Enforcing Security and User Restrictions via Group Policy in a Windows Domain

Overview

This lab demonstrates how to create and enforce a client hardening policy using Group Policy in an Active Directory environment. The policy includes settings for password complexity, a login banner, and user interface restrictions like disabling Control Panel access.

Skills Demonstrated

  • Creating a comprehensive security GPO with both computer and user configurations
  • Enforcing password complexity and length requirements via Group Policy
  • Setting a logon message and title for legal or informational notices
  • Restricting user access to the Control Panel through User Configuration
  • Organizing users and computers into separate OUs for structured policy targeting
  • Linking and applying multi-scope GPOs across multiple Organizational Units
  • Verifying GPO success through startup behavior and user restrictions

Tools Used

  • Windows Server (Active Directory Domain Services)
  • Windows 10
  • Group Policy Management Console (gpmc.msc)
  • Group Policy Management Editor
  • Active Directory Users and Computers (dsa.msc)
  • Windows Settings

1. Environment Setup

  • Installed a Windows Server VM
  • Created a local Administrator account
  • Installed Active Directory Domain Services (AD DS)
  • Promoted the server to a Domain Controller with the domain name: lab.local
  • Created a domain user:
    • Name: John Doe
    • Logon Name: j.doe

2. Create Organizational Units

  • Created LabComputers OU and added the Windows Client VM
  • Created TestUsers OU and added John Doe

3. Create and Configure Client Hardening Policy

  • Created a new GPO: Client Hardening Policy

4. Enforce Password Complexity

  • Navigated to:
    Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
  • Set:
    • Minimum password length: 10
    • Password must meet complexity requirements: Enabled

5. Set Login Banner

  • Navigated to:
    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  • Set:
    • Interactive logon: Message title for users attempting to log on: "Message title"
    • Interactive logon: Message text for users attempting to log on: "Message text"

6. Disable Control Panel

  • Navigated to:
    User Configuration > Administrative Templates > Control Panel
  • Enabled: Prohibit access to Control Panel

7. Link GPO to OUs

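  • Linked Client Hardening Policy to both LabComputers and TestUsers, so that the Computer Configuration settings reach the client VM and the User Configuration setting reaches John Doe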

8. Verify Policy Application on Client

  • Upon login to the Windows Client, verified:
    • Login banner with set title and message appears
    • Control Panel access is blocked with an error message
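
The checks in step 8 can also be scripted, and the script can cover the password settings from step 4, which the visual check does not. The following is an added example, not part of the original lab: it reads the registry values that back the banner and Control Panel policies and the exported local security policy, then compares them with the values configured above. The helper names Add-Check and Get-PolicyValue and the temporary file name are assumptions made for this example.

```powershell
# Added example: run on the Windows 10 client as j.doe after `gpupdate /force` and a new logon.
# Expected values mirror steps 4-6 of this lab; change them if your GPO differs.
$results = [System.Collections.Generic.List[object]]::new()

function Add-Check($Setting, $Actual, $Expected) {
    # $null means the value could not be read at all (for example, no elevation).
    $status = if ($null -eq $Actual) { 'NOT CHECKED' } elseif ("$Actual" -eq "$Expected") { 'PASS' } else { 'FAIL' }
    $results.Add([pscustomobject]@{
        Setting = $Setting; Actual = $Actual; Expected = $Expected; Status = $status })
}

function Get-PolicyValue($Path, $Name) {
    # Registry-backed policy value; '<not set>' marks a policy that never arrived.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { @($item.$Name) -join "`n" } else { '<not set>' }
}

# Step 5: logon banner (computer policy, HKLM).
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Check 'Banner title' (Get-PolicyValue $system 'LegalNoticeCaption') 'Message title'
Add-Check 'Banner text'  (Get-PolicyValue $system 'LegalNoticeText')    'Message text'

# Step 6: Control Panel restriction (user policy, HKCU of the logged-on user).
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Add-Check 'Prohibit Control Panel' (Get-PolicyValue $explorer 'NoControlPanel') 1

# Step 4: password policy from the effective local security policy.
# secedit /export needs an elevated session; without it these rows stay NOT CHECKED.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
$secpol = @{}
secedit /export /cfg $cfg /areas SECURITYPOLICY 2>&1 | Out-Null
if ($LASTEXITCODE -eq 0 -and (Test-Path $cfg)) {
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $secpol[$Matches[1]] = $Matches[2] }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
Add-Check 'Minimum password length' ($secpol['MinimumPasswordLength']) 10
Add-Check 'Password complexity'     ($secpol['PasswordComplexity'])    1

$results | Format-Table -AutoSize
if ($results.Status -contains 'FAIL') { exit 1 }
```

Account Policies set in a GPO linked to an OU apply to the local accounts of the computers in that OU; domain accounts such as j.doe take their password policy from a GPO linked at the domain level. A run as the standard user leaves the two password rows NOT CHECKED, while an elevated run under another account reads that account's HKCU rather than j.doe's.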