An enterprise-style on-premises Active Directory lab built using Windows Server 2022 in VMware Workstation Pro.
This project demonstrates structured Organizational Unit (OU) design, Role-Based Access Control (RBAC), Group Policy enforcement, centralized file and printer services, and validation from domain-joined client systems.
- Overview
- Prerequisites
- Architecture
- Active Directory Design
- Users and Groups (RBAC)
- File Server Configuration
- Group Policy Implementation
- Drive Mapping via GPO
- User Restriction Policy – Control Panel
- USB Security Enforcement
- Printer Deployment
- Validation and Testing
This project simulates a real-world enterprise Active Directory environment commonly managed by system administrators.
It focuses on centralized identity management, access control, security policy enforcement, and automated resource deployment using Microsoft Windows Server technologies.
The lab emphasizes practical administration skills rather than theoretical configuration.
Before setting up the lab, ensure the following software and tools are available:
- VMware Workstation Pro
- Windows Server 2022 ISO
- Windows 10 / Windows 11 ISO
- Basic networking knowledge (DNS, DHCP, IP addressing)
- PowerShell (built into Windows Server)
| VM Name | Role |
|---|---|
| DC01 | Domain Controller, DNS, Group Policy |
| FS01 | File Server, Print Server |
| CLIENT01 | Domain-joined workstation |
A structured OU hierarchy was implemented to enable scalable administration and clean Group Policy targeting.
OU Design Rationale
- Admins – Administrative user accounts
- Servers – Member servers (File / Print servers)
- Workstations – Domain-joined client systems
- CorpUsers – Standard users organized by department
- Groups – Security groups used for RBAC and policy targeting
Execute the script: AD_OU-structure
Users are then added to the Organizational Units created above.
Execute the script: User_Creation
Role-Based Access Control (RBAC) was implemented by assigning permissions to security groups instead of individual users, ensuring scalability, consistency, and simplified access management.
| Group Name | Purpose |
|---|---|
| HR_Read | Read-only access to HR data |
| Finance_Modify | Modify access to Finance data |
| IT_Admin | Administrative privileges |
| Workstation_Users | Standard domain workstation users |
Execute group.ps1 from the Scripts folder.
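The OU hierarchy, RBAC groups and user placement described above, as one added PowerShell example that is not the project's AD_OU-structure, User_Creation or group.ps1 script; the department sub-OUs (Finance, HR, IT) and the two sample users are assumptions.

```powershell
# Added example, not the project's AD_OU-structure, User_Creation or group.ps1 scripts.
# Run on DC01 with the ActiveDirectory module; department sub-OUs and sample users are assumptions.
Import-Module ActiveDirectory
$Domain      = Get-ADDomain
$DomainDN    = $Domain.DistinguishedName
$CorpUsersDN = "OU=CorpUsers,$DomainDN"
$GroupsDN    = "OU=Groups,$DomainDN"

# Top-level OUs from the design; protected so a stray delete in ADUC cannot remove them
foreach ($ou in 'Admins', 'Servers', 'Workstations', 'CorpUsers', 'Groups') {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $DomainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    }
}
# Department sub-OUs under CorpUsers (assumed departments)
foreach ($dept in 'Finance', 'HR', 'IT') {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$dept)" -SearchBase $CorpUsersDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $dept -Path $CorpUsersDN
    }
}

# RBAC security groups (global scope) in the Groups OU, one per role from the table above
$Groups = @{
    'HR_Read'           = 'Read-only access to HR data'
    'Finance_Modify'    = 'Modify access to Finance data'
    'IT_Admin'          = 'Administrative privileges'
    'Workstation_Users' = 'Standard domain workstation users'
}
foreach ($name in $Groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $GroupsDN -Description $Groups[$name]
    }
}

# Constructed sample users: created in their department OU and given rights only through group membership
$Users = @(
    @{ Sam = 'jdoe';   Given = 'Jane'; Surname = 'Doe';   Dept = 'Finance'; Group = 'Finance_Modify' },
    @{ Sam = 'bsmith'; Given = 'Bob';  Surname = 'Smith'; Dept = 'HR';      Group = 'HR_Read' }
)
$InitialPassword = Read-Host -AsSecureString 'Initial password for new users'
foreach ($u in $Users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'")) {
        New-ADUser -Name "$($u.Given) $($u.Surname)" -GivenName $u.Given -Surname $u.Surname -SamAccountName $u.Sam `
            -UserPrincipalName "$($u.Sam)@$($Domain.DNSRoot)" -Path "OU=$($u.Dept),$CorpUsersDN" `
            -AccountPassword $InitialPassword -Enabled $true -ChangePasswordAtLogon $true
    }
    if (-not (Get-ADGroupMember -Identity $u.Group | Where-Object SamAccountName -eq $u.Sam)) {
        Add-ADGroupMember -Identity $u.Group -Members $u.Sam
    }
}
```

Every step checks for an existing object first, so the script can be re-run safely while the lab is being built out.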
A centralized file server (FS01) was configured and joined to the domain.
| Share | Path | Access |
|---|---|---|
| Finance | C:\Shares\Finance | Finance_Modify – Modify |
| HR | C:\Shares\HR | HR_Read – Read |
Share permissions were used to control network-level access, while NTFS permissions enforced granular file system security. Effective access was determined by the most restrictive combination of both permission sets, following Microsoft best practices.
- NTFS permissions enforced least-privilege access
- Default permissions were removed
- Access controlled strictly through security groups
Members of the Finance_Modify security group were denied access to the HR shared folder.
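The share and NTFS configuration above, as an added example that is not the project's own FS01 steps; the NetBIOS domain name CORP is an assumption, the share names, paths and groups are those from the table.

```powershell
# Added example (not the project's own FS01 steps): creates both shares with share-level and
# NTFS permissions granted only to the RBAC groups. Run on FS01; 'CORP' is the assumed
# NetBIOS domain name.
$Domain  = 'CORP'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$Shares  = @(
    @{ Name = 'Finance'; Path = 'C:\Shares\Finance'; Group = 'Finance_Modify'; Ntfs = 'Modify';         Smb = 'Change' },
    @{ Name = 'HR';      Path = 'C:\Shares\HR';      Group = 'HR_Read';        Ntfs = 'ReadAndExecute'; Smb = 'Read' }
)

foreach ($s in $Shares) {
    New-Item -ItemType Directory -Path $s.Path -Force | Out-Null

    # NTFS: break inheritance without copying inherited ACEs, which drops the default
    # BUILTIN\Users entries, then add only SYSTEM, Administrators and the role group.
    $acl = Get-Acl -Path $s.Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = "$Domain\$($s.Group)";    Rights = $s.Ntfs })) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $ace.Id, $ace.Rights, $inherit, $prop, 'Allow'))
    }
    Set-Acl -Path $s.Path -AclObject $acl

    # Share: no Everyone entry; effective access is the more restrictive of share and NTFS,
    # so Change on the share still cannot exceed Modify on disk (or Read for HR).
    if (-not (Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $s.Name -Path $s.Path -FullAccess 'BUILTIN\Administrators' | Out-Null
    }
    Revoke-SmbShareAccess -Name $s.Name -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
    Grant-SmbShareAccess -Name $s.Name -AccountName "$Domain\$($s.Group)" -AccessRight $s.Smb -Force | Out-Null
}

# Finance_Modify members hold no allow ACE on HR, so they are already denied; an explicit Deny
# additionally survives a future over-broad allow (e.g. someone granting Authenticated Users).
$hrAcl = Get-Acl -Path 'C:\Shares\HR'
$hrAcl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    "$Domain\Finance_Modify", 'FullControl', $inherit, $prop, 'Deny'))
Set-Acl -Path 'C:\Shares\HR' -AclObject $hrAcl

# Show the resulting NTFS entries for both shares
Get-Acl -Path 'C:\Shares\Finance', 'C:\Shares\HR' | Format-List Path, AccessToString
```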
- Applied at the domain level
- Password complexity enforced
- Account lockout configured
A dedicated Group Policy Object (GPO) was created to enforce user-level restrictions and linked to the CorpUsers Organizational Unit. This ensures restrictions follow users regardless of the workstation they log into.
- Applied to: OU=CorpUsers
- Policy Type: User Configuration
- Prohibit access to Control Panel and Windows Settings
When a standard domain user attempts to access the Control Panel or Windows Settings, access is denied as expected.
Network drives were automated using Group Policy Preferences.
- Applied at user logon
- Item-level targeting based on the Finance_Modify security group
A computer-based Group Policy Object (GPO) was implemented to restrict the use of removable storage devices across all domain-joined workstations.
- Applied to: OU=Workstations
- Policy Type: Computer Configuration
- Deny all access to removable storage devices
When a USB storage device is inserted into a domain-joined workstation, access is blocked in accordance with the security policy.
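The two GPOs from the Control Panel and USB sections, created and linked with PowerShell as an added example that is not the project's own GPMC steps; the GPO display names and the New-LabGpo helper are assumptions, while the registry values are the ones the named Administrative Template policies write.

```powershell
# Added example (not the project's own GPMC steps): creates, configures and links the two GPOs.
# Run on DC01 with RSAT. GPO display names are assumptions; the registry keys and values are
# those written by the Administrative Template policies named in the text.
Import-Module ActiveDirectory, GroupPolicy
$DomainDN = (Get-ADDomain).DistinguishedName

function New-LabGpo {
    # Idempotent create-and-link helper (assumed name, not a built-in cmdlet)
    param([string]$Name, [string]$TargetOU, [string]$Comment)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment $Comment }
    if (-not ((Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $Name)) {
        New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

# User Configuration, linked to CorpUsers: "Prohibit access to Control Panel and PC settings"
$userGpo = New-LabGpo -Name 'Restrict Control Panel' -TargetOU "OU=CorpUsers,$DomainDN" `
    -Comment 'User restrictions for standard users; follows the user to any workstation'
Set-GPRegistryValue -Name $userGpo.DisplayName -Type DWord -Value 1 `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ValueName 'NoControlPanel' | Out-Null
$userGpo.GpoStatus = 'ComputerSettingsDisabled'   # no computer settings here; skip that half at processing time

# Computer Configuration, linked to Workstations: "All Removable Storage classes: Deny all access"
$compGpo = New-LabGpo -Name 'Block Removable Storage' -TargetOU "OU=Workstations,$DomainDN" `
    -Comment 'Deny all access to removable storage on domain-joined workstations'
Set-GPRegistryValue -Name $compGpo.DisplayName -Type DWord -Value 1 `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -ValueName 'Deny_All' | Out-Null
$compGpo.GpoStatus = 'UserSettingsDisabled'

# Confirm the registry-backed settings each GPO now carries
Get-GPRegistryValue -Name $userGpo.DisplayName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Get-GPRegistryValue -Name $compGpo.DisplayName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
```

Disabling the unused half of each GPO keeps the computer-side GPO from being evaluated for users and vice versa, which is what makes the user restriction follow the user and the USB block stay with the workstation.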
A centralized print server was deployed to manage and distribute printers across the domain using Group Policy Preferences and Role-Based Access Control (RBAC).
- Installed Print and Document Services role on the file server
- Configured shared printers for centralized management
A departmental printer was created and shared from the print server for Finance users.
Printers were deployed using Group Policy Preferences to automatically map printers at user logon.
- Deployment Method: Group Policy Preferences
- Action: Update
- Share Path: \\FS01\Finance_Printer
Item-level targeting was used to ensure the printer is deployed only to authorized users.
- Security Group: Finance_Modify
- Target Type: User group membership
The applied Group Policy Objects (GPOs) were successfully validated across domain-joined client systems. Policy refresh and reporting confirmed that both user-based and computer-based configurations were applied as intended.
- gpupdate /force verified immediate policy application without errors.
- gpresult /r confirmed that the correct GPOs were applied to both user and computer scopes.
- whoami /groups validated Role-Based Access Control (RBAC) by confirming effective security group memberships during user sessions.
End-user testing further confirmed:
- Restricted access to Control Panel and system settings for standard users
- Blocked USB storage devices on managed workstations
- Automatic network drive mapping based on department membership
- Automatic printer deployment using security group targeting
These results demonstrate a correctly scoped, secure, and fully functional Active Directory environment aligned with enterprise best practices.
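The validation steps above, turned into one client-side check script as an added example that is not part of the original page: it runs on CLIENT01 as a Finance user after gpupdate /force and reports pass/fail for each item in the list; the GPO display name and drive letter F: are assumptions, the share paths, group names and registry values follow the sections above.

```powershell
# Added validation script (not part of the original page): run on CLIENT01 as a Finance user
# after gpupdate /force. The GPO display name and drive letter F: are assumptions; the share
# paths, group names and registry values correspond to the policies the page describes.
$checks = [ordered]@{}

# 1) Registry values written by the two Administrative Template policies
$cp  = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
$usb = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -ErrorAction SilentlyContinue
$checks['Control Panel prohibited (NoControlPanel=1)'] = ($cp.NoControlPanel -eq 1)
$checks['Removable storage denied (Deny_All=1)']       = ($usb.Deny_All -eq 1)

# 2) RBAC as the logon token sees it (what NTFS and share ACLs actually evaluate), via whoami /groups
$tokenGroups = (whoami /groups /fo csv | ConvertFrom-Csv).'Group Name'
$checks['Token contains Finance_Modify'] = [bool]($tokenGroups | Where-Object { $_ -like '*\Finance_Modify' })
$checks['Token lacks HR_Read']           = -not ($tokenGroups | Where-Object { $_ -like '*\HR_Read' })

# 3) User-scope GPOs from gpresult's XML report instead of reading gpresult /r by eye
#    (user scope only: a standard user cannot query the computer RSoP without elevation)
$report = Join-Path $env:TEMP 'rsop.xml'
gpresult /x $report /f /scope:user | Out-Null
[xml]$rsop = Get-Content -Path $report
$checks['User GPO applied'] = @($rsop.Rsop.UserResults.GPO.Name) -contains 'Restrict Control Panel'  # assumed name

# 4) Effective share access: Finance writable for this user, HR not even listable
$probe = "\\FS01\Finance\rbac_probe_$PID.txt"
try   { Set-Content -Path $probe -Value 'probe' -ErrorAction Stop; Remove-Item $probe; $checks['Finance share writable'] = $true }
catch { $checks['Finance share writable'] = $false }
try   { Get-ChildItem -Path '\\FS01\HR' -ErrorAction Stop | Out-Null; $checks['HR share denied'] = $false }
catch [System.UnauthorizedAccessException] { $checks['HR share denied'] = $true }
catch { $checks['HR share denied'] = $false }   # an unreachable share is a different failure, not a pass

# 5) Group Policy Preferences results: mapped drive and deployed printer
$checks['F: mapped to \\FS01\Finance'] = [bool](Get-SmbMapping -LocalPath 'F:' -ErrorAction SilentlyContinue |
    Where-Object RemotePath -eq '\\FS01\Finance')
$checks['Finance_Printer deployed']    = [bool](Get-Printer -ErrorAction SilentlyContinue |
    Where-Object Name -eq '\\FS01\Finance_Printer')

$checks.GetEnumerator() | ForEach-Object { '{0} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key }
```

Running the same script as an HR user should flip the token and share checks, which is a quick way to confirm the groups, not the individual accounts, drive the outcome.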