Lab – 1

Active Directory Installation

Install Active Directory rule and promote the server to Domain Controller.

1. Click the Server Manager to open it.

Server Manager
2. Here you see the Server manager dashboard. Now go to Manage tab and click Add
Roles and Features.

Add Roles and Features Wizard

3. Just click Next in Add Roles and Features Wizard page.

Active Directory
Installation Type
4. Let the default Role based or feature base installation has selected and click Next.
Active Directory Destination Server
5. In the Select destination server page, select the server you want to install AD and
click Next.
Active Directory Server Roles
6. Now select the Active Directory Domain Services from Roles list in order to install it.
When prompt to add the required features for Active Directory Domain Services within
a new window, click Add Features.
Active Directory Domain Services
7. Now the Active Directory Domain Services has been selected and ready to install. Just
click Next.
Windows Server 2012 R2 Features
8. Leave the Windows Features page by default and click Next.
AD DS Information
9. Now, you may need to read some information about Active Director domain service. In
this page read once and click Next.
Confirm Installation of AD DS
10. In the Confirm Installation selections page click Install to begin installation of AD DS.
Active Directory Installation Progress
Be patient, the installation process will take a few minutes to complete.

#2. Promote Server to Domain Controller

1. When the AD DS installation has complete. click the Promote this server to a domain
controller.
Promote this server to a domain controller
2. The Active directory Deployment Configuration page will open.
Active Directory Deployment Configuration
3. In this window select add a new forest and type your domain name in the Root domain
name field then click Next. I have chose the domain name Technig.local.
Domain Controller Options
4. Leave the Domain Controller Options by default, just type and password for Directory
services restore mode (DRSM) password and click Next.
DNS Options
5. Ignore the delegation for DNS server warning and click Next.
Additional Options
6. On the Additional Options, system will create a NetBIOS name according to your
domain name. In this window do nothing and click Next.
Active Directory Installation Paths
7. You can change the default directories for Database folder, Log files, and SYSVOL folder,
but in test lab leave it by default and click Next.
Active Directory Review Options
8. Finally on the Review Options page once check and review all option to insure and
click Next.
Prerequisites Check
9. Once the system has checked prerequisites features for Active Directory, click Install and
ignore the DNS delegation warning again.

System will restart automatically when the installation has complete successfully.
Installed Server Roles
You will see the installed roles from Tools tab of Server Manager dashboard

Lab:2 Create Objects in Active Directory

There are many ways to open the Active Directory Users and Computers for create object.
But the simple and easy is to type dsa.msc an press enter in Windows Run. (Windows+R)
Active Directory Users and Computers
You see the Active Directory Users and Computers graphical interface. If you don’t know
how to install AD in Windows Server 2012 R2, read the step by step installation and
configuration here.

1.  Let’s create our first object Organizational Unit (OU) the container of objects in Active
Directory.

Create Organizational Unit

To create an OU, right click the domain name then New and click Organizational Unit.
Create Objects
Type the name of organizational unit and click OK to create the OU. Here I have
create Marketing Team.

You can create Organizational Unit as much as you need in your Network.

2. So try to create User object in Marketing Team. Just click the icon’s of User or right
click domain name then New and click User.
Create User in Active Directory
In the New Object User window, fill out the form with User information
like First name, Last name, and User Logon name then click Next.

Set Password for User in

Active Directory
Set a password for new user and select user must change password at next logon then
click Next.
 User Information
Just check to insure that everything is correct and click Finish.  Now you must see the user
in marketing team OU.

3. Now the last one is Creating a Group.

Create Group Object in Active Directory

Click the group icon and fill out the group form with correct information. Leave the group
scope and group type by default and click OK.

Created Objects in Active Directory

There are all created objects, OU=Marketing Team, User=Ali Sina, and Group=Marketing
Group in the Active Directory.

Lab:3

Create User Account Using PowerShell

Create User Account using PowerShell

In Windows Server run PowerShell and import Active Directory module or run Active
directory module for Windows PowerShell from Tools in Server manager dashboard.

Active
Directory Module for Windows PowerShell

Type ‘Import-Module activedirectory’ and press enter to import the AD PowerShell

module. This action will load all Active Directory commands for using in the current
PowerShell window.
Import Active Directory module

If you close the current PowerShell window, the Active Directory module will also exit and
unload from PowerShell.

Type Get-Module and press enter to insure that module loaded successfully.

Loaded modules

To see and list all active directory commands (CmdLet), just type ‘Get-Command -Module
activedirectory’ and press enter then once explore all commands.
Active Directory PowerShell Commands

We need to create User Account with New-ADUser command. Type the below command

and press enter.

PS C:\> New-ADUser -Name “Mehdi Hussaini” -GivenName Mehdi -Surname Hussaini

-SamAccountName Mehdi -UserPrincipalName Mehdi@technig.local
-AccountPassword (ConvertTo-SecureString -AsPlainText “PassW0rD” -Force )
-Enabled $true -ChangePasswordAtLogon $true

New-ADUser Command

To get help for a command type ‘Get-Help New-ADUser -full’ or –example.  The –

full option will show you by details but the –example just show some examples for
command.
To see if the user (Hehdi) has created or not, simply type ‘Get-ADUser -Identity
Mehdi’ and press enter.

Get-ADUser Command

For getting full information about a user, type ‘Get-ADUser -Identity -Properties *’ then
press enter.

That’s all, simple and easy. But it’s better to know the below Active Directory CmdLets
for managing user account also.

1. To enable an Account type: ‘Enable-ADAccount -Identity mehdi’. This will enable the

disabled user account immediately.

2. Disable an Account: ‘Disable-ADAccount -Identity Mehdi’

Disable User Account with PowerShell

3. Reset the password of an account.

PS C:\> Set-ADAccountPassword -Identity mehdi -Reset
Please enter the desired password for ‘CN=Mehdi
Hussaini,CN=Users,DC=Technig,DC=local’
Password: ********
Repeat Password: ********
PS C:\>

Modify User Account with PowerShell

4. Remove a User Account: ‘Remove-ADUser -Identity Mehdi’

Delete User Account with PowerShell

OK. Now you can create, modify, enable, disable, and delete a user account from active
directory with Windows PowerShell within Windows Servers. Hope you enjoy to create user
account using PowerShell

Group policy

1. Moderating Access to Control Panel

Setting limits on a computers’ Control Panel creates a safer business environment.

Through Control Panel, you can control all aspects of your computer. So, by

moderating who has access to the computer, you can keep data and other

resources safe. Perform the following steps:

1. In Group Policy Management Editor (opened for a user-created GPO), navigate
to “User Configuration” “Administrative Templates” “Control Panel”.
2. In the right pane, double-click “Prohibit access to Control Panel and PC settings”
policy in to open its properties.
3. Select “Enabled” from the three options.
4. Click “Apply” and “OK”.

2. Prevent Windows from Storing LAN Manager Hash

Windows generates and stores user account passwords in “hashes.” Windows

generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash)

of passwords. It stores them in the local Security Accounts Manager (SAM) database

or Active Directory.

The LM hash is weak and prone to hacking. Therefore, you should prevent Windows

from storing an LM hash of your passwords. Perform the following steps to do so:
1. In Group Policy Management Editor window (opened for a custom GPO),
go to “Computer Configuration” “Windows Settings” “Security Settings”
“Local Policies” “Security Options”.
2. In the right pane, double-click “Network security: Do not store LAN
Manager hash value on next password change” policy.
3. Select “Define this policy setting” checkbox and click “Enabled.
4. Click “Apply” and “OK”.

3. Control Access to Command Prompt

Command Prompts can be used to run commands that give high-level access to

users and evade other restrictions on the system. So, to ensure system resources’

security, it’s wise to disable Command Prompt.

After you have disabled Command Prompt and someone tries to open a command

window, the system will display a message stating that some settings are

preventing this action. Perform the following steps:

1. In the window of Group Policy Management Editor (opened for a custom
GPO), go to “User Configuration” “Windows Settings” “Policies”
“Administrative Templates” “System”.
2. In the right pane, double-click “Prevent access to the command prompt”
policy.
3. Click “Enabled” to apply the policy.
4. Click “Apply” and “OK”.

4. Disable Forced System Restarts

Forced system restarts are common. For example, you may face a situation where

you were working on your computer and Windows displays a message stating that

your system needs to restart because of a security update.

In many cases, if you fail to notice the message or take some time to respond, the

computer restarts automatically, and you lose important, unsaved work. To disable

forced restart through GPO, perform the following steps:

1. In “Group Policy Management Editor” window (opened for a custom
GPO), go to “Computer Configuration” “Administrative Templates”
“Windows Component” “Windows Update”.
2. In the right pane, double-click “No auto-restart with logged on users for
scheduled automatic updates installations” policy.
3. Click “Enabled” to enable the policy.
4. Click “Apply” and “OK”.

5. Disallow Removable Media Drives, DVDs, CDs, and

Floppy Drives
Removable media drives are very prone to infection, and they may also contain a

virus or malware. If a user plugs an infected drive to a network computer, it can

affect the entire network. Similarly, DVDs, CDs and Floppy Drives are prone to

infection.

It is therefore best to disable all these drives entirely. Perform the following steps to

do so:
1. In Group Policy Management Editor window (opened for a custom GPO),
go to “User Configuration” “Policies” “Administrative Templates” “System”
“Removable Storage Access”.
2. In the right pane, double-click “All removable storage classes: Deny all
accesses” policy
3. Click “Enabled” to enable the policy.
4. Click “Apply” and “OK”.

6. Restrict Software Installations

When you give users the freedom to install software, they may install unwanted

apps that compromise your system. System admins will usually have to routinely do

maintenance and cleaning of such systems. To be on the safe side, it’s advisable to

prevent software installations through Group Policy:

1. In Group Policy Management Editor (opened for a custom GPO), go to
“Computer Configuration” “Administrative Templates” “Windows
Component” “Windows Installer”.
2. In the right pane, double-click “Prohibit User Install” policy.
3. Click “Enabled” to enable the policy
4. Click “Apply” and “OK”.

7. Disable Guest Account

Through a Guest Account, users can get access to sensitive data. Such accounts

grant access to a Windows computer and do not require a password. Enabling this

account means anyone can misuse and abuse access to your systems.

Thankfully, these accounts are disabled by default. It’s best to check that this is the

case in your IT environment as, if this account is enabled in your domain, disabling

it will prevent people from abusing access:

1. In Group Policy Management Editor (opened for a custom GPO), go to
“Computer Configuration” “Windows Settings” “Security Settings” “Local
Policies” “Security Options”.
2. In the right pane, double-click “Accounts: Guest Account Status” policy.
3. Select “Define this policy setting” checkbox and click “Disabled”.
4. Click “Apply” and “OK”.

8. Set Minimum Password Length to Higher Limits

Set the minimum password length to higher limits. For example, for elevated

accounts, passwords should be set to at least 15 characters, and for regular

accounts at least 12 characters. Setting a lower value for minimum password length
creates unnecessary risk. The default setting is “zero” characters, so you will have to

specify a number:
1. In Group Policy Management Editor window (opened for a custom GPO),
go to “Computer Configuration” “Windows Settings” “Security Settings”
“Account Policies” “Password Policy”.
2. In the right pane, double-click “Minimum password length” policy, select
“Define this policy setting” checkbox.
3. Specify a value for the password length.
4. Click “Apply” and “OK”.

9. Set Maximum Password Age to Lower Limits

If you set the password expiration age to a lengthy period of time, users will not

have to change it very frequently, which means it’s more likely a password could get

stolen. Shorter password expiration periods are always preferred.

Windows’ default maximum password age is set to 42 days. The following

screenshot shows the policy setting used for configuring “Maximum Password Age”.

Perform the following steps:

1. In Group Policy Management Editor window (opened for a custom GPO),
go to “Computer Configuration” “Windows Settings” “Security Settings”
“Account Policies” “Password Policy”.
2. In the right pane, double-click “Maximum password age” policy.
3. Select “Define this policy setting” checkbox and specify a value.
4. Click “Apply” and “OK”.

Figure 9: Configuring maximum password age policy setting

10. Disable Anonymous SID Enumeration

Active Directory assigns a unique number to all security objects in Active Directory;

including Users, Groups and others, called Security Identifiers (SID) numbers. In

older Windows versions, users could query the SIDs to identify important users and

groups. This provision can be exploited by hackers to get unauthorized access to

data. By default, this setting is disabled, ensure that it remains that way. Perform

the following steps:

1. In Group Policy Management Editor window, go to “Computer
Configuration” “Policies” “Windows Settings” “Security Settings” “Local
Policies” “Security Options”.
2. In the right pane, double-click “Network Access: Do not allow anonymous
enumeration of SAM accounts and shares” policy setting.
3. Choose ‘Enabled’ and then click ‘Apply’ and ‘OK’ to save your settings.

If you get these Group Policy settings correct, your organization’s security will

automatically be in a better state. Please make sure to apply the modified Group

Policy Object to everyone and update the Group Policies to reflect them on all

domain controllers in your environment.