Project Write-Up

End-to-End Domain Control

Active Directory Project

Overview

This project demonstrates the deployment of a fully managed Active Directory domain in a simulated enterprise environment using Windows Server 2022 and Windows 11 Pro. The domain architecture supports centralized policy enforcement, secure authentication, network resource access, and department-based segmentation using industry best practices such as the AGDLP access control model.

Infrastructure Setup

  • Created a Windows Server 2022 domain controller in VirtualBox (hostname: dc01)
  • Configured internal networking with static IP: 10.10.10.10 / Gateway: 10.10.10.1
  • Installed and promoted AD DS, creating a new forest: test.local
  • Verified services post-promotion using dcdiag and DNS resolution tests

Client Provisioning & Domain Join

  • Created a Windows 11 Pro VM; bypassed Microsoft account setup using oobe\bypassnro
  • Manually set NIC DNS to 10.10.10.10 and joined the domain test.local
  • Tested login functionality and access to domain resources
  • Confirmed share-based access control using test user Maya Reed
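The two procedures above (building dc01 and joining the client), as an added PowerShell example that is not the project's own script. The addresses, gateway and forest name are the ones in the write-up; the interface alias "Ethernet", the NetBIOS name "TEST", the Workstations OU as the join target and the check commands at the end are assumptions.

```powershell
# ---- On the server that becomes dc01 (run elevated) ----
Rename-Computer -NewName "dc01" -Force -Restart     # reboot, then continue below

# Static addressing from the write-up: 10.10.10.10/24, gateway 10.10.10.1
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 10.10.10.10 `
    -PrefixLength 24 -DefaultGateway 10.10.10.1
# A DC should resolve against its own DNS service once AD DS is installed
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 10.10.10.10

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Promote to the first DC of a new forest. The DSRM password is prompted for
# rather than embedded in the script; "TEST" is an assumed NetBIOS name.
$dsrm = Read-Host -AsSecureString "Directory Services Restore Mode password"
Install-ADDSForest -DomainName "test.local" -DomainNetbiosName "TEST" `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force
# The server reboots automatically when promotion finishes.

# ---- Post-promotion checks on dc01 ----
dcdiag /test:DNS /test:Advertising /test:Services
# Clients locate a DC through this SRV record; if it is missing, joins will fail
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.test.local" -Type SRV
Get-ADDomainController | Select-Object HostName, IPv4Address, IsGlobalCatalog

# ---- On the Windows 11 Pro client ----
# The client must use the DC for DNS or it cannot find the domain at all.
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 10.10.10.10
Resolve-DnsName -Name "test.local"               # expected: 10.10.10.10

# Join with an account allowed to add computers; the machine object is placed in
# the Workstations OU (assumed) so the workstation GPOs apply. Reboot afterwards.
Add-Computer -DomainName "test.local" -Credential (Get-Credential "TEST\Administrator") `
    -OUPath "OU=Workstations,DC=test,DC=local" -Restart

# After the reboot: confirm the machine's secure channel and DC discovery work.
Test-ComputerSecureChannel -Verbose
nltest /dsgetdc:test.local
```

If Resolve-DnsName on the client returns nothing, check the DNS setting before anything else; a client left on the VirtualBox default DNS is the most common reason a join fails with "domain could not be contacted".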

Organizational Structure & Access Model

The domain is structured to reflect a mid-sized business layout with OUs for each department, user roles defined via Global Groups, and access scoped by Domain Local Groups following the AGDLP model.

corp.local
│
├── OU: HR
│   ├── Users: HR_Users, HR_Managers
│   ├── Global Groups:
│   │   ├─ HR_Users
│   │   ├─ HR_Managers
│   │   └─ HR_GPO_Policy
│   ├── Domain Local Groups:
│   │   ├─ HR_Share_Read
│   │   └─ HR_Share_Modify
│   └── Resources:
│       └─ \\DC01\HR_Share (Read/Modify)
│
├── OU: IT
│   ├── Users: IT_Admins, IT_Helpdesk
│   ├── Global Groups:
│   │   ├─ IT_Admins
│   │   ├─ IT_Helpdesk
│   │   └─ IT_GPO_Editors
│   ├── Domain Local:
│   │   └─ IT_Servers_Access
│   └── Resources:
│       └─ \\DC01\IT_Servers (Full/Admin)
│
├── OU: Sales
│   ├── Users: Sales_Users, Sales_Managers
│   ├── Global Groups:
│   │   ├─ Sales_Users
│   │   ├─ Sales_Managers
│   │   └─ Sales_RemoteAccess
│   ├── Domain Local:
│   │   ├─ Sales_Share_Read
│   │   └─ Sales_Share_Modify
│   └── Resources:
│       └─ \\DC01\Sales_Share (Read/Modify)
│
├── OU: Accounting
│   ├── Users: Accounting_Users, Accounting_Managers
│   ├── Global Groups:
│   │   ├─ Accounting_Users
│   │   ├─ Accounting_Managers
│   │   └─ Accounting_Software_Users
│   ├── Domain Local:
│   │   ├─ Accounting_Share_Read
│   │   └─ Accounting_Share_Modify
│   └── Resources:
│       └─ \\DC01\Accounting_Share (Read/Modify)
│
└── OU: Workstations
    ├── Global Groups:
    │   ├─ Workstations_All
    │   ├─ Workstations_IT
    │   └─ Workstations_HR
    └── GPOs:
        ├─ Security Filtering by group
        └─ Wallpaper and software restrictions
      

Users & Group Mappings

Test users were created for each department and assigned to appropriate Global Groups:

  • HR: Maya Reed (HR_Users), Oliver Watts (HR_Managers)
  • IT: Noah Carter (IT_Admins), Aiden Flores (IT_Helpdesk)
  • Sales: Zoe Bennett (Sales_Users), Lucas Rivera (Sales_Managers)
  • Accounting: Liam Powell (Accounting_Users), Emma Hughes (Accounting_Managers)

Global Groups were nested into Domain Local Groups to grant access to resources and apply GPOs using the standard AGDLP hierarchy. GPO security filtering was also used to target workstation policies by group membership.

Organizational Structure & Security Groups

The domain includes Organizational Units (OUs) for HR, IT, Sales, Accounting, and Workstations. Global groups were used to define user roles and departmental membership, while Domain Local groups managed file shares and GPO targeting.

Example:

  • HR_Users and HR_Managers nested into HR_Share_Read and HR_Share_Modify
  • IT_Admins and IT_Helpdesk granted server-level access via IT_Servers_Access

Folder shares such as \\DC01\HR_Share were created with NTFS permissions bound strictly to Domain Local groups.

Test users were created to simulate real-world use cases. For example:

  • Maya Reed – HR_Users → Read access to HR_Share
  • Lucas Rivera – Sales_Managers → Modify access to Sales_Share
  • Noah Carter – IT_Admins → Full access to IT_Servers and delegated GPO rights
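The HR branch of the AGDLP model above (OU, Global role groups, Domain Local permission groups, NTFS ACL bound to the Domain Local groups, and the two HR test users), as an added PowerShell example run on dc01; it is not the project's own script. Group and user names come from the write-up; the forest test.local from the Infrastructure Setup section, the NetBIOS name "TEST", the SAM account names, and the folder D:\Shares\HR_Share are assumptions.

```powershell
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName            # DC=test,DC=local
$ou       = "OU=HR,$domainDN"

# A: accounts live in a per-department OU
New-ADOrganizationalUnit -Name "HR" -Path $domainDN -ProtectedFromAccidentalDeletion $true

# G: Global groups describe roles (who someone is)
foreach ($g in "HR_Users", "HR_Managers") {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ou
}
# DL: Domain Local groups describe a permission on a resource (what may be done)
foreach ($dl in "HR_Share_Read", "HR_Share_Modify") {
    New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $ou
}

# G -> DL: roles map to permission sets; users are never placed in DL groups directly
Add-ADGroupMember -Identity "HR_Share_Read"   -Members "HR_Users"
Add-ADGroupMember -Identity "HR_Share_Modify" -Members "HR_Managers"

# A -> G: the two HR test users (SAM account names assumed)
$pw = Read-Host -AsSecureString "Initial password for test users"
New-ADUser -Name "Maya Reed"    -SamAccountName "mreed"  -GivenName Maya   -Surname Reed `
    -Path $ou -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
New-ADUser -Name "Oliver Watts" -SamAccountName "owatts" -GivenName Oliver -Surname Watts `
    -Path $ou -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity "HR_Users"    -Members "mreed"
Add-ADGroupMember -Identity "HR_Managers" -Members "owatts"

# P: the share. Share-level permission stays coarse; NTFS does the real gating
# and references only the Domain Local groups (plus the usual admin/SYSTEM ACEs).
$path = "D:\Shares\HR_Share"                              # assumed folder
New-Item -ItemType Directory -Path $path -Force | Out-Null
New-SmbShare -Name "HR_Share" -Path $path -ChangeAccess "Authenticated Users"

$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)               # break inheritance, drop inherited ACEs
$inherit = "ContainerInherit,ObjectInherit"
foreach ($rule in @(
        @("TEST\HR_Share_Read",     "ReadAndExecute"),
        @("TEST\HR_Share_Modify",   "Modify"),
        @("BUILTIN\Administrators", "FullControl"),
        @("NT AUTHORITY\SYSTEM",    "FullControl"))) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $rule[0], $rule[1], $inherit, "None", "Allow")))
}
Set-Acl -Path $path -AclObject $acl

# Check the chain end to end: every group Maya Reed belongs to, nested ones included
# (LDAP_MATCHING_RULE_IN_CHAIN walks the nesting). Expected: HR_Users and HR_Share_Read.
$userDN = (Get-ADUser -Identity "mreed").DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDN)" |
    Select-Object Name, GroupScope
```

The last query is the one worth keeping around: if a user ever shows up in a *_Share_Modify group without passing through a Global role group, the AGDLP model has been bypassed and the ACL no longer says who really has access.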

Group Policy Enforcement

A set of GPOs was created to enforce account security, drive mapping, wallpapers, and application controls:

  • Login Security: hide last signed-in user, enforce lockout after 5 failed attempts (15-minute duration)
  • Logon Message: "Authorized Access Only" displayed before login
  • Inactivity Timeout: system locks after defined idle period
  • Wallpapers: Department-specific images enforced via GPO using \\DC01\Wallpaper\ share
  • Drive Mapping: GPO Preferences used with item-level targeting to assign network drives based on group membership
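The lockout, hidden-last-user, logon message, inactivity timeout and per-department wallpaper settings above, as an added PowerShell example run on dc01; it is not the project's own configuration. The lockout values (5 attempts, 15 minutes) and the \\DC01\Wallpaper\ share are from the write-up; the GPO names, the 15-minute inactivity value, the image file names, the department OU DNs and the decision to link the user-side wallpaper GPOs to each department's OU and filter them by the department's Global groups are assumptions. Drive-map preferences with item-level targeting have no GroupPolicy-module cmdlet and are left to the console.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Account lockout is a domain-wide account policy, so it belongs to the default
# domain password policy rather than to a per-OU GPO.
Set-ADDefaultDomainPasswordPolicy -Identity "test.local" -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 15) -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# --- Machine-side logon settings, one GPO linked to the Workstations OU ---
# These are the registry values the "Security Options" UI writes; here they are
# delivered as registry policy so the whole thing can be scripted.
$sec    = New-GPO -Name "WS - Logon Security"
$sysKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
Set-GPRegistryValue -Name $sec.DisplayName -Key $sysKey -ValueName "DontDisplayLastUserName" -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $sec.DisplayName -Key $sysKey -ValueName "LegalNoticeCaption"      -Type String -Value "Authorized Access Only" | Out-Null
Set-GPRegistryValue -Name $sec.DisplayName -Key $sysKey -ValueName "LegalNoticeText"         -Type String -Value "This system is for authorized users only. Activity may be monitored." | Out-Null
Set-GPRegistryValue -Name $sec.DisplayName -Key $sysKey -ValueName "InactivityTimeoutSecs"   -Type DWord  -Value 900 | Out-Null   # 15 min, assumed
New-GPLink -Name $sec.DisplayName -Target "OU=Workstations,DC=test,DC=local" -LinkEnabled Yes | Out-Null

# --- User-side wallpaper: one GPO per department, applied only to that department's groups ---
$userKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
$depts = @{
    "HR"         = @{ Groups = "HR_Users", "HR_Managers";                 Image = "HR.jpg" }
    "IT"         = @{ Groups = "IT_Admins", "IT_Helpdesk";                Image = "IT.jpg" }
    "Sales"      = @{ Groups = "Sales_Users", "Sales_Managers";           Image = "Sales.jpg" }
    "Accounting" = @{ Groups = "Accounting_Users", "Accounting_Managers"; Image = "Accounting.jpg" }
}
foreach ($dept in $depts.Keys) {
    $gpo = New-GPO -Name "Wallpaper - $dept"
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $userKey -ValueName "Wallpaper"      -Type String -Value "\\DC01\Wallpaper\$($depts[$dept].Image)" | Out-Null
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $userKey -ValueName "WallpaperStyle" -Type String -Value "2" | Out-Null   # 2 = stretch
    New-GPLink -Name $gpo.DisplayName -Target "OU=$dept,DC=test,DC=local" -LinkEnabled Yes | Out-Null

    # Security filtering: drop the default "Authenticated Users" apply right, grant Apply
    # to the department groups only, and keep Read for computer accounts so the
    # policy can still be retrieved during processing.
    Set-GPPermission -Name $gpo.DisplayName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace | Out-Null
    foreach ($g in $depts[$dept].Groups) {
        Set-GPPermission -Name $gpo.DisplayName -TargetName $g -TargetType Group -PermissionLevel GpoApply | Out-Null
    }
    Set-GPPermission -Name $gpo.DisplayName -TargetName "Domain Computers" -TargetType Group -PermissionLevel GpoRead | Out-Null
}

# On a client, after "gpupdate /force": gpresult /r shows which GPOs applied and
# which groups were used for the filtering decision.
```

The "Domain Computers" read grant is the step people forget when they strip Authenticated Users: without it the computer account cannot read the GPO and user-side settings silently stop applying.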

Application Whitelisting

Software Restriction Policies (SRP) were implemented using the "Run only specified Windows applications" policy. Each department received a tailored whitelist; a baseline GPO allowed common system apps (e.g., Edge, File Explorer, Task Manager).

  • Accounting: Excel, Outlook, QuickBooks, Acrobat
  • Sales: Excel, PowerPoint, Chrome, Teams
  • HR: WordPad, Acrobat, Outlook, control panel tools
  • IT: cmd, PowerShell, regedit, MMC, Putty, Wireshark

Installation files for approved software were hosted on a secured internal share and distributed via GPO or manual execution by authorized users.
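The per-department "Run only specified Windows applications" whitelists above, as an added PowerShell example run on dc01; it is not the project's own configuration. It writes the RestrictRun registry policy that the Administrative Template (User Configuration > Administrative Templates > System) sets. The application lists are the write-up's; the GPO names, the executable file names chosen for each product, the reading of "control panel tools" as control.exe, and the department OU DNs are assumptions.

```powershell
Import-Module GroupPolicy

# Baseline every department gets (Edge, File Explorer, Task Manager), plus additions.
$baseline = "explorer.exe", "msedge.exe", "taskmgr.exe"
$perDept = @{
    "Accounting" = @{ Groups = "Accounting_Users", "Accounting_Managers"
                      Apps   = "excel.exe", "outlook.exe", "qbw32.exe", "acrobat.exe" }
    "Sales"      = @{ Groups = "Sales_Users", "Sales_Managers"
                      Apps   = "excel.exe", "powerpnt.exe", "chrome.exe", "ms-teams.exe" }
    "HR"         = @{ Groups = "HR_Users", "HR_Managers"
                      Apps   = "wordpad.exe", "acrobat.exe", "outlook.exe", "control.exe" }
    "IT"         = @{ Groups = "IT_Admins", "IT_Helpdesk"
                      Apps   = "cmd.exe", "powershell.exe", "regedit.exe", "mmc.exe", "putty.exe", "wireshark.exe" }
}

$explorerKey = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

foreach ($dept in $perDept.Keys) {
    $gpo  = New-GPO -Name "Whitelist - $dept"
    $apps = @($baseline + $perDept[$dept].Apps | Select-Object -Unique)

    # RestrictRun=1 switches the policy on; the RestrictRun subkey lists the allowed
    # executables as string values named "1", "2", ... whose data is the file name.
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $explorerKey -ValueName "RestrictRun" -Type DWord -Value 1 | Out-Null
    $i = 1
    foreach ($exe in $apps) {
        Set-GPRegistryValue -Name $gpo.DisplayName -Key "$explorerKey\RestrictRun" -ValueName "$i" -Type String -Value $exe | Out-Null
        $i++
    }

    # Link to the department OU and apply only to that department's role groups.
    New-GPLink -Name $gpo.DisplayName -Target "OU=$dept,DC=test,DC=local" -LinkEnabled Yes | Out-Null
    Set-GPPermission -Name $gpo.DisplayName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace | Out-Null
    foreach ($g in $perDept[$dept].Groups) {
        Set-GPPermission -Name $gpo.DisplayName -TargetName $g -TargetType Group -PermissionLevel GpoApply | Out-Null
    }
    Set-GPPermission -Name $gpo.DisplayName -TargetName "Domain Computers" -TargetType Group -PermissionLevel GpoRead | Out-Null
}

# Review what a GPO actually carries before linking it in production: the list
# should contain exactly the baseline plus the department's approved applications.
Get-GPRegistryValue -Name "Whitelist - HR" -Key "$explorerKey\RestrictRun" |
    Select-Object ValueName, Value
```

Two things to keep in mind about this policy when treating it as "whitelisting": it is enforced by the Explorer shell and matches on the file name only, so it governs what a user launches from the desktop and Start menu rather than every process on the machine. For a lab it demonstrates the idea; the next step up for the same goal is AppLocker or Windows Defender Application Control, which check publisher signatures or hashes and are enforced by the kernel-side driver.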

Certificate Auto-Enrollment

Certificate Services were deployed to issue and manage digital certificates for both users and computers. Auto-enrollment was configured via GPO to streamline certificate distribution and renewal:

  • Configured an Enterprise CA on dc01 with user and machine certificate templates
  • Enabled auto-enrollment via GPO for both Computer Configuration and User Configuration
  • Verified issuance of certificates in the personal store of domain-joined clients
  • Tested certificate-based authentication scenarios for future VPN and RDP integration
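The CA build, auto-enrollment GPO and client-side verification above, as an added PowerShell example; it is not the project's own configuration. The CA name "test-DC01-CA", the GPO name, linking the GPO at the domain root, and the duplicated template names TestLab-Computer / TestLab-User are assumptions. Duplicating the built-in Computer and User templates (the version 1 templates cannot be edited) and granting Domain Computers / Domain Users the Autoenroll permission is done in the Certificate Templates console and is not scripted here.

```powershell
# ---- On dc01: Enterprise Root CA ----
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName "test-DC01-CA" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# Publish the (already duplicated, assumed-named) templates so the CA will issue them.
certutil -SetCATemplates +TestLab-Computer +TestLab-User

# ---- Auto-enrollment GPO: same values for Computer and User Configuration ----
Import-Module GroupPolicy
$gpo   = New-GPO -Name "Certificate Auto-Enrollment"
$aeKey = "SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
foreach ($hive in "HKLM", "HKCU") {
    # AEPolicy 7 = enabled + renew expired / update pending / remove revoked + update templates
    Set-GPRegistryValue -Name $gpo.DisplayName -Key "$hive\$aeKey" -ValueName "AEPolicy" -Type DWord -Value 7 | Out-Null
    # Renew when 10% of lifetime remains, and watch the personal (MY) store
    Set-GPRegistryValue -Name $gpo.DisplayName -Key "$hive\$aeKey" -ValueName "OfflineExpirationPercent"    -Type DWord  -Value 10   | Out-Null
    Set-GPRegistryValue -Name $gpo.DisplayName -Key "$hive\$aeKey" -ValueName "OfflineExpirationStoreNames" -Type String -Value "MY" | Out-Null
}
New-GPLink -Name $gpo.DisplayName -Target "DC=test,DC=local" -LinkEnabled Yes | Out-Null

# ---- On a domain-joined client, after "gpupdate /force" ----
certutil -pulse                              # trigger auto-enrollment now instead of waiting

# Machine certificate: should appear in the computer's personal store, issued by the lab CA
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Issuer -like "*test-DC01-CA*" |
    Select-Object Subject, NotAfter, Thumbprint

# User certificate: same check for the signed-in user (e.g. Maya Reed)
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object Issuer -like "*test-DC01-CA*" |
    Select-Object Subject, NotAfter, EnhancedKeyUsageList
```

When duplicating the templates, leave the subject name set to "Build from this Active Directory information" rather than "Supply in the request": an auto-enrollment template that lets the requester choose the subject is the classic misconfiguration in AD CS, because it decouples the certificate's identity from the account that asked for it.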

VPN Configuration

A VPN solution was implemented to simulate secure remote access to the domain environment:

  • Configured Routing and Remote Access (RRAS) on dc01 to support L2TP/IPsec VPN connections
  • Created a static IP address pool for VPN clients and enabled NAT routing
  • Tested VPN connectivity from a Windows 11 client using domain credentials
  • Verified access to domain resources and DNS resolution over the VPN tunnel
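The client side of the L2TP/IPsec test above (profile creation, connection with domain credentials, and the resource and DNS checks), as an added PowerShell example; it is not the project's own configuration. On dc01 the example installs the VPN role only; the L2TP pre-shared key, the static address pool and NAT are taken as already set in the RRAS console. The connection name, the use of MS-CHAPv2 and the choice of dc01's address as the VPN endpoint are assumptions.

```powershell
# ---- On dc01: install RRAS in VPN mode (pool, PSK and NAT set in the console) ----
Install-WindowsFeature RemoteAccess, Routing, DirectAccess-VPN -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn

# ---- On the Windows 11 client ----
# The PSK is prompted for, never stored in the script. No split tunnelling, so all
# traffic (including DNS) goes through the tunnel during the test.
$psk = Read-Host "L2TP pre-shared key"
Add-VpnConnection -Name "test.local L2TP" -ServerAddress "10.10.10.10" -TunnelType L2tp `
    -L2tpPsk $psk -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -SplitTunneling:$false -RememberCredential:$false -Force

# Connect with a domain account; "*" makes rasdial prompt for the password
rasdial "test.local L2TP" "TEST\mreed" *

# Checks once connected
Get-VpnConnection -Name "test.local L2TP" | Select-Object Name, ConnectionStatus, TunnelType
Get-NetIPAddress -InterfaceAlias "test.local L2TP" -AddressFamily IPv4     # address from the static pool
Resolve-DnsName -Name "dc01.test.local" -Server 10.10.10.10               # DNS over the tunnel
Test-NetConnection -ComputerName "dc01.test.local" -CommonTCPPort SMB      # share reachability
Get-SmbConnection | Select-Object ServerName, ShareName, UserName           # after browsing \\DC01\HR_Share

rasdial "test.local L2TP" /disconnect
```

MS-CHAPv2 with a shared L2TP key is fine for a lab, but every client holds the same secret and the credential is the user's password. With the certificates from the auto-enrollment section in place, the same profile can be switched to -AuthenticationMethod Eap or MachineCertificate, which is the setup the write-up's "future VPN integration" bullet points at.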

Asset Tracking & Auditing

A lightweight asset inventory system was developed to simulate enterprise-grade auditing and reporting:

  • Created a PowerShell script to collect system info, installed applications, and certificate data from each domain-joined machine
  • Scheduled the script to run as SYSTEM via GPO, storing output as XML in a hidden network share
  • Integrated the XML data into the mock AD console for interactive querying
  • Simulated PowerShell-style commands such as Get-Content -Path "AssetInventory\ComputerName" to display raw XML reports
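The collection script described above (system information, installed applications and certificate data exported as XML to a hidden share), as an added PowerShell example; it is not the project's own script. The share name \\DC01\AssetInventory$ is an assumption. As in the write-up, it is meant to run as SYSTEM from a GPO-deployed scheduled task, so the share's NTFS ACL should grant Domain Computers write access and domain users nothing.

```powershell
$share = "\\DC01\AssetInventory$"          # assumed hidden share
$name  = $env:COMPUTERNAME

$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem

# Installed applications from both the 64-bit and 32-bit uninstall hives;
# entries without a DisplayName are updates/components and are skipped.
$uninstallKeys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
                 "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName

# Machine certificates: enough to spot expiring or unexpected issuers; no key material leaves the host
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Issuer, NotAfter, Thumbprint, HasPrivateKey

$report = [pscustomobject]@{
    ComputerName = $name
    Collected    = (Get-Date).ToUniversalTime()
    Domain       = $cs.Domain
    OS           = "$($os.Caption) $($os.Version)"
    LastBoot     = $os.LastBootUpTime
    Manufacturer = $cs.Manufacturer
    Model        = $cs.Model
    MemoryGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    # Local admin membership is the field that drifts most on workstations
    LocalAdmins  = @(Get-LocalGroupMember -Group "Administrators" | Select-Object -ExpandProperty Name)
    Applications = $apps
    Certificates = $certs
}

# Export-Clixml keeps the object structure, so Import-Clixml on the reader side
# returns objects rather than flat text. One file per machine, overwritten each run.
$report | Export-Clixml -Path (Join-Path $share "$name.xml") -Depth 4

# ---- Reader side (dc01 or an admin workstation) ----
# Two questions the inventory answers: which machines have certificates expiring
# within 30 days, and which have someone unexpected in local Administrators.
$all = Get-ChildItem "$share\*.xml" | ForEach-Object { Import-Clixml $_.FullName }

$all | ForEach-Object {
    $r = $_
    $r.Certificates | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
        Select-Object @{ n = "Computer"; e = { $r.ComputerName } }, Subject, NotAfter
}

$expectedAdmins = "TEST\Domain Admins", "TEST\IT_Admins"   # assumed policy
$all | Where-Object { $_.LocalAdmins | Where-Object { $_ -notin $expectedAdmins -and $_ -notlike "*\Administrator" } } |
    Select-Object ComputerName, LocalAdmins
```

Because the files are written by SYSTEM on each client, the reader should treat them as claims from the endpoint, not ground truth: a compromised machine can write whatever it likes to its own XML, which is why the share ACL matters (one machine must not be able to overwrite another's report).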

PowerShell Simulation Console

Explore the layout and hierarchy of the mock Active Directory domain, test.local, through this interactive PowerShell-style environment. Use the cmdlets listed below to query users, computers and groups and to navigate OUs.

  • Get-ADUser
  • Get-ADComputer
  • Get-ADGroup
  • Get-ADOrganizationalUnit
  • Get-GPO
  • Get-ADDomainController
  • Get-ADGroupMember -Identity "Group"
  • Get-Content -Path "AssetInventory\ComputerName"

Next Steps

Future phases will include application deployment automation (MSI or script-based), secure RDP access, centralized event log forwarding, and PowerShell scripting for dynamic user provisioning and workstation enrollment. Additional layers such as WSUS, file auditing, and system monitoring are also planned.