In today's lab I'll take a look at some basic functions of Windows Active Directory on my home lab server. We'll be doing some basic work to simulate a real office environment, including adding new users and organizational units, creating a shared folder for file storage, and implementing some Group Policy restrictions to secure our devices. This lab builds on my previous setup of Active Directory on my virtual machines, and I'll provide a link to my setup guide below if you'd like to try this lab or something similar at home. Let's get started!

Adding new Users, Creating Organizational Units

We'll begin today's project by creating some new users and organizational units for the members of the office. To do this we'll need to open the Windows Server virtual machine and open the Active Directory Users and Computers console.

Organizational Units are containers used to organize users, groups and computers; they are also the unit you delegate administration to and link Group Policy to. Groups in AD are used to grant permissions and access rights to a set of users (or computers), for example on a shared folder. The two are not alternatives: an OU says where an object lives, a group says what it can access, and most environments use both. Together they keep your AD user base organized and efficient.

For this lab environment we will use Organizational Units, as there are other projects this will align with. To create the Organizational Units, open the Homelab.local domain node in Active Directory Users and Computers, right-click it, find the New option, and then select Organizational Unit.

For my lab, I created 3 separate OUs for the IT, HR and Sales teams. Inside each OU, I made a separate OU specifically for user accounts. Please note, every user needs basic information such as name, email and password. For my lab I used generic names and the names of some of my favorite artists, and made a note of the passwords used for later use. Two habits worth keeping even in a lab: give each account its own initial password rather than a shared one, and tick "User must change password at next logon" so the value you wrote down stops working after first use. After this setup was completed, I made 3 users in both the Sales and HR teams, giving myself a roster of users to manage on my domain.
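The same OU layout, a security group per department, and the user roster, done from PowerShell with the ActiveDirectory module. This is an added example and not code from the original post; it assumes the domain is Homelab.local (NetBIOS name HOMELAB), that it runs in an elevated PowerShell on the domain controller as a Domain Admin, and the names in $roster and the G-<Dept> group naming scheme are constructed for the lab.

```powershell
# Added example, not from the original post: build the lab OU layout, a security
# group per department, and the user roster with the ActiveDirectory module.
# Assumptions: domain Homelab.local (NetBIOS HOMELAB), run in an elevated
# PowerShell on the domain controller as a Domain Admin. The names in $roster
# and the group naming scheme G-<Dept> are constructed for this lab.
Import-Module ActiveDirectory

$domainDN    = 'DC=Homelab,DC=local'
$upnSuffix   = 'homelab.local'
$departments = 'IT', 'HR', 'Sales'

function New-InitialPassword {
    # 16 characters with at least one from each class, so the default domain
    # complexity policy is always satisfied; ambiguous glyphs (O/0, l/1) left out.
    $classes = @([char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
                 [char[]]'abcdefghijkmnpqrstuvwxyz',
                 [char[]]'23456789',
                 [char[]]'!@#$%^&*')
    $chars = foreach ($c in $classes) { $c | Get-Random }
    $pool  = $classes | ForEach-Object { $_ }
    $chars += $pool | Get-Random -Count 12
    -join ($chars | Sort-Object { Get-Random })
}

foreach ($dept in $departments) {
    $deptOU  = "OU=$dept,$domainDN"
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$dept'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $dept -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Users'" -SearchBase $deptOU -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name 'Users' -Path $deptOU -ProtectedFromAccidentalDeletion $true
    }
    # One global security group per department: shares and GPO security filtering
    # should reference the group, not individual accounts.
    if (-not (Get-ADGroup -Filter "Name -eq 'G-$dept'")) {
        New-ADGroup -Name "G-$dept" -GroupScope Global -GroupCategory Security -Path $deptOU
    }
}

# Constructed roster: three HR and three Sales users, as in the lab
$roster = @(
    @{ Dept = 'HR';    First = 'Alice'; Last = 'Coltrane'   },
    @{ Dept = 'HR';    First = 'Nina';  Last = 'Simone'     },
    @{ Dept = 'HR';    First = 'Miles'; Last = 'Davis'      },
    @{ Dept = 'Sales'; First = 'Ella';  Last = 'Fitzgerald' },
    @{ Dept = 'Sales'; First = 'Duke';  Last = 'Ellington'  },
    @{ Dept = 'Sales'; First = 'Sarah'; Last = 'Vaughan'    }
)

foreach ($u in $roster) {
    $sam = ($u.First.Substring(0, 1) + $u.Last).ToLower()
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { continue }   # idempotent re-runs
    $initial = New-InitialPassword
    New-ADUser -Name "$($u.First) $($u.Last)" -GivenName $u.First -Surname $u.Last `
        -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" -EmailAddress "$sam@$upnSuffix" `
        -Path "OU=Users,OU=$($u.Dept),$domainDN" `
        -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity "G-$($u.Dept)" -Members $sam
    # Hand the one-time password over out of band; it is invalid after first logon.
    '{0,-14} {1}' -f $sam, $initial
}
```

The script is safe to run twice: existing OUs, groups and users are skipped. The printed username/password pairs are the only copy of the initial passwords, and because ChangePasswordAtLogon is set they are useless once each user has logged on.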

We now have 6 new users on our domain, along with the original user account I made for myself in the previous setup lab. Now we can begin implementing some more advanced features for our users!

Creating a Shared Folder

A shared folder is a directory whose files are accessible to users across a network or domain. Shared folders are crucial in a lot of office environments, as multiple users will need access to the same files. Let's implement a shared folder on our Windows Server AD home lab!

To create a shared folder, we'll first open our Windows Server VM and File Explorer. Next we can create the folder just as you normally would on a desktop. For this lab, I'll add a folder that the Sales team can use for documenting sales numbers. I created a folder on the C: drive of the server, and inside placed a blank text document for the Sales team.

Next we need to make the folder a shared folder so my Sales agents can access the files from their desktops. To do this, right-click the folder and click Properties, go to the Sharing tab and click Share..., and the Network access window opens. This is where we add the users or groups that can access the shared folder. For my lab I typed in the names of all the fictitious Sales employees and added them, setting the permission level for each to Read/Write. If you had created a Sales security group, you could add the group instead, which is the better practice: membership changes are then handled in Active Directory rather than on every share, and it keeps the two permission layers involved short and auditable. Those two layers are the share permissions and the NTFS permissions on the folder itself; the Share... wizard sets both for you, and a user's effective access is whichever of the two is more restrictive. This way, Sales employees can access and edit the sales records from their desktop devices.

After this, an important step is checking our Network Discovery and File Sharing settings, as these can prevent our shared folder from being reachable on the domain. To do this we can open Control Panel on the server and navigate to the Network and Sharing Center. Click Advanced sharing settings and we should see some options. We need to ensure that Network Discovery and File and Printer Sharing are turned on for the Domain (or Private) profile, and leave them off for Guest/Public networks. Save the changes and our shared folder is ready for access! Note, sometimes these options need to be enabled on the desktop as well, and the instructions are the same there.

A step that often gets added here, and should not be, is installing SMB 1.0. On Windows Server 2016 and later (and on Windows 10 clients) file sharing runs over SMB 2 and 3 out of the box, and the SMB 1.0/CIFS File Sharing Support feature is disabled or absent by default for a reason: SMB 1.0 has no pre-authentication integrity, no encryption, and was the protocol exploited by EternalBlue and WannaCry. If you open Server Manager, go to the Manage tab, select Add Roles and Features and continue to the Features page, you will find SMB 1.0/CIFS File Sharing Support listed; leave it unchecked. If a share only became reachable after enabling it, the real cause was almost always name resolution, the File and Printer Sharing firewall rules, or the Network Discovery settings from the previous step, and SMB 1.0 should be removed again. What is worth checking on the server is that the Server (LanmanServer) service is running, that the File and Printer Sharing rules are allowed for the Domain profile in Windows Defender Firewall, and that the server reports SMB 1.0 as disabled.
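The server side of this procedure in PowerShell: the folder, an NTFS ACL and a share ACL granted to the Sales security group rather than to individual users, and a check that the server is not offering SMB 1.0 and requires signing. This is an added example and not code from the original post; it assumes the group HOMELAB\G-Sales exists, the folder path C:\Shares\SalesDept and share name SalesDept are constructed, and it runs elevated on a Windows Server 2016 or later file server.

```powershell
# Added example, not from the original post: create the SalesDept share with
# separate NTFS and share permissions granted to the Sales security group, and
# verify that SMB 1.0 is off and signing is required on the server.
# Assumptions: group HOMELAB\G-Sales exists; folder C:\Shares\SalesDept and share
# name SalesDept are constructed; run elevated on the file server
# (Windows Server 2016 or later).
$path  = 'C:\Shares\SalesDept'
$share = 'SalesDept'
$group = 'HOMELAB\G-Sales'

New-Item -ItemType Directory -Path $path -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $path 'SalesNumbers.txt') -Force | Out-Null

# NTFS ACL: stop inheriting from C:\ (which grants BUILTIN\Users read), then allow
# exactly the principals we want. Modify = read/write without changing permissions.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
$grants = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $group;                   Rights = 'Modify' }
)
foreach ($g in $grants) {
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $g.Id, $g.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl

# Share ACL: only the group, with Change (read/write). Everyone is not on the list,
# and access-based enumeration hides entries a user cannot open anyway.
if (Get-SmbShare -Name $share -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name $share -Force
}
New-SmbShare -Name $share -Path $path -ChangeAccess $group -FolderEnumerationMode AccessBased | Out-Null

# Protocol hygiene: SMB1 must be off (no pre-auth integrity; the EternalBlue
# vector), and signing required so sessions cannot be relayed or tampered with.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
    Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null   # may require a reboot
}
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# Review the result
Get-SmbShareAccess -Name $share
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature, EncryptData
```

The Share... wizard in the GUI does roughly the first half of this for you, but it leaves the inherited BUILTIN\Users read entry from C:\ in place, which is why breaking inheritance explicitly matters when the folder sits on the system drive.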

To test this shared folder, we can open the Windows desktop VM and log in as a Sales employee. Next we'll need to reach our shared folder. Open File Explorer and go to the Network tab. It may be completely empty, which is fine: click the address bar and type the UNC path of the share, which is two backslashes, the server name or IP address, a backslash, and the share name (for example \\192.168.1.1\SalesDept, with your own server address and share name). Prefer the server name over the IP address: connecting by name lets the client obtain a Kerberos service ticket for the file server, while connecting by IP address generally falls back to NTLM. After entering the correct path we should have access to the folder and the text file!
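The same test from the desktop VM, as an added example that is not part of the original post. It checks read and write access as the logged-on user and then shows what the connection actually negotiated. It assumes the server's hostname is DC01 and the share is SalesDept (both constructed), and it should be run while logged on as a Sales user.

```powershell
# Added example, not from the original post: exercise the share from the desktop
# VM while logged on as a Sales user and confirm what the connection negotiated.
# Assumptions: the server's hostname is DC01 and the share is SalesDept; both are
# constructed. Use the hostname rather than the IP so the client gets a Kerberos
# ticket for cifs/DC01 instead of falling back to NTLM.
$server = 'DC01'
$unc    = "\\$server\SalesDept"

function Test-ShareReadWrite {
    param([string]$Path)
    $result = [ordered]@{ Path = $Path; Read = $false; Write = $false; Error = $null }
    try {
        Get-ChildItem -Path $Path -ErrorAction Stop | Out-Null          # list/read
        $result.Read = $true
        $probe = Join-Path $Path "probe-$env:USERNAME.txt"
        "written by $env:USERNAME at $(Get-Date -Format o)" | Set-Content -Path $probe -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction Stop
        $result.Write = $true
    } catch {
        # Access denied here is the expected outcome for a non-Sales user
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

Test-ShareReadWrite -Path $unc

# Dialect should be 3.x; 2.x is acceptable, 1.x means SMB1 is still enabled somewhere.
Get-SmbConnection -ServerName $server |
    Select-Object ServerName, ShareName, Dialect, UserName, Signed, Encrypted

# Kerberos vs NTLM: a cifs/<server> ticket in the cache means Kerberos was used
klist | Select-String -Pattern "cifs/$server"
```

Run the same script logged on as an HR user and Test-ShareReadWrite should report Read and Write as false with an access denied error, which is the check that the permissions are actually restricting anyone.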

In these photos you can see I’m able to access the folder and file while logged in as a Sales member.

Group Policy Restrictions

Next we'll be adding some Group Policy restrictions to our AD lab environment. Group Policy restrictions are a great way to restrict certain features and enforce requirements for specific sets of users on a domain. In our example today, we'll be disabling access to USB drives for the HR team, which removes the most common path for malicious files carried in on removable media and also limits what can be copied out onto it. To add a Group Policy restriction, we'll begin by opening the Windows Server VM and the Group Policy Management console.

Next, we navigate to the OU we want to link the restriction to. Group Policy Objects are linked to sites, domains and OUs, not to groups; if you need to target a group, link the GPO to the OU and add the group under Security Filtering. In this case, we find the Users OU for HR, right-click it, choose "Create a GPO in this domain, and Link it here...", give it a name and save. Now we can right-click the new GPO and choose Edit. To restrict USB access for these users, navigate to User Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access. You should see something similar to the picture below. Because this lives under User Configuration, the restriction follows the HR user to whichever computer they log on to; the same settings under Computer Configuration would lock down the machine for every user instead. Now we can find a few policies and enable them. In my lab I enabled the following: "Removable Disks: Deny execute access", "Removable Disks: Deny read access" and "Removable Disks: Deny write access". Changes to a GPO are saved as you make them, so close the editor and continue.

Next we can force a Group Policy refresh from the command line, just to be sure our users will have the correct restrictions at their next logon. Note that gpupdate only refreshes policy on the machine it runs on: running gpupdate /force on the server refreshes the server's own policy, which does nothing for the HR users. User Configuration settings are applied when the user logs on, so either log the HR user off and back on, or open a command prompt on the desktop VM while logged on as that user and run gpupdate /force there. Afterwards, gpresult /r /scope:user lists the GPOs that actually applied to the user, which is the quickest way to tell a linking or filtering mistake from a policy that applied but did not behave as expected.
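The whole GPO step in PowerShell with the GroupPolicy module: create the GPO, set the same three "Removable Disks: Deny ..." policies through the registry values the ADMX templates write, link it to the HR users OU, and verify it on the client. This is an added example and not code from the original post. It assumes the OU path OU=Users,OU=HR,DC=Homelab,DC=local and the GPO name, both constructed; the first part runs on the domain controller as a Domain Admin and the last three commands run on the desktop VM logged on as an HR user.

```powershell
# Added example, not from the original post: create the HR removable-disk GPO,
# set the three "Removable Disks: Deny ..." policies via the registry values the
# ADMX templates write, link it to the HR users OU, and verify it on the client.
# Assumptions: OU path OU=Users,OU=HR,DC=Homelab,DC=local and the GPO name are
# constructed. First part: on the DC as a Domain Admin. Last three commands: on
# the desktop VM, logged on as an HR user.
Import-Module GroupPolicy

$gpoName = 'HR - Deny Removable Disks'
$target  = 'OU=Users,OU=HR,DC=Homelab,DC=local'
# Device setup class GUID for "Removable Disks", the class the
# Removable Storage Access policies key on
$removableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$policyKey = "HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$removableDisks"

if (-not (Get-GPO -All | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPO -Name $gpoName -Comment 'Deny read, write and execute on removable disks for HR users' | Out-Null
}

# Deny_Read / Deny_Write / Deny_Execute = 1 is exactly what enabling the three
# ADMX policies under User Configuration > ... > Removable Storage Access does.
foreach ($value in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
    Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName $value -Type DWord -Value 1 | Out-Null
}

# Link to the HR users OU. GPOs link to sites, domains and OUs; to scope by group
# you would keep this link and add the group under Security Filtering instead.
$linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null
}

# Review what the GPO contains before anyone logs on
Get-GPRegistryValue -Name $gpoName -Key $policyKey | Select-Object ValueName, Type, Value

# --- On the desktop VM, logged on as an HR user ---
# User-side policy refreshes at logon; force it, confirm this GPO is in the applied
# list, and check that the deny values landed in the user's policy hive.
gpupdate /target:user /force
gpresult /r /scope:user
Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$removableDisks"
```

If gpresult lists the GPO but the registry query is empty, the user has not logged on since the link was created; if the GPO is missing from gpresult entirely, the link or the OU path is wrong. Both are cheaper to diagnose here than by plugging in USB drives.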

Finally, we can test our Group Policy by attempting to access a USB drive on our desktop VM. First, I logged in as an HR member of my domain and inserted a USB drive. When we attempt to open the drive, we should immediately be prompted with an error message noting we do not have permission to access this removable media.

When logged in as another user, however, these restrictions do not apply, because the GPO is linked to the HR users OU and configured under User Configuration. To test our policy further we can log in to the desktop as a Sales member and attempt to open the same USB drive. Now we can see we have no issues reading, writing and executing data that is on the USB drive. Amazing! Our Group Policy is working just as intended, keeping our devices safe while still allowing work to be done.

Summary

This lab was a lot of fun and presented some interesting challenges, and it was really helpful in furthering my understanding and working knowledge of Active Directory and Windows Server basics. I had a lot of fun setting up a realistic environment where I made changes to mimic real-world needs, and it gave me great practice working with some apps and features I hadn't yet explored in my initial setup guide. If you have any questions about this lab or my other guides, feel free to leave a comment below or reach out to me personally via my contact information. Thank you for reading!
