Summary

Overview

This course provides a hands-on, step-by-step demonstration of setting up and managing a Windows Server 2022 lab environment using Hyper-V, Active Directory, and Group Policy Objects (GPOs). The trainer builds a domain-based network with a domain controller (DC1), two member servers (Server1 and Server2), and uses GPOs to enforce security policies such as restricting Remote Desktop access, displaying logon banners, and blocking removable storage. The session emphasizes practical configuration, troubleshooting common issues (e.g., execution policies, boot order, GPO application), and real-world administration practices in isolated training environments.

Topic (Timeline)

1. Lab Environment Setup and Domain Controller Configuration [00:00:00 - 00:13:26]

  • The trainer sets up a Hyper-V lab environment using Windows Server 2022 ISO images downloaded from Microsoft’s free evaluation program.
  • A virtual switch named “class lab” is created as an internal network to isolate the lab from the internet.
  • A domain controller (DC1) is provisioned as a Generation 1 VM with 4 GB RAM and assigned a static IP address (192.168.10.x) with no default gateway.
  • The domain is named class.local; the administrator account is class\administrator with password I love ADDC at 2026.
  • DNS is configured to point to the domain controller itself (self-referential DNS).
  • Server1 and Server2 are created as member servers, joined to the domain, and configured for Remote Desktop access.
  • The trainer notes that boot order must be adjusted in VM settings to prevent reinstallation loops (CD/DVD boot priority must be lowered after OS install).

2. Group Policy: Remote Desktop Access Control via User Rights Assignment [00:13:26 - 00:37:40]

  • The trainer demonstrates how to use Group Policy Management Console (GPMC) on DC1 to restrict Remote Desktop access.
  • A new GPO named “lab-fix” is created and linked to the domain.
  • Under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, the policy “Allow log on through Remote Desktop Services” is modified to include class\student1.
  • The trainer removes “Authenticated Users” from the GPO’s security filtering to target only specific users.
  • gpupdate /force is executed on Server1 to apply the policy.
  • Testing confirms that class\student1 can now RDP into Server1; the previously blocked access is resolved.
  • The trainer explains that administrators have inherent RDP rights, but GPOs can override or extend access for standard users.
  • Automation via scheduled gpupdate /force scripts is mentioned as a best practice for enterprise environments with many machines.

3. Group Policy: Logon Banner Enforcement via Organizational Units (OUs) [00:37:40 - 00:56:38]

  • The trainer creates an OU named “Lab Servers” to logically group Server1 and Server2 for targeted policy application.
  • A new GPO named “computer baseline logon banner” is created and linked to the “Lab Servers” OU.
  • Under Computer Configuration > Policies > Administrative Templates > System > Logon, the policies “Interactive logon: Message title for users attempting to log on” and “Interactive logon: Message text for users attempting to log on” are configured with a warning message (e.g., “Authorize users only. If you are not authorized, get out now.”).
  • gpupdate /force is run on Server1, followed by a reboot.
  • Upon login as class\student1, the banner message appears, confirming successful GPO application.
  • The trainer emphasizes the importance of using OUs to scope policies to specific groups of computers (e.g., IT, Engineering) rather than applying policies broadly.

4. Group Policy: User-Level Lockdown via Security Filtering [00:56:38 - 01:18:09]

  • A new user account, class\student2, is created in Active Directory under a new OU named “Lab Users”.
  • A new security group “Lab GPO Test Users” is created and populated with student1 and student2.
  • A new GPO named “User Lockdown” is created and linked to the “Lab Users” OU.
  • Under User Configuration > Policies > Administrative Templates > Control Panel, “Prohibit access to the Control Panel” is enabled.
  • “Authenticated Users” is removed from the GPO’s security filtering, and “Lab GPO Test Users” is added to restrict the policy to only those users.
  • gpupdate /force is executed on Server1, and upon logging in as student2, the Control Panel is blocked.
  • The trainer confirms the policy works as intended and contrasts it with administrator privileges, which remain unaffected.
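
The same User Lockdown build, scripted with the ActiveDirectory and GroupPolicy modules. This is an added example, not a script from the course. It assumes student1 and student2 already exist, and unlike the GUI steps above it leaves Authenticated Users with Read (without Apply): since security update MS16-072, user policy is retrieved in the computer's security context, so the computer account needs Read on the GPO.

```powershell
# Added example, not from the course: run on DC1 in an elevated session.
Import-Module ActiveDirectory, GroupPolicy

$ouDn    = "OU=Lab Users,$((Get-ADDomain).DistinguishedName)"   # OU=Lab Users,DC=class,DC=local
$gpoName = 'User Lockdown'
$group   = 'Lab GPO Test Users'

# Security group that will be the only principal allowed to apply the GPO.
# Assumption: student1 and student2 already exist in the domain.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ouDn
    Add-ADGroupMember -Identity $group -Members 'student1', 'student2'
}

New-GPO -Name $gpoName -Comment 'Blocks Control Panel for lab test users' | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# The Control Panel prohibition is a registry policy: NoControlPanel = 1 (user side).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Security filtering. -Replace is required to lower an existing permission:
# Authenticated Users drops from Apply to Read, then the lab group gets Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Show the resulting delegation so the filtering can be reviewed.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```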

5. Group Policy: Removable Storage Lockdown and Lab Wrap-Up [01:18:09 - 01:40:29]

  • The trainer transitions to Lab 3: Security Hardening via removable storage control.
  • The GPO “lab 3 exercise 3 removable storage lockdown” is created and linked to the “Lab Servers” OU.
  • Under Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access, policies to deny read/write access to all removable storage devices are configured.
  • The trainer notes that existing GPOs may need refreshing due to prior deletions or misconfigurations.
  • The session ends with the trainer acknowledging the complexity of enterprise environments (e.g., managing 800+ servers) and the value of tools like gpresult /r for verifying applied policies.
  • The trainer concludes by emphasizing the importance of structured naming, OU organization, and targeted GPO application for scalable, secure administration.
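
A scripted version of the removable storage lockdown, followed by a check that the setting reached every server in the OU. This is an added example, not the course's own script. It assumes the trainer's policy corresponds to "All Removable Storage classes: Deny all access" (registry value Deny_All) and that PowerShell remoting is enabled on the member servers.

```powershell
# Added example, not from the course: run on DC1 in an elevated session.
Import-Module ActiveDirectory, GroupPolicy

$gpoName = 'lab 3 exercise 3 removable storage lockdown'
$ouDn    = "OU=Lab Servers,$((Get-ADDomain).DistinguishedName)"
$key     = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# Create and link the GPO only if it does not exist yet.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Assumption: "All Removable Storage classes: Deny all access", stored as Deny_All = 1.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'Deny_All' `
    -Type DWord -Value 1 | Out-Null

# Refresh computer policy on every server in the OU and read the value back.
$servers = Get-ADComputer -SearchBase $ouDn -Filter * |
    Select-Object -ExpandProperty DNSHostName

Invoke-Command -ComputerName $servers -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $v = Get-ItemProperty -Path $path -Name Deny_All -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        DenyAll  = [bool]($v.Deny_All -eq 1)   # False means the policy has not landed
    }
} | Select-Object Computer, DenyAll
```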

Appendix

Key Principles

  • Isolation: Use internal virtual switches to create secure, isolated lab networks.
  • Static IPs: Domain controllers must have static IP addresses to ensure consistent DNS resolution.
  • GPO Scope: Use Organizational Units (OUs) to group computers/users and apply policies precisely.
  • Security Filtering: Remove “Authenticated Users” and add specific groups/users to avoid unintended policy application.
  • Policy Refresh: Always run gpupdate /force after GPO changes and reboot if necessary for full enforcement.

Tools Used

  • Hyper-V Manager
  • Windows Server 2022 ISO (free evaluation)
  • Group Policy Management Console (GPMC.msc)
  • PowerShell (for gpupdate, gpresult)
  • Active Directory Users and Computers (dsa.msc)

Common Pitfalls & Troubleshooting

  • Boot Order Issues: VMs may reboot into installation media if CD/DVD boot priority is not lowered after OS install.
  • Execution Policy: Fresh Windows installs block script execution; use Set-ExecutionPolicy Bypass -Force to run lab scripts.
  • GPO Not Applying: Verify GPO is linked to correct OU, security filtering is correct, and gpupdate /force was run.
  • Password Complexity: Training passwords are intentionally weak (I love ADDC at 2026); never use in production.
  • GPO Refresh Delay: Some policies require reboot; use gpresult /r to verify applied policies.
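
The "GPO Not Applying" checks above (link, security filtering, GPO status) can be read from DC1 in one pass. This is an added example, not part of the course material. Test-GpoReachesComputer is a hypothetical helper name, and it assumes the computer sits in an OU rather than the default Computers container.

```powershell
# Added example, not from the course: run on DC1 in an elevated session.
Import-Module ActiveDirectory, GroupPolicy

function Test-GpoReachesComputer {   # hypothetical helper name
    param(
        [string]$Computer = 'Server1',
        [string]$GpoName  = 'computer baseline logon banner'
    )

    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
    $dn  = (Get-ADComputer -Identity $Computer).DistinguishedName
    $ou  = $dn -replace '^CN=[^,]+,', ''          # OU that holds the computer

    # 1. Does the GPO reach this OU, directly or by inheritance, with the link enabled?
    $link = (Get-GPInheritance -Target $ou).InheritedGpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }

    # 2. Who holds Apply? For computer settings this must cover the computer account
    #    (Authenticated Users, Domain Computers, or a group containing it).
    $apply = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object Permission -eq 'GpoApply' |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        Computer      = $Computer
        OU            = $ou
        Linked        = [bool]$link
        LinkEnabled   = [bool]$link.Enabled
        GpoStatus     = $gpo.GpoStatus         # AllSettingsEnabled unless a half is disabled
        ApplyTrustees = $apply -join '; '
    }
}

Test-GpoReachesComputer
```

On the target itself, gpresult /r /scope computer lists both the applied GPOs and those filtered out, which confirms what this report predicts.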

Practice Suggestions

  • Recreate the entire lab environment from scratch using Hyper-V and Windows Server 2022.
  • Create additional GPOs to:
    • Block USB storage for specific users.
    • Enforce screen saver timeout and password protection.
    • Disable Command Prompt for non-admins.
  • Use gpresult /r and rsop.msc to audit policy application on client machines.
  • Practice moving computers between OUs and observe policy inheritance changes.