In this lab we will explore the use of different kinds of account for managing objects in Active Directory and the use of GPO to apply account policies.
we will need the following virtual machines: Windows 2016-DC turned on and the rest of them when prompted Windows 2016-MS, Windows 10-WS, Windows 7-WS and RT-LAN turned on.
Exercise 1 – Observing Service Accounts
Lets open a connection to windows 2016 DC and install the following program
Close the Process Explorer now.
Exercise 2 – Browsing Default Active Directory Groups and Users
Now we will observe some of the accounts created by default in AD of Windows 2016 DC server.
In the “Active Directory Users and Computers” console, we went into classroom.local and had a look in bulitin folder. This folder contains default security groups specific to managing Domain Controllers.
After that we expanded Users folder which contains security groups and user accounts. These default groups and users are for access and management of other domain computers.
then we had a look on Domain Admin group when into properties > Members of the group and found that “Administrators” were locally scoped account from the “Builtin” folder.
Exercise 3 – Securing the Administrative Accounts
Now we will implement some Microsoft best practices for securing administrative accounts and learn
how not-such-best-practice can compromise organizational security.
I have opened CMD and wrote command “whoami /user” to view the SID of the current domain user – the format of SIDs can reveal a lot about the type of account. In the image below, it shows the Security ID (SID) of the current domain user. Note the “-500” suffix.
After that we had a look into Active Directory Users and Computers right clicked into the Administrator account and select Properties > Members Of tab to note the members.
Then General Tab again and we will delete the text of description field and enter “Andy” as first name and “Smith” as last name. Then rename Administrator to Andy.
then I logged off and Singed back in as classroom\Andy with same password. After that i went into Active Directory Users and Computer and went into Users container, created a new Organizational Unit in the name box we will name it “UsersOU” and creating another Organizational Unit naming it “AdminOU” and then from Users group we moved Domain Users, Sales, Sam, Viral to “UsersOU”.
Also moving Andy, Bobby, Domain Admins, LocalAdmin accounts from Users to AdminOU
then inside AdminOU we created a new Administrator account after that we opened CMD and ran “whoami /user” command it showed Andy as the user and still -500 suffix at the end which might mean Administrator. Then we ran the following command to get sid for Administrator account (which doesn’t have admin privileges)
later on i found out that The format of SIDs represents the type of an account. So next I Delegated control of the UsersOU for the Regular account ‘Sam’.
Exercise 4 – Investigating Group Policy
Continuing in WIN2016-DC we will go into Group Policy Management expanding Forest > Domains >
classroom.local > ComputersOU container then in Local Admin Policy we went into settings tab and Added the page to the browser’s Trusted Sites zone.
After that we will create a GPO in this domain naming Audit Policy. Then editing the policy and configuring inside making “Audit: Force audit policy subcategory settings.” Enable.
Also, after that going into Advanced Audit Policy Configuration under Security Settings in GPM Editor; editing Audit File System setting checking on Success & Failure boxes.
then I went into Group Policy Modeling Wizard by right clicking on Group Policy Modeling. and following the steps.
Then Skip to the final page and click Finish. After that going into Details tab and making sure the audit policy is applied under Computer Details > Settings > Policies.
switching back to Active Directory Users and Computers, add a new user group inside AdminOU called “sec-glo-priv”
Then going into Active Directory Administration Center to specific password requirements for users in AdminOU and specifically for “sec-glo-priv” group which we just created.
Exercise 5- Configuring Users and Groups
In this exercise, we will use the new permissions that we allocated to Sam’s account to configure user and group accounts and explore some of the restrictions imposed by avoiding the user of an “all-powerful” Administrator account.
Now we can start WIN2016-MS, WIN10-WS, and WIN07-WS VMs.
Logging into WIN10-WS VM as SAM. and then we will navigate into Computer Management > Expanding Local Users and Groups > Select Users container
This shows user accounts local to the computer only. These accounts cannot be used to access domain resources.
Now going into the group container > Administrator (Properties). Now to test the permissions we have on the local machine, we will try to add Sam.
Q. In the “Administrators Properties” dialog, click the Apply button – does it work?
No, it didn’t work gave error: Access is denied.
After this we went into Device Manager and Disk Management to acknowledge the warnings.
we are getting these errors because This user account does not have local administrator privileges / rights to perform the actions.
Now we will try to connect another computer WIN2016-DC.
Q. Can you access any of the snap-ins?
No, i can’t unfortunately.
The lab mentions using RSAT (Remote Server Administration) because it allows a user with appropriate privileges to configure domain properties and remote server services without logging on the local server or DC.
Clearly the Sam account cannot manage the DC
server itself, but we only need it to be able to manage accounts in the UsersOU container.
We will try to add a new user “Jo” into UsersOU through Active Directory Users and Computers through WIN10-WS.
And now we will modify few containers, in UsersOU we will modify Sales object > sec-glo-sales. Making sure that the group is globally scoped and accounts and Sam and Viral members are still present.
Now we will add “sec-dlc-share-sales-change.” and “sec-dlc-share-sales-read.” groups in UsersOU then we will add “sec-dlc-sharesales-change” in “sec-glo-sales” group.
then we will go into sec-dlc-shares-sales-read object’s > Properties > Members tab > Add (Domain Users)
Now we will go in AdminOU container and try add some members in Domain Admins object but Add button is disabled.
It basically reflects that still the standard user has restricted access to change few settings as being standard user.
Exercise 6 – Configuring a File Share
In this excersise, we will use an account that has been granted local administrator privileges over all the VMs
except the DC to configure a file share.
Loggin back in WIN2016-MS as classroom\Bobby
We will go into c: drive and create a new folder named SALES, and changing its Advanced sharing setting. Allowing for Everyone and checking all Allow boxes.
This gives the widest possible permissions to anyone accessing the share over the network.
Now going into the Security tab > Advanced button.
Now we will remove those custom Users one by one. and Add > “sec-dlc-share-sales-change” (Enabling Modify Permission in “Permission Entry” dialog) & “sec-dlc-sharesales-read”
Going into Auditing tab > Adding Auditing Entry for Sales folder with custom permissions naming “Success” & “Fail”.
Now heading to Effective Access tab, adding Andy as user and checking Effective Access for him.
CT&A
I can see that this lab clearly wanted show that how nesting groups is making administration simpler and less
prone to error.
also, i can see that the job of administrator is quite spontaneous managing accounts, configuring separate account with all the admin privileges, managing users and groups even their permissions is crucial. I also found that creating groups and managing specific groups with certain permission makes management efficient not only passwords but File sharing too.
Imagine in IT 