO under kibria.local.

o Right-click SoftDeployment and select Edit.

Step 3: Configure Software Deployment Settings

1. Navigate to the Software Installation Settings:

o In the Group Policy Management Editor, expand the following:

 Computer Configuration

 Policies

 Software Settings

2. Deploy the Software:

o Right-click Software Installation, select New > Package.

o In the Open window, type the network path to the shared folder you
created (e.g., \\IPDC01\Software).

o Select the 7-Zip MSI package and click Open.

o In the Deploy Software dialog box, select Assigned, then click OK.

3. Verify the Software in GPO:

o Under Computer Configuration > Policies > Software Settings, you should see the 7-Zip package listed under Software Installation.

o Close the Group Policy Management Editor.

Step 4: Apply the Group Policy

1. Update Group Policy:

o Press Windows + D to open the desktop.

o Open Command Prompt and run the following command to update Group Policy: gpupdate /force

2. Restart the Computer:

o You may be prompted to restart the computer. Press Y when asked.

o Alternatively, you can restart manually by running this command:

shutdown -r -t 0

Step 5: Verify the Software Installation

1. Log In as Admin:

o Once the computer restarts, log in with an admin account.

2. Check for 7-Zip Installation:

o Open Start Menu and search for 7-Zip.

o You should see 7-Zip installed on the system.

Important Notes:

 Deploying Software via Computer Configuration: When deploying software under Computer Configuration, a system reboot is required for
the software installation to take effect on all computers in the domain.

 Deploying Software via User Configuration: Alternatively, you can deploy the software under User Configuration. In this case, the software will install
every time the user logs into a different computer. However, deploying under
Computer Configuration ensures the software is installed on all machines,
regardless of the user accounts.

Conclusion

By following these steps, you have successfully deployed the 7-Zip software to all
computers in the domain using Group Policy. This method ensures centralized and
automated software deployment across multiple machines, saving time and effort in
manual installations.

¯\_(ツ)_/¯

Configuring Roaming Profiles for User Accounts

This guide provides step-by-step instructions to configure roaming profiles for user
accounts in a domain. Roaming profiles allow user settings and files to move with the
user across different machines within the network.

Step 1: Create a Shared Folder for Roaming Profiles

1. Open Server Manager:
o Go to Server Manager and select File and Storage Services.
2. Create a New Shared Folder:
o Click Shares in the left menu.
o Right-click the blank area and select New Share.
o Choose SMB Share - Quick, then click Next.
o Select the server and the data volume (e.g., C: or E:), then click Next.
3. Configure the Share:
o In the Share Name field, enter Profiles$ (the dollar sign makes the
share hidden).
o Click Next.
o On the next page, check the following three boxes:
 Enable Access-Based Enumeration
 Allow Caching of Share
 Encrypt Data Access
o Click Next.
4. Set Permissions:
o Click Customize Permissions.
o In the Advanced Security Settings window, click Disable Inheritance.
o Select Convert Inherited Permissions into Explicit Permissions on
this Object.
o Remove the two default users under Permission Entries.
o Click Apply.

Step 2: Create a Domain Group for Roaming Profile Users

1. Open Active Directory Users and Computers (ADUC):

o In Server Manager, click Tools and select Active Directory Users and
Computers.
2. Create a New Organizational Unit (OU):
o Navigate to kibria.local.
o Right-click the Test OU, select New, then Organizational Unit (OU).
o Name the new OU Domain Groups.
3. Create a Security Group for Roaming Profile Users:
o Right-click the Domain Groups OU, select New > Group.
o Name the group Roaming Profile Users.
o Set Group Scope to Global and Group Type to Security.
o Click OK.
4. Add Users to the Group:
o Double-click the Roaming Profile Users group.
o Go to the Members tab and click Add.
o Enter the username (e.g., Kibria), click Check Name, then OK.
o Click Apply, then OK.

Step 3: Configure Permissions for the Profiles Share

1. Resume from Step 1:
o Continue from the last part of Step 1 after setting permissions.
2. Add User Permissions:
o In Advanced Security Settings for Profiles$, click Add.
o Select Select a Principal.
o Enter the group name Roaming Profile Users, click Check Names,
then OK.
3. Configure Advanced Permissions:
o Uncheck all basic permissions.
o Click Show Advanced Permissions on the right.
o Check the following:
 List Folder/Read Data
 Create Folders/Append Data
o In the Applies To dropdown, select This folder only.
o Click OK, then Apply.
4. Edit Administrator Permissions:
o Click the Administrator entry and select Edit.
o In the Applies To dropdown, select This folder only.

o Click OK, then Apply.
o Click Next, then Create, and Close the wizard.

Step 4: Assign Roaming Profiles to Users

1. Open Active Directory Users and Computers (ADUC):
o Open ADUC and navigate to the Roaming Profile Users group.
o Double-click the user (e.g., Paul Hill) in the Members tab.
2. Configure the Roaming Profile Path:
o Go to the Profile tab.
o In the Profile Path field, enter the UNC path to the profile share. For
example:

\\IPDC01\Profiles$\paul.hill

o Click Apply, then OK.

Step 5: Test Roaming Profiles

1. Log in as the User:
o Log in as Paul Hill (or the assigned user account).
2. Check the Profile Status:
o Open Control Panel > System and Security > System.
o Click Advanced System Settings > Advanced tab.
o Under User Profiles, click Settings.
o You should see the Roaming Profile listed.
3. Create Test Files:
o Create a new folder (e.g., Demo Folder) and a text file inside it on the
desktop.
4. Log Out and Log In as Another User:
o Log out from Paul Hill and log in as another user.
o When logged in, you should be able to see the Demo Folder and text
file created earlier by Paul Hill.
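The hidden share, its NTFS permissions and the per-user profile path from Steps 1, 3 and 4 in PowerShell. The permission model is the point: the group gets only "list" and "create folder" on the share root, so each user can create their own profile folder but cannot read anyone else's. This is an added example, not from the guide; it assumes the server IPDC01, a NetBIOS domain name KIBRIA, an assumed local path E:\Profiles, and it adds a CREATOR OWNER entry (Microsoft's recommended roaming-profile ACL, not a step in the guide) so each user ends up owning only the folder they created.

```powershell
# Added example (not from the original guide). Assumes server IPDC01, NetBIOS domain KIBRIA,
# the local path E:\Profiles (assumed), and the Roaming Profile Users group from Step 2.
Import-Module ActiveDirectory

$server      = 'IPDC01'
$profileRoot = 'E:\Profiles'
$groupName   = 'Roaming Profile Users'
$groupNt     = "KIBRIA\$groupName"      # NetBIOS domain name is an assumption

# Step 1: hidden share (trailing $), access-based enumeration, caching allowed, SMB encryption.
New-Item -ItemType Directory -Path $profileRoot -Force | Out-Null
if (-not (Get-SmbShare -Name 'Profiles$' -ErrorAction SilentlyContinue)) {
    # Share-level permission is deliberately wide; the NTFS ACL below does the real restriction.
    New-SmbShare -Name 'Profiles$' -Path $profileRoot -FullAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased -CachingMode Manual -EncryptData $true | Out-Null
}

# Steps 1.4 and 3: NTFS ACL on the share root.
$acl = Get-Acl -LiteralPath $profileRoot
$acl.SetAccessRuleProtection($true, $false)        # Disable Inheritance, keep nothing inherited
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($ace) | Out-Null         # drop the default explicit entries
}

$thisFolderOnly = [System.Security.AccessControl.InheritanceFlags]::None
$childrenOnly   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propNone       = [System.Security.AccessControl.PropagationFlags]::None
$propInherit    = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$allow          = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    # Step 3.3: List Folder/Read Data + Create Folders/Append Data, "This folder only".
    # ListDirectory and CreateDirectories are the enum names for those two rights.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $groupNt, 'ListDirectory, CreateDirectories', $thisFolderOnly, $propNone, $allow)
    # Step 3.4: Administrators, Full Control, "This folder only".
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $thisFolderOnly, $propNone, $allow)
    # Assumption beyond the guide: the user who creates a profile folder owns it and nothing else.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'CREATOR OWNER', 'FullControl', $childrenOnly, $propInherit, $allow)
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -LiteralPath $profileRoot -AclObject $acl

# Step 4: profile path for every member of the group. Windows creates the folder on first
# logon (as <name>.V6 on current clients) and the user, as CREATOR OWNER, becomes its owner.
Get-ADGroupMember -Identity $groupName | Where-Object objectClass -eq 'user' | ForEach-Object {
    $path = "\\$server\Profiles`$\$($_.SamAccountName)"
    Set-ADUser -Identity $_.SamAccountName -ProfilePath $path
    "$($_.SamAccountName) -> $path"
}

# Review: who can do what on the profile root (should be exactly the three entries above).
(Get-Acl -LiteralPath $profileRoot).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

The test in Step 5.4 (a second user seeing the first user's Demo Folder) only holds when both users share one profile path; with the ACL above each user sees only their own folder, which is the intended behaviour for production.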

Conclusion

By following these steps, you have successfully configured roaming profiles for your
domain users. This allows users' settings, documents, and profiles to follow them
regardless of which computer they log into within the network, ensuring a consistent
user experience across devices.

I'm just going to call this profiles and I'm going to add the dollar sign by hitting shift.
And the number four. Now what this does is it makes the folder hidden so that it's not
easily viewable by people who are just browsing this share path right here.

A non inheriting OU means that the organizational unit is not going to inherit any
group policy objects that are not directly linked to the organizational unit except for
those group policy objects that are enforced.

¯\_(ツ)_/¯

Automatically Map Network Share Drives with Group Policy

This guide demonstrates how to create network shares for different user groups and
map these shares to user accounts automatically using Group Policy. Additionally, it
outlines how to restrict access between different groups so that users in one group
cannot access the shared drive of another group.

Step 1: Create User Groups in Active Directory

1. Open Active Directory Users and Computers (ADUC):


o In Server Manager, go to Tools and select Active Directory Users
and Computers.
2. Create User Groups:
o Navigate to kibria.local > TestOU.
o Right-click on TestOU and select New > Group.
o Name the first group GroupA. Set Group Scope to Global and Group
Type to Security. Click OK.
o Repeat the process to create another group named GroupB.
3. Add Users to Groups:
o Double-click GroupA, go to the Members tab, and click Add.
o Type the user name (e.g., Kibria), click Check Name, then OK.
o For GroupB, first create the user Robert (steps 4 and 5 below), then add Robert
to GroupB the same way.
4. Create New Users:
o Right-click Domain Users, select New > User, and create a user named
Robert with a password.
5. Assign Robert to GroupB:
o Double-click GroupB, go to the Members tab, click Add, type Robert,
and click Check Name > OK.

Step 2: Create Network Shares for User Groups

1. Open Server Manager:


o In Server Manager, select File and Storage Services > Shares.
2. Create a Network Share for GroupA:
o Right-click the blank area in Shares and select New Share.

Map Network Share Drives Page 1 of 4


o Choose SMB Share - Quick, then click Next.
o Select the server and data volume (C: or E:), then click Next.
o Name the share GroupA, then click Next.
3. Configure Share Permissions for GroupA:
o Check Allow Caching of Share, then click Next.
o Click Customize Permissions, then click Disable Inheritance.
o Choose Convert Inherited Permissions into Explicit Permissions on
this Object.
o Remove the two default user accounts.
o Click Add, select Principal, and type GroupA, then click Check
Names > OK.
o Grant GroupA the following permissions:
 Read & Execute
 List Folder Contents
 Read
 Write
o Click OK, then Apply, and OK to finalize the permission settings.
o Click Next, then Create, and Close.
4. Create a Network Share for GroupB:
o Repeat the exact steps above to create a network share for GroupB,
following the same permissions setup but using GroupB as the assigned
group.

Step 3: Restrict Access to Shares

 By setting permissions only for GroupA on the GroupA share and GroupB on
the GroupB share, the access between groups is restricted automatically. Users
from GroupA cannot access GroupB's share, and vice versa.
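The same result as Steps 1 to 3, scripted. This is an added example, not code from the guide or its author: it creates the two groups in TestOU, creates the folders and SMB shares, and scopes each share to its own group at both the share layer and the NTFS layer. Beyond the names the guide uses (kibria.local, TestOU, GroupA, GroupB, users Kibria and Robert, server IPDC01) it assumes a NetBIOS domain name of KIBRIA, a share root of E:\Shares, that both users already exist, and that it runs as a domain admin on the file server.

```powershell
# Added example, not the guide's own code. Assumptions beyond the guide:
# NetBIOS domain name KIBRIA, share root E:\Shares, users Kibria and Robert
# already exist, and the script runs as a domain admin on the file server.
Import-Module ActiveDirectory

$OU      = 'OU=TestOU,DC=kibria,DC=local'
$NetBios = 'KIBRIA'
$Root    = 'E:\Shares'

function New-GroupShare {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$Members
    )
    $principal = "$NetBios\$GroupName"

    # Step 1: global security group in TestOU, plus its members.
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $OU)) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OU
    }
    Add-ADGroupMember -Identity $GroupName -Members $Members

    # Step 2: folder and SMB share. The share-level ACL names only the group
    # (Change = read + write); caching stays on, matching "Allow Caching of Share".
    $path = Join-Path $Root $GroupName
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    New-SmbShare -Name $GroupName -Path $path -ChangeAccess $principal -CachingMode Manual | Out-Null

    # NTFS: disable inheritance and convert the inherited entries to explicit ones.
    # Set-Acl has to run before those entries can be removed: while a rule is still
    # marked IsInherited, RemoveAccessRule() silently does nothing.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl

    # Remove the broad default principals (the "default user accounts" in the guide),
    # keep SYSTEM and Administrators for management, then grant the group
    # ReadAndExecute + Write, which is exactly the Step 3 set (Read and List Folder
    # Contents are subsets of ReadAndExecute) and does not include Delete.
    $acl = Get-Acl -Path $path
    foreach ($rule in @($acl.Access)) {
        if ($rule.IdentityReference.Value -match '\\Users$|Authenticated Users|Everyone|CREATOR OWNER') {
            $acl.RemoveAccessRule($rule) | Out-Null
        }
    }
    $allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'ReadAndExecute, Write', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($allow)
    Set-Acl -Path $path -AclObject $acl
}

New-GroupShare -GroupName 'GroupA' -Members 'Kibria'
New-GroupShare -GroupName 'GroupB' -Members 'Robert'

# Step 3 check: each share should list only its own group at the share layer,
# and only that group plus SYSTEM/Administrators at the NTFS layer.
Get-SmbShareAccess -Name 'GroupA', 'GroupB' | Format-Table Name, AccountName, AccessRight -AutoSize
foreach ($g in 'GroupA', 'GroupB') {
    (Get-Acl -Path (Join-Path $Root $g)).Access |
        Format-Table @{n='Share'; e={$g}}, IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

The two Set-Acl calls are deliberate: the first one materialises the inherited entries as explicit ones, and only then can the second pass remove the Users and Authenticated Users entries. Doing it in a single in-memory pass is the usual reason an ACL script "runs clean" but leaves the broad entries in place.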

Step 4: Automatically Map Drives with Group Policy

1. Open Group Policy Management:


o Go to Tools > Group Policy Management.
2. Create Group Policy Objects (GPOs) for Drive Mapping:
o Expand Forest > Domains > kibria.local > TestOU.
o Right-click TestOU and select Create a GPO in this Domain.



o Name the first GPO GroupA Map Drive, then click OK.
o Right-click the newly created GPO and select Edit.
3. Configure Drive Mapping for GroupA:
o In the Group Policy Management Editor, expand User Configuration
> Preferences > Windows Settings > Drive Maps.
o Right-click Drive Maps, select New > Mapped Drive.
o In the Location field, click Browse and select the GroupA share (e.g.,
\\IPDC01\GroupA), then click OK.
o Check Reconnect and choose Use first available drive letter.
o Click Common in the properties window, then select Item-Level
Targeting.
o Click Targeting and add a condition to only apply this policy to
GroupA users:
 Click New Item > Security Group.
 In the Group field, type GroupA and click OK.
o Click Apply and OK to finish the configuration.
4. Repeat for GroupB:
o Repeat the same process to create a GPO for GroupB named GroupB
Map Drive.
o Map GroupB's share (e.g., \\IPDC01\GroupB) and apply targeting to
GroupB.

Step 5: Delegate Permissions for Mapped Drives

1. Delegate Permissions for GroupA Mapped Drive:


o Go to the Delegation tab of GroupA Map Drive in Group Policy
Management.
o Click Add, then type Authenticated Users, click Check Names, and
OK.
2. Repeat for GroupB:
o Repeat the above steps for GroupB Map Drive.

Step 6: Update Group Policy and Test Drive Mapping

1. Log in as a User from GroupA:


o Log in to Paul Hill's user account (who belongs to GroupA).



o Open Command Prompt and run the following command to update
group policies:

gpupdate /force

2. Check Mapped Drive:


o Open File Explorer and check This PC.
o You should see GroupA's shared drive automatically mapped under
Network Locations.
3. Log in as a User from GroupB:
o Log in to Robert's user account (who belongs to GroupB).
o Repeat the process with gpupdate /force.
o Check This PC for GroupB's mapped drive under Network Locations.
4. Verify Access Restrictions:
o Users from GroupA will not have access to GroupB's shared drive and
vice versa, confirming that access is properly restricted based on group
membership.

Conclusion

By following these steps, you've successfully created network shares for different user
groups and mapped them automatically using Group Policy. Access to each network
share is restricted to members of the respective group, ensuring that GroupA cannot
access GroupB's shared drive and vice versa. This setup streamlines resource
management and enhances security across the domain.

¯\_(ツ)_/¯


Domain Password and Account Lockout Policies Using Group
Policy

This guide outlines how to configure domain password and account lockout policies
using Group Policy in Active Directory. The goal is to enforce secure password
practices and prevent users from using weak or insecure passwords, as well as ensure
account lockout measures are in place to prevent unauthorized access attempts.

Step 1: Access Group Policy Management

1. Open Group Policy Management:


o In Server Manager, go to Tools and select Group Policy Management.
2. Navigate to the Default Domain Policy:
o Expand Forest > Domains > kibria.local.
o Locate the Default Domain Policy.
3. Open the Default Domain Policy for Editing:
o Right-click on the Default Domain Policy and select Edit.

Step 2: Configure Password Policy

1. Navigate to Password Policy Settings:


o In the Group Policy Management Editor, expand:
 Computer Configuration > Policies > Windows Settings >
Security Settings > Account Policies > Password Policy.
2. Set Password Policy Options:
o Configure the following password settings based on your security
requirements:
 Enforce Password History: Set this to 24 to prevent users from
reusing their last 24 passwords.
 Maximum Password Age: Defines how long a password can be
used before it must be changed. Example: 90 days.
 Minimum Password Age: Set to 0 days so that users can reset
their password immediately after changing it if needed.
 Minimum Password Length: Set a length such as 8 characters
to enforce strong passwords.

Password and Account Lockout Policy Page 1 of 4


 Password Must Meet Complexity Requirements: Ensure this
is set to Enabled to require users to use complex passwords (e.g.,
a mix of uppercase, lowercase, numbers, and symbols).
 Store Passwords Using Reversible Encryption: Ensure this is
set to Disabled. This is important because storing passwords
with reversible encryption is a significant security vulnerability.
3. Apply Settings:
o After configuring the desired settings, click Apply and OK to save the
changes.

Step 3: Configure Account Lockout Policy

1. Navigate to Account Lockout Policy Settings:


o Still in the Group Policy Management Editor, go to:
 Computer Configuration > Policies > Windows Settings >
Security Settings > Account Policies > Account Lockout
Policy.
2. Set Account Lockout Policy Options:
o Configure the following account lockout settings:
 Account Lockout Threshold: This setting defines how many
failed login attempts are allowed before the account is locked.
Example: 5 attempts.
 Account Lockout Duration: Defines how long an account will
remain locked out before it is automatically unlocked. Example:
30 minutes.
 Reset Account Lockout Counter After: Set this to 15 minutes
to reset the counter after this time has passed without failed login
attempts.
3. Apply Settings:
o After configuring the lockout policies, click Apply and OK.
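A read-only drift check for the values set in Steps 2 and 3. This is an added example, not the guide's code: it reads the effective default domain policy with the ActiveDirectory module and reports each setting as OK or DRIFT against the values the guide chose. It assumes the domain kibria.local and runs as any domain user with RSAT installed.

```powershell
# Added example, not the guide's own code. Assumes the domain kibria.local and a
# machine with the ActiveDirectory (RSAT) module; needs no admin rights to run.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param([string]$Domain = 'kibria.local')
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    # Expected values from Steps 2 and 3 of the guide. Durations are TimeSpans on
    # the policy object, so they are compared as TimeSpans.
    $expected = [ordered]@{
        PasswordHistoryCount        = 24
        MaxPasswordAge              = New-TimeSpan -Days 90
        MinPasswordAge              = New-TimeSpan -Days 0
        MinPasswordLength           = 8
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        LockoutThreshold            = 5
        LockoutDuration             = New-TimeSpan -Minutes 30
        LockoutObservationWindow    = New-TimeSpan -Minutes 15
    }

    foreach ($name in $expected.Keys) {
        $ok = ($p.$name -eq $expected[$name])
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $p.$name
            Status   = if ($ok) { 'OK' } else { 'DRIFT' }
        }
    }
}

# The Default Domain Policy GPO is the source of these values: the PDC emulator
# writes them onto the domain object. Fix any DRIFT in the GPO (Steps 2 and 3),
# not by editing the domain object directly, or the GPO will reapply the old value.
Test-DomainPasswordPolicy | Format-Table -AutoSize
```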

Step 4: Force Group Policy Update

1. Update the Policy on Client Computers:


o Open Command Prompt on a client machine and run the following
command to apply the new Group Policy settings immediately:



gpupdate /force

2. Verify Policy Enforcement:


o After updating Group Policy, test by attempting to log in with an
incorrect password multiple times. After the defined number of failed
attempts (e.g., 5), the account should lock.

Step 5: Unlock a Locked Account

1. Unlock the Locked User Account:


o In Server Manager, go to Tools > Active Directory Users and
Computers (ADUC).
o Navigate to kibria.local > TestOU > Domain Users.
o Double-click on the locked user (e.g., Paul Hill).
o In the Account tab, check the Unlock Account option and click OK.
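Lockout triage from PowerShell. This is an added example, not the guide's code: it lists the accounts that are currently locked out, reads the Security log for event 4740 (the "account was locked out" event, which names the computer the failed logons came from), and unlocks an account the way Step 5 does in ADUC. Run it elevated on the PDC emulator, which is where lockouts are recorded. The account name paul.hill is taken from the guide.

```powershell
# Added example, not the guide's own code. Run elevated on the PDC emulator;
# the account name paul.hill is the one the guide locks out in Step 4.
Import-Module ActiveDirectory

function Get-LockedOutAccounts {
    # Accounts whose lockoutTime attribute is currently set.
    Search-ADAccount -LockedOut -UsersOnly |
        Select-Object Name, SamAccountName, LastLogonDate, LockedOut
}

function Get-LockoutSources {
    param([int]$Hours = 24)
    # Security event 4740 ("A user account was locked out"). In its EventData the
    # first field is the locked account and the second is the caller computer,
    # i.e. the machine that sent the bad passwords; that is where to look first
    # (a stale saved credential, a scheduled task, or a mapped drive is the usual cause).
    Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4740
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $_.Properties[0].Value
                CallerComputer = $_.Properties[1].Value
            }
        }
}

function Unlock-DomainAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Unlock-ADAccount -Identity $SamAccountName
    # Returns $false once the unlock has taken effect on this DC.
    (Get-ADUser -Identity $SamAccountName -Properties LockedOut).LockedOut
}

Get-LockedOutAccounts | Format-Table -AutoSize
Get-LockoutSources -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
# Unlock-DomainAccount -SamAccountName 'paul.hill'
```

Get-WinEvent raises an error rather than returning nothing when no event matches the filter, which is why the call carries -ErrorAction SilentlyContinue; without it a quiet 24 hours looks like a failure.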

Best Practices and Notes:

1. Password History:
By setting Enforce Password History to 24, users will not be able to reuse
their last 24 passwords. This encourages users to use new and secure passwords.
2. Password Age:
Setting the Minimum Password Age to 0 allows users to reset their password
immediately if necessary, but still enforces the complexity and history rules.
3. Reversible Encryption:
Always disable Store Passwords Using Reversible Encryption. Storing
passwords this way is a security risk equivalent to having passwords stored in
plain text.
4. Account Lockout:
Account lockouts protect against brute force attacks. However, setting the
lockout duration too long or the threshold too low could inconvenience users, so
strike a balance between security and usability.



Important Considerations:

 Password Policies Apply to Computer Objects:
Password settings in Group Policy apply to computer objects, which include
the user accounts residing on those computers. This means the policies will
impact all user accounts on the domain unless specific exceptions (e.g., service
accounts) are handled separately.
 Different Password Policies for Different Account Types:
Service accounts, domain administrators, and other special accounts may
require different password policies. This scenario would need to be addressed
with Fine-Grained Password Policies, which can be applied directly to users
or groups.

Conclusion:

By following these steps, you have enforced secure password policies and account
lockout measures in your domain. This setup ensures that users cannot use weak
passwords, must reset passwords regularly, and are locked out after a set number of
failed login attempts. These measures strengthen domain security and protect against
unauthorized access.



Deploying Fine-Grained Password Policy (PSO)

Fine-Grained Password Policies (PSO) allow administrators to apply different
password and account lockout policies to specific users or groups, instead of applying a
single domain-wide policy. This documentation outlines how to create and apply a PSO
to a security group in Active Directory using ADUC (Active Directory Users and
Computers) and ADSI Edit, and how to verify its application using PowerShell.

Step 1: Create a Security Group for the PSO

1. Open Active Directory Users and Computers (ADUC):


o In Server Manager, go to Tools and select Active Directory Users
and Computers.
2. Create a New Security Group:
o Expand kibria.local > TestOU > Domain Groups.
o Right-click Domain Groups > New > Group.
o Set the following options:
 Group Name: 7 Day Password Age
 Group Scope: Global
 Group Type: Security
o Click OK.
3. Add Members to the Group:
o Double-click on the newly created group 7 Day Password Age.
o Go to the Members tab > Click Add.
o Enter the user Kibria > Click Check Names > Click OK.
o Click Apply > OK.

Step 2: Create the Fine-Grained Password Policy (PSO)

1. Open ADSI Edit:


o In Server Manager, go to Tools and select ADSI Edit.
2. Connect to Default Naming Context:
o Right-click ADSI Edit > Connect to > Click OK to connect to the
Default Naming Context.
3. Navigate to the Password Settings Container:

Fine-Grained Password Policy Page 1 of 4


o Expand DC=kibria, DC=local > CN=System > Password Settings
Container.
4. Create a New PSO:
o Right-click on the white space under Password Settings Container >
New > Object.
o In the wizard, select msDS-PasswordSettings and click Next.
5. Configure the PSO Settings:
o Name: 7DayPasswordAge
o Click Next after each setting and apply the following values:
 Precedence: 1 (Lower numbers take precedence over other
PSOs)
 Reversible Encryption Required: FALSE
 Password History Length: 24 (Number of previous passwords
that cannot be reused)
 Password Complexity Enabled: TRUE
 Minimum Password Length: 14 (Set to 14 characters)
 Minimum Password Age: 00:00:00:00 (Allow immediate
password reset)
 Maximum Password Age: 07:00:00:00 (Set password
expiration to 7 days)
 Lockout Threshold: 3 (Locks account after 3 failed attempts)
 Lockout Duration: 00:00:15:00 (Locks the account for 15
minutes)
 Reset Lockout Counter After: 00:00:15:00 (Counter resets
after 15 minutes)
6. Finish the PSO Creation:
o After configuring all settings, click Finish to create the PSO.

Step 3: Apply the PSO to the Security Group

1. Assign PSO to the Security Group:


o In ADSI Edit, right-click the newly created PSO 7DayPasswordAge
under the Password Settings Container.
o Select Properties.
o Scroll down to find msDS-PSOAppliesTo (this may say <not set>).
o Click Edit > Add Windows Account.
o Type 7 Day Password Age > Check Names > OK > Apply > OK.



2. Verify Group Membership in ADUC:
o Go back to ADUC and navigate to kibria.local > TestOU > Domain
Groups.
o Double-click 7 Day Password Age.
o Go to the Members tab and verify the group members are correctly
added.

Step 4: Verify the Password Expiration Using PowerShell

1. Open PowerShell:
o Launch PowerShell with administrative privileges.
2. Import Active Directory Module:
o Run the following command to import the Active Directory module:

Import-Module ActiveDirectory

3. Check Password Expiration Date:


o Run the following command to check the password expiration date for a
user:

Get-ADUser -Filter {GivenName -like "Paul"} -Properties "DisplayName", "givenName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName", @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

o This command will display the password expiration date for the user
Paul.
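The same PSO built and checked from PowerShell. This is an added example, not the guide's code: it creates the Step 2 policy with New-ADFineGrainedPasswordPolicy instead of ADSI Edit, applies it to the Step 1 group (Step 3), and then reports which policy a user actually resolves to together with the expiry date from Step 4, handling the "password never expires" case that the one-liner above does not. It uses the guide's names (PSO 7DayPasswordAge, group "7 Day Password Age", user Kibria) and runs as a domain admin.

```powershell
# Added example, not the guide's own code. Uses the guide's names: PSO
# 7DayPasswordAge, group "7 Day Password Age", user Kibria. Run as a domain admin.
Import-Module ActiveDirectory

function New-SevenDayPso {
    # Same values as the ADSI Edit wizard in Step 2; durations are TimeSpans here.
    New-ADFineGrainedPasswordPolicy -Name '7DayPasswordAge' -Precedence 1 `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -MinPasswordLength 14 `
        -MinPasswordAge (New-TimeSpan -Days 0) `
        -MaxPasswordAge (New-TimeSpan -Days 7) `
        -LockoutThreshold 3 `
        -LockoutDuration (New-TimeSpan -Minutes 15) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15)

    # Step 3: populates msDS-PSOAppliesTo. The subject is the group; members inherit it.
    Add-ADFineGrainedPasswordPolicySubject -Identity '7DayPasswordAge' -Subjects '7 Day Password Age'
}

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Resolves precedence across every PSO that applies to the user, directly or
    # through group membership; $null means the default domain policy applies.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    $policy = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
    $maxAge = if ($pso) { $pso.MaxPasswordAge } else { (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge }

    $u   = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'
    $raw = [long]$u.'msDS-UserPasswordExpiryTimeComputed'
    # Accounts flagged "password never expires" report Int64.MaxValue, which
    # FromFileTime() rejects, so handle that before converting.
    $expiry = if ($raw -ge [long]::MaxValue) { 'never' } else { [datetime]::FromFileTime($raw) }

    [pscustomobject]@{
        User            = $SamAccountName
        Policy          = $policy
        MaxPasswordAge  = $maxAge
        PasswordLastSet = $u.PasswordLastSet
        ExpiryDate      = $expiry
    }
}

New-SevenDayPso
Get-EffectivePasswordPolicy -SamAccountName 'Kibria'
```

Get-ADUserResultantPasswordPolicy is the quickest answer to "which policy is this user actually under": it applies the precedence rule from the notes below for you, so a user in two groups with two PSOs shows the winning one rather than both.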

Notes and Best Practices:

1. Purpose of a Fine-Grained Password Policy (PSO):


o PSOs allow you to define password and account lockout policies on a
per-user or per-security group basis. This differs from Group Policy,
which applies password policies to computer objects.
2. Precedence of PSOs:



o The Precedence value determines which PSO takes effect if a user or
group is subject to multiple PSOs. The PSO with the lowest Precedence
(closest to 1) will override others.
3. Testing PSO Application:
o You can wait for 7 days to see if the password expires for users in the 7
Day Password Age group, or you can modify the PSO to expire after a
shorter time for testing purposes.
4. Verification:
o Use the PowerShell script to verify if the password expiration date is
correctly set according to the PSO.

Conclusion:

By following this guide, you have successfully deployed a Fine-Grained Password
Policy (PSO) in Active Directory and applied it to a security group. This allows you to
enforce different password policies for specific groups of users, enhancing security and
flexibility in your domain. The use of PowerShell helps in verifying that the PSO is
functioning correctly.

¯\_(ツ)_/¯


Configuring Windows Firewall with Group Policy

This guide outlines the steps to configure Windows Firewall rules using Group Policy.
You will create a new Group Policy Object (GPO) to define an inbound rule for a
specific port and then apply the policy to domain computers. Finally, you will verify
the policy application using gpupdate and rsop.msc (Resultant Set of Policy).

Step 1: Create a Group Policy Object (GPO) for Windows Firewall

1. Open Group Policy Management:


o In Server Manager, click Tools and select Group Policy Management.
2. Navigate to Domain Computers:
o In the Group Policy Management window, expand Forest > Domains
> kibria.local > TestGPO > Domain Computers.
3. Create a New GPO:
o Right-click Domain Computers > Select Create a GPO in this
domain and link it here.
o Set the Name of the new GPO to test1234firewall.
o Click OK.

Step 2: Edit the Firewall Rule in the GPO

1. Edit the GPO:


o Right-click on the newly created GPO test1234firewall > Click Edit.
2. Configure Windows Firewall Rule:
o In the Group Policy Management Editor, navigate to:

Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security

3. Create a New Inbound Rule:


o Right-click Inbound Rules > Click New Rule.
4. Select Rule Type (Port):
o In the New Inbound Rule Wizard, select Port > Click Next.
5. Specify Port and Protocol:
o In the Specific local ports field, enter 1234.

Firewall with Group Policy Page 1 of 3


o Select TCP as the protocol.
o Click Next.
6. Action to Allow the Connection:
o Select Allow the connection.
o Click Next.
7. Apply to Profiles:
o Check all three profiles: Domain, Private, and Public.
o Click Next.
8. Name the Rule:
o In the Name field, enter test1234.
o Click Finish.

Step 3: Apply the GPO and Verify

1. Log in to a Domain User Account (Paul Hill):


o Log in to the domain account Paul Hill.
2. Update Group Policies:
o Open Command Prompt.
o Run the following command to force a Group Policy update:

gpupdate /force

3. Verify Policy Application Using rsop.msc:


o After the policy update, press Windows Key + R and type rsop.msc
(Resultant Set of Policy) to launch the tool.
o In the rsop.msc window, expand Computer Configuration >
Administrative Templates.
o Look for Extra Registry Settings.
o Here, you should see the rule you created, named test1234.
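The same rule written into the GPO from PowerShell, and a client-side check that does not need rsop.msc. This is an added example, not the guide's code: New-NetFirewallRule accepts a GPO as its policy store, so the rule lands in test1234firewall rather than in the local firewall; on a client, the ActiveStore view shows whether the rule arrived and that it came from Group Policy. It assumes the GPO name test1234firewall in kibria.local, a domain admin with GPMC/RSAT for the first two functions, and a domain-joined client after gpupdate /force for the third.

```powershell
# Added example, not the guide's own code. Assumes the GPO test1234firewall in
# kibria.local. Creating/reading the GPO rule needs GPMC/RSAT and domain admin
# rights; the client check runs on any domain-joined machine after gpupdate /force.

# "<domain>\<GPO name>" as the policy store targets the GPO, not the local firewall.
$GpoStore = 'kibria.local\test1234firewall'

function New-LabFirewallGpoRule {
    # Mirrors the wizard choices: TCP 1234, inbound, allow, all three profiles.
    # Outside a lab, narrow this to -Profile Domain and add -RemoteAddress so
    # only the hosts that need the port can reach it; an allow rule on the
    # Public profile is rarely what a domain machine should carry.
    New-NetFirewallRule -DisplayName 'test1234' -Direction Inbound -Protocol TCP -LocalPort 1234 `
        -Action Allow -Profile Domain, Private, Public -PolicyStore $GpoStore
}

function Get-LabFirewallGpoRule {
    # Reads the rule back out of the GPO together with its port filter.
    $rule = Get-NetFirewallRule -DisplayName 'test1234' -PolicyStore $GpoStore
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        DisplayName = $rule.DisplayName
        Direction   = $rule.Direction
        Action      = $rule.Action
        Profile     = $rule.Profile
        Protocol    = $port.Protocol
        LocalPort   = $port.LocalPort
    }
}

function Test-AppliedRuleOnClient {
    # ActiveStore merges local rules with those pushed by Group Policy;
    # PolicyStoreSourceType = GroupPolicy confirms the rule came from the GPO.
    Get-NetFirewallRule -DisplayName 'test1234' -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Direction, Action, Profile, PolicyStoreSource, PolicyStoreSourceType
}

New-LabFirewallGpoRule | Out-Null
Get-LabFirewallGpoRule
# On a client, after gpupdate /force:
# Test-AppliedRuleOnClient
```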



Notes and Best Practices:

1. Purpose of the GPO:


o This GPO configures a Windows Firewall inbound rule that allows
traffic on port 1234 using the TCP protocol.
2. Firewall Profiles:
o The rule is applied to all three firewall profiles: Domain, Private, and
Public. This ensures the rule works across all network environments.
3. Verifying Policies:
o The gpupdate /force command ensures that the new GPO is applied
immediately. You can verify the results using rsop.msc, which shows
the applied Group Policy settings.

Conclusion:

By following this guide, you have successfully created and applied a Windows Firewall
inbound rule using Group Policy. This allows you to manage firewall settings centrally
across domain computers. The rule was verified using both gpupdate /force and the
rsop.msc tool to ensure it is correctly applied.

¯\_(ツ)_/¯


Configuring Windows Registry Settings with Group Policy

This guide explains how to configure a Windows registry setting using Group Policy to
allow users to right-click on any file in File Explorer and open it with Notepad. This
can be useful for quickly viewing or editing non-text files such as images or DLLs.
However, be cautious when editing the registry, as improper changes may cause system
instability.

Step 1: Create a Group Policy Object (GPO)

1. Open Group Policy Management:


o In Server Manager, click Tools > Select Group Policy Management.
2. Create a New GPO:
o In the Group Policy Management window, navigate to your domain by
expanding Forest > Domains > kibria.local.
o Right-click on kibria.local and select Create a GPO in this domain,
and link it here.
o Name the new GPO regsettings.
o Click OK.

Step 2: Edit the Registry Settings in the GPO

1. Edit the GPO:


o Right-click on the newly created GPO regsettings > Select Edit.
2. Navigate to the Registry Configuration:
o In the Group Policy Management Editor, go to:

Computer Configuration > Preferences > Windows Settings > Registry

3. Create a New Registry Item:


o Right-click in the white space in the right pane > Select New >
Registry Item.
4. Configure the Registry Item:
o In the New Registry Properties window, fill out the following fields:
 Action: Select Create.
 Hive: Select HKEY_CLASSES_ROOT.

Registry Settings Page 1 of 3


 Key Path: Enter *\shell\open with notepad\command.
 Value Name: Leave Default checked.
 Value Type: Select REG_SZ.
 Value Data: Enter notepad.exe %1.
5. Apply the Registry Settings:
o Click Apply and then OK to save the settings.

Step 3: Apply and Verify the Group Policy

1. Force Group Policy Update:


o Open Command Prompt.
o Run the following command to apply the new Group Policy
immediately: gpupdate /force
2. Verify the Registry Change:
o After updating the policy, right-click any file in File Explorer (such as a
JPG, ZIP, or DLL file).
o You should now see an option Open with Notepad.
o Selecting this option will open the file in Notepad.
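A scripted version of the Step 3 check. This is an added example, not the guide's code: it reads the key on a client after gpupdate /force and reports whether it is present and what command it carries. The point worth knowing is that the key path contains a literal *, which the registry provider would treat as a wildcard, so every call must use -LiteralPath. It uses the key and value from the guide and assumes nothing else.

```powershell
# Added example, not the guide's own code. Uses the key and value from Step 2;
# run on a client after gpupdate /force.

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\*\shell\open with notepad\command'

function Test-OpenWithNotepadKey {
    # Test-Path / Get-ItemProperty with -Path would expand "*" as a wildcard and
    # match every subkey of HKCR; -LiteralPath addresses the literal "*" key.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        return [pscustomobject]@{ Present = $false; Command = $null; QuotedArgument = $false }
    }
    # The GPP item writes the key's (Default) value; PowerShell exposes it as '(default)'.
    $cmd = (Get-ItemProperty -LiteralPath $KeyPath).'(default)'
    [pscustomobject]@{
        Present        = $true
        Command        = $cmd
        # notepad.exe %1 splits a path containing spaces into several arguments;
        # notepad.exe "%1" does not. Flag the unquoted form so it stands out.
        QuotedArgument = [bool]($cmd -match '"%1"')
    }
}

Test-OpenWithNotepadKey
```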

Notes and Best Practices:

1. Purpose of the Registry Setting:


o This setting allows users to right-click on any file, regardless of file type,
and open it with Notepad. This is useful for quickly inspecting files that
are not typically opened with Notepad.
2. Editing the Windows Registry:
o Be cautious when editing the Windows registry, as incorrect changes
can cause system problems. Always test registry changes in a controlled
environment before applying them to a production environment.
3. Understanding %1:
o The %1 in the registry value represents the file path of the item being
clicked. When a user selects Open with Notepad, %1 passes the file's
path to Notepad, allowing it to open the file.



Conclusion:

By following this guide, you have successfully created and deployed a Group Policy
Object (GPO) to modify the Windows registry. This GPO adds a useful option to right-
click any file in File Explorer and open it with Notepad. As always, ensure you
understand the implications of registry edits before applying them widely in a
production environment.

¯\_(ツ)_/¯


Enforcing Windows Hello for Business PIN Authentication

In Windows Server environments, enforcing a PIN as a mandatory authentication
method instead of a password for user login is not directly achievable through
traditional Group Policy settings. However, you can configure Windows Hello for
Business, which allows users to use PINs and biometric authentication, and you can
enforce these settings via Group Policy.

Here’s how you can set up and enforce Windows Hello for Business in your Windows
Server environment:

Objective: Configure and enforce Windows Hello for Business to allow users to log in
with a PIN instead of a traditional password.

Step 1: Configure Windows Hello for Business Policies

1. Open Group Policy Management:


o In Server Manager, click Tools > Select Group Policy Management.
2. Create a New GPO:
o In the Group Policy Management window, navigate to your domain by
expanding Forest > Domains > kibria.local.
o Right-click on kibria.local and select Create a GPO in this domain,
and link it here.
o Name the new GPO WindowsHelloForBusiness.
o Click OK.
3. Edit the GPO:
o Right-click on the newly created GPO WindowsHelloForBusiness >
Select Edit.
4. Navigate to Windows Hello for Business Settings:
o In the Group Policy Management Editor, go to:

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Hello for Business

5. Configure Windows Hello for Business:

PIN Authentication Page 1 of 3


o Enable Windows Hello for Business: Double-click on Use Windows
Hello for Business and set it to Enabled. Click OK.
o Configure PIN Complexity: Double-click on Configure PIN
complexity and configure the settings to meet your security
requirements, such as PIN length and complexity. Click OK.
6. Additional Configurations:
o You can configure additional settings such as Enable Enhanced PINs
and Use biometric authentication based on your organizational
requirements.

Step 2: Enforce PIN Sign-In Policy

1. Navigate to Sign-In Options Policy:


o In the Group Policy Management Editor, go to:

Computer Configuration > Policies > Administrative Templates > System > Logon

2. Enforce Sign-In Options:


o Turn on PIN sign-in: Double-click on Turn on PIN sign-in and set it
to Enabled. Click OK.
3. Disable Password Authentication:
o Unfortunately, directly disabling traditional password authentication via
Group Policy is not supported. However, you can educate users and
implement password policy settings that encourage PIN usage.

Step 3: Apply and Test the Group Policy

1. Apply the GPO:


o Ensure the GPO is linked to the appropriate Organizational Unit (OU)
containing user accounts or computers where you want the policy
applied.
2. Force Group Policy Update:
o On a client machine, open Command Prompt and run the following
command to force the policy update: gpupdate /force
3. Verify Policy Application:



o On a client machine, navigate to Settings > Accounts > Sign-in options.
Ensure that Windows Hello PIN options are available and configured
according to your policy.
4. Test PIN Authentication:
o Sign out of the machine and try to sign in using the PIN you configured.
Verify that the PIN sign-in works as expected.

Notes and Best Practices:

1. Windows Hello for Business:


o Windows Hello for Business is designed to replace passwords with more
secure authentication methods like PINs and biometrics.
2. Testing:
o Test the configuration in a lab environment before deploying it to
production. Ensure users are trained and understand the new sign-in
method.
3. Security Considerations:
o While PINs are more secure than passwords in many cases, ensure you
configure PIN complexity settings to meet your organization’s security
standards.
4. User Experience:
o Communicate changes to users and provide training or support to help
them transition smoothly to using PINs for authentication.

Conclusion:

By following these steps, you can configure Windows Hello for Business to enforce the
use of PINs for user authentication in your Windows Server environment. This setup
enhances security by utilizing modern authentication methods and reduces reliance on
traditional passwords.

¯\_(ツ)_/¯



Setting Different Wallpapers for Desktop Lock Screen Using
Group Policy

Objective: Configure separate wallpapers for the lock screen on user PCs within an
Active Directory environment. First create a shared folder that contains the background
image, as covered earlier.

1. Open Group Policy Management:

1. Access Group Policy Management:
o Open Server Manager.
o Navigate to Tools > Group Policy Management.

2. Create and Edit a New GPO:

1. Create a New GPO:
o In Group Policy Management, right-click on the appropriate domain or
Organizational Unit (OU) where you want to apply the policy.
o Select Create a GPO in this domain, and Link it here….
o Name the GPO, e.g., Lock Screen Wallpaper Policy, and click OK.
2. Edit the New GPO:
o Right-click on the newly created GPO and select Edit.

3. Configure the Lock Screen Wallpaper:

1. Navigate to Lock Screen Settings:
o In the Group Policy Management Editor, go to:
Computer Configuration > Policies > Administrative Templates > Control Panel > Personalization
2. Set the Lock Screen Wallpaper:
o Double-click Force a specific default lock screen image.
o Set the path to the lock screen wallpaper image.
o Click OK to apply the settings.

Lock Screen Wallpaper Page 1 of 2

4. Apply the GPO:

1. Link the GPO:
o Ensure the GPO is linked to the appropriate OU or domain where user
accounts are located.
2. Update Group Policy on User PCs:
o On the user PCs, run the following command to force an update of the
Group Policy: gpupdate /force

5. Verification:

1. Verify Wallpaper Settings:
o Log in to a user account on a PC where the GPO is applied.
o Check the desktop wallpaper to ensure it is set as configured.
o Lock the PC (Windows key + L) and verify that the lock screen
wallpaper is set correctly.

Notes:

 File Paths: Ensure that the file paths for both wallpapers are accessible to all
users. You may need to use a UNC path if the images are stored on a network
share.
 Image Formats: The images should be in a format supported by Windows (e.g.,
JPEG, PNG).
 Permissions: Ensure that users have appropriate permissions to read the
wallpaper files from the network share or local path.
 Testing: Always test the GPO in a controlled environment before rolling it out
to all users to ensure that the settings apply as expected.

By following these steps, you can set different wallpapers for the desktop and lock
screen for users within your Active Directory environment.

¯\_(ツ)_/¯


Creating an Active Directory (AD) System State Backup

This step-by-step guide will walk you through creating a System State Backup in an
Active Directory environment using Windows Server Backup.

Prerequisites

 You need to have Administrator rights on the Windows Server.


 Ensure you have sufficient disk space to store the backup file.
 Create a shared folder where the backup will be stored.

Step-by-Step Guide:

Step 1: Install Windows Server Backup Feature

1. Open Server Manager:


o Click on the Start Menu and open Server Manager.
2. Add Roles and Features:
o In Server Manager, click on Manage in the top-right corner, then click
Add Roles and Features.
3. Click Next through the following screens:
o Before You Begin: Click Next.
o Installation Type: Select Role-based or feature-based installation,
then click Next.
o Server Selection: Select your server from the list, then click Next.
4. Features Tab:
o In the Features tab, scroll down and check Windows Server Backup.
o Click Next, and then click Install to install the Windows Server Backup
feature.

Step 2: Create a Backup Folder

1. Create a Folder:
o Go to your C: Drive or any other preferred location.
o Create a new folder called Backup.
2. Share the Backup Folder:
o Right-click the Backup folder and select Properties.
o Go to the Sharing tab and click Advanced Sharing.

AD System State Backup Page 1 of 3


o Check Share this folder, then click Permissions.
o Set appropriate permissions (ensure at least Read/Write access for
Administrators), then click OK.
o Click Apply and OK to finish sharing the folder.
o The folder will now be accessible as a network share.

Step 3: Perform a System State Backup

1. Open Windows Server Backup:


o In the Start Menu, search for and open Windows Server Backup (or, in
Server Manager, go to Tools > Windows Server Backup).
2. Start the Backup Process:
o In Windows Server Backup, right-click Local Backup from the left-
hand pane and select Backup Once.
3. Select Backup Options:
o On the Backup Options screen, choose Different options and click
Next.
4. Select Backup Configuration:
o Choose Custom for backup configuration, and click Next.
5. Add Items for Backup:
o Click Add Items, and select System State, then click OK.
o After this, click Next.
6. Choose Backup Destination:
o On the Specify Destination Type screen, choose Remote shared folder,
and click Next.
7. Set Backup Location:
o In the Remote Folder Path, type the network path where the shared
folder is located (e.g., \\SADC01\Backup).
o Click Next to proceed.
8. Access Control:
o Choose Inherit to allow backup inheritance for file permissions, then
click Next.
9. Perform the Backup:
o Review your settings and click Backup to start the process.
o Wait for the backup to complete. This might take some time depending
on the size of the system state.

Step 4: Verify the Backup

1. Access the Shared Folder:
o Once the backup is complete, go to File Explorer and navigate to the
shared folder you created (\\SADC01\Backup).
o You should see the backup files stored in this folder.

Additional Notes:

• Scheduled Backups: In a production environment, it is highly recommended to
set up scheduled backups to ensure regular system state backups. To set up a
scheduled backup, choose the Backup Schedule option in Windows Server
Backup.
• Restoration: In the event of an issue, you can use these backup files to restore
the Active Directory system state.
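As an added example (not part of the original guide and not Microsoft's own documentation), the four steps above plus the scheduled-backup note, written as one PowerShell script. It assumes it runs in an elevated session on the domain controller itself (the guide's SADC01, so the computed share path is \\SADC01\Backup), that the WindowsServerBackup module is installed with the feature, and that the folder name and share name are the guide's Backup. The NTFS lockdown in New-BackupShare goes beyond the guide: a system state backup contains the NTDS database, so the folder is restricted to SYSTEM and Administrators rather than relying on the defaults.

```powershell
# Added example: Windows Server Backup system state backup as a script.
# Assumptions: elevated session on the DC (SADC01 in the guide), share \\SADC01\Backup.

#Requires -RunAsAdministrator
Import-Module ServerManager

$BackupDir = 'C:\Backup'
$ShareName = 'Backup'
$ShareUnc  = "\\$env:COMPUTERNAME\$ShareName"   # \\SADC01\Backup when run on SADC01

# Step 1: install the Windows Server Backup feature (safe to re-run).
function Install-WsbFeature {
    $feature = Get-WindowsFeature -Name Windows-Server-Backup
    if (-not $feature.Installed) {
        Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
    }
    Import-Module WindowsServerBackup
}

# Step 2: create the folder and share it. Share permission: Administrators only.
# NTFS permission (addition to the guide): the backup holds NTDS.dit, so stop
# inheritance and allow only SYSTEM and Administrators.
function New-BackupShare {
    if (-not (Test-Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $BackupDir -FullAccess 'BUILTIN\Administrators' | Out-Null
    }
    $acl = Get-Acl -Path $BackupDir
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $BackupDir -AclObject $acl
}

# Step 3: the "Backup Once" wizard: Custom configuration, System State item,
# Remote shared folder destination, "Inherit" access control (no -NonInheritAcl).
function Start-SystemStateBackupOnce {
    $policy = New-WBPolicy
    Add-WBSystemState -Policy $policy
    $target = New-WBBackupTarget -NetworkPath $ShareUnc
    Add-WBBackupTarget -Policy $policy -Target $target
    Start-WBBackup -Policy $policy
}

# Additional note: the "Backup Schedule" option, a daily system state backup.
function Set-SystemStateBackupSchedule {
    param([string]$Time = '21:00')
    $policy = New-WBPolicy
    Add-WBSystemState -Policy $policy
    Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -NetworkPath $ShareUnc)
    Set-WBSchedule -Policy $policy -Schedule $Time
    Set-WBPolicy -Policy $policy -Force
}

# Step 4: verify. Besides looking at the share, ask Windows Server Backup which
# backup versions it knows about (these are the identifiers wbadmin uses later).
function Get-BackupVersions {
    Get-WBBackupSet | Select-Object VersionId, BackupTime, BackupTarget
}

Install-WsbFeature
New-BackupShare
Start-SystemStateBackupOnce
Get-BackupVersions
```

Run Set-SystemStateBackupSchedule once in place of the one-off backup when you want the scheduled variant; Get-BackupVersions is the check that the backup actually registered, which is more reliable than seeing files appear in the share.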

This documentation should help you set up and configure a System State Backup for an
Active Directory environment.

¯\_(ツ)_/¯

Restoring an Active Directory (AD) Organizational Unit Using
System State Backup

This guide will walk you through the process of deleting an Organizational Unit (OU)
in Active Directory and then restoring it using a System State Backup. This method
helps recover lost AD objects like users, groups, or computers if accidental deletion
occurs.

Prerequisites

• Windows Server Backup must already be installed, and a recent System State
Backup should be available. (See the previous documentation for more details
on how to create a backup.)
• Administrative access to the server.
• A good understanding of the impact of deleting OUs.

Step-by-Step Guide

Part 1: Deleting an Organizational Unit in Active Directory

1. Open Active Directory Users and Computers (ADUC):
o Press Start, search for Active Directory Users and Computers, and
open it.
2. Enable Advanced Features:
o In ADUC, click on View in the top menu and check Advanced
Features. This enables you to modify object settings that are normally
hidden.
3. Remove Accidental Deletion Protection:
o Navigate to the OU you want to delete.
o Right-click the OU, select Properties, and go to the Object tab.
o Uncheck Protect object from accidental deletion and click OK.
o Repeat this for any sub-OUs if applicable.
4. Delete the Organizational Unit:
o Right-click the OU you want to delete and select Delete.
o Confirm the deletion, and if prompted, select Use Subtree Server
Control to remove everything inside the OU.

Restoring System State Backup Page 1 of 4


Note: This action deletes all objects (users, computers, groups, etc.) within the OU.
This might cause login issues for users, so ensure you have a backup before proceeding.
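As an added example (not from the original guide), Part 1 in PowerShell, together with a check the guide does not include: a report of every OU whose accidental-deletion protection is switched off, and a function to re-enable it. It assumes the ActiveDirectory RSAT module is available on the server and uses the hypothetical OU OU=LabTest,DC=example,DC=com as the lab target.

```powershell
# Added example: OU deletion-protection audit plus the guide's Part 1 lab step.
# Assumptions: ActiveDirectory module present; OU=LabTest,DC=example,DC=com is a
# hypothetical lab OU, not a name from the guide.

Import-Module ActiveDirectory

# Report every OU whose "Protect object from accidental deletion" box is unchecked.
# The protection is a Deny ACE for Everyone on Delete and Delete Subtree; a
# restored OU keeps whatever state the backup had, so re-run this after a restore.
function Get-UnprotectedOU {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName
}

# Turn protection back on for every OU the report lists.
function Protect-AllOU {
    Get-UnprotectedOU | ForEach-Object {
        Set-ADOrganizationalUnit -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $true
    }
}

# Lab step (Part 1, steps 3 and 4): unprotect the OU and its sub-OUs, then
# delete the subtree. -Confirm stays on so the operator still gets the prompt
# that ADUC shows. Protected leaf objects (users, computers) inside the OU also
# block -Recursive; unprotect those the same way with Set-ADObject if needed.
function Remove-LabOU {
    param([Parameter(Mandatory)][string]$OuDN)

    # Step 3: the target OU and every OU below it (SearchScope Subtree).
    Get-ADOrganizationalUnit -SearchBase $OuDN -SearchScope Subtree -Filter * |
        Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false

    # Step 4: -Recursive is the cmdlet equivalent of "Use Subtree Server Control".
    Remove-ADOrganizationalUnit -Identity $OuDN -Recursive -Confirm:$true
}

# Usage in the lab:
# Get-UnprotectedOU                                  # which OUs are already unprotected?
# Remove-LabOU -OuDN 'OU=LabTest,DC=example,DC=com'  # the guide's deletion step
# Protect-AllOU                                      # after the restore in Part 2
```

Get-UnprotectedOU is the part worth keeping around after the lab: an OU that was restored from backup, or created by a script that forgot the flag, shows up here before it gets deleted by accident.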

Part 2: Restoring the Deleted Organizational Unit Using System State Backup

Step 1: Boot into Directory Services Restore Mode (DSRM)

1. Reboot the Server:
o You have two options to boot into Directory Services Restore Mode
(DSRM):
• Option 1: Using F8 Key:
  - Restart the server and press F8 repeatedly during startup
  to open the Advanced Boot Options.
  - Select Directory Services Restore Mode and press Enter.
• Option 2: Using System Configuration (msconfig):
  - Press Start, type msconfig, and press Enter.
  - Go to the Boot tab, check Safe Boot, select Active
  Directory repair, and click OK.
  - Click Restart when prompted to reboot into DSRM.
2. Log into DSRM:
o At the login screen, you must log in using the local Administrator
account.
o Enter .\Administrator and your local admin password (not your
domain admin credentials).

Step 2: Restore the System State Backup

1. Open Command Prompt:
o Press Start, go to Windows System, and select Command Prompt.
2. List Available Backups:
o In Command Prompt, type the following to list available backups:

wbadmin get versions

o Wait for the list of backups to appear. Note the Version identifier of
the backup you want to restore (e.g., the backup taken on March 31, 2024).

3. Start the System State Recovery:
o Use the following command to start the system state recovery:

wbadmin start systemstaterecovery -version:<version-identifier> -authsysvol

Replace <version-identifier> with the backup version you selected.

The -authsysvol option ensures that the SYSVOL folder on this server
becomes authoritative if multiple domain controllers exist.

4. Confirm the Recovery:
o When prompted, press Y (Yes) to start the recovery.
o You may receive warnings about losing network connectivity and
replication issues. Press Y to confirm and continue.
o The recovery process will take some time, depending on the size of your
Active Directory.

Step 3: Restart the Server

1. Completion of System State Recovery:
o Once the recovery is complete, the Command Prompt will display a
message that the recovery finished successfully. You will also see log
entries under Windows Logs > Windows Server Backup.
2. Undo Safe Boot (if you used msconfig):
o If you used msconfig to boot into DSRM, open msconfig again, go to
the Boot tab, uncheck Safe Boot, and click OK.
3. Restart the Server:
o Reboot the server to apply the changes and return to normal operating
mode.
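As an added example (not from the original guide), Part 2 as PowerShell functions: a scriptable way into and out of DSRM with bcdedit instead of F8 or msconfig, a parser for the wbadmin get versions output so the version identifier is picked programmatically, the recovery command with the guide's -authsysvol, and a verification function for Part 3. It assumes the guide's share \\SADC01\Backup, an elevated session on the domain controller, and the hypothetical OU OU=LabTest,DC=example,DC=com. The ntdsutil function is not in the guide: wbadmin restores the AD database non-authoritatively, so on a domain with more than one domain controller the restored OU is overwritten by replication after the reboot unless the subtree is marked authoritative while still in DSRM.

```powershell
# Added example: DSRM boot, wbadmin recovery and verification as functions.
# Assumptions: share \\SADC01\Backup (the guide's path), elevated session on the DC,
# OU=LabTest,DC=example,DC=com is a hypothetical lab OU.

$BackupUnc = '\\SADC01\Backup'

# Alternative to F8 / msconfig: flag the next boot as DSRM ("Active Directory
# repair" in msconfig is the same safeboot value). Disable-DsrmBoot is step 3.2.
function Enable-DsrmBoot  { bcdedit /set '{current}' safeboot dsrepair | Out-Null }
function Disable-DsrmBoot { bcdedit /deletevalue '{current}' safeboot | Out-Null }

# Step 2.2: turn the text of "wbadmin get versions" into objects. Matches the
# English output lines "Backup time:" and "Version identifier:".
function Get-WbadminVersion {
    $lines = wbadmin get versions "-backupTarget:$BackupUnc"
    $current = @{}
    foreach ($line in $lines) {
        if ($line -match '^Backup time:\s*(.+)$') {
            $current = @{ BackupTime = $matches[1].Trim() }
        }
        elseif ($line -match '^Version identifier:\s*(.+)$') {
            $current.VersionId = $matches[1].Trim()
            [pscustomobject]$current
        }
    }
}

# Step 2.3: start recovery; defaults to the newest version listed.
# -authsysvol: SYSVOL on this DC becomes authoritative (as in the guide).
# -quiet: answers the Y/N prompts of step 2.4 for unattended runs.
function Start-SystemStateRecovery {
    param([string]$VersionId = (Get-WbadminVersion | Select-Object -Last 1).VersionId)
    wbadmin start systemstaterecovery "-version:$VersionId" "-backupTarget:$BackupUnc" -authsysvol -quiet
}

# Not in the guide: after wbadmin finishes and BEFORE the normal reboot, mark
# the restored OU authoritative so other DCs do not replicate the deletion back.
function Set-AuthoritativeSubtree {
    param([Parameter(Mandatory)][string]$OuDN)
    ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $OuDN" quit quit
}

# Part 3: run in normal mode. Reports whether the OU is back, how many objects
# it contains, and whether the DSRM safeboot flag is still set.
function Test-OuRestored {
    param([Parameter(Mandatory)][string]$OuDN)
    Import-Module ActiveDirectory
    $ou = Get-ADOrganizationalUnit -Identity $OuDN -ErrorAction SilentlyContinue
    $children = 0
    if ($ou) {
        # Get-ADObject with a SearchBase also returns the base object itself.
        $children = (Get-ADObject -SearchBase $OuDN -Filter * | Measure-Object).Count - 1
    }
    [pscustomobject]@{
        OuPresent = [bool]$ou
        Children  = $children
        SafeBoot  = [bool]((bcdedit /enum '{current}') -match 'safeboot')
    }
}

# Sequence in the lab (each line at the matching stage, not all at once):
# Enable-DsrmBoot; Restart-Computer                       # step 1, then log in as .\Administrator
# Get-WbadminVersion                                      # step 2.2
# Start-SystemStateRecovery                               # steps 2.3 and 2.4
# Set-AuthoritativeSubtree 'OU=LabTest,DC=example,DC=com' # only needed with more than one DC
# Disable-DsrmBoot; Restart-Computer                      # step 3
# Test-OuRestored 'OU=LabTest,DC=example,DC=com'          # Part 3
```

The SafeBoot field in Test-OuRestored catches the mistake the guide warns about in step 3.2: a domain controller left with the safeboot flag set keeps coming up in DSRM, where domain logons are not possible.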

Part 3: Verify the Restoration

1. Log into the Server:
o After the server restarts, log in using your domain administrator
account.
2. Check Active Directory:
o Open Active Directory Users and Computers.

o Expand the domain structure and check if the deleted OU and its
objects (users, computers, etc.) have been restored.

Important Notes:

• Scheduled Backups: Always schedule regular backups of your AD system
state to avoid potential loss of critical data.
• Network Considerations: If the AD infrastructure spans multiple sites or
domain controllers, replication might take time, and heavy network traffic can
be expected after the restoration.
• Test Environment: Always test backup and recovery processes in a lab
environment before applying them in production.

This concludes the documentation for restoring an OU using System State Backup in
Active Directory. If further issues arise, please consult your network administrator or
support team.

¯\_(ツ)_/¯
