Enforcing Security and User Restrictions via Group Policy in a Windows Domain
Overview
This lab demonstrates how to create and enforce a client hardening policy using Group Policy in an Active Directory environment. The policy includes settings for password complexity, a login banner, and user interface restrictions like disabling Control Panel access.
| Skills Demonstrated |
|---|
| Creating a comprehensive security GPO with both computer and user configurations |
| Enforcing password complexity and length requirements via Group Policy |
| Setting a logon message and title for legal or informational notices |
| Restricting user access to the Control Panel through User Configuration |
| Organizing users and computers into separate OUs for structured policy targeting |
| Linking and applying multi-scope GPOs across multiple Organizational Units |
| Verifying GPO success through startup behavior and user restrictions |
| Tools Used |
|---|
| Windows Server (Active Directory Domain Services) |
| Windows 10 |
| Group Policy Management Console (gpmc.msc) |
| Group Policy Management Editor |
| Active Directory Users and Computers (dsa.msc) |
| Windows Settings |
1. Environment Setup
- Installed a Windows Server VM
- Created a local Administrator account
- Installed Active Directory Domain Services (AD DS)
- Promoted the server to a Domain Controller with the domain name: lab.local
- Created a domain user:
  - Name: John Doe
  - Logon Name: j.doe
2. Create Organizational Units
- Created LabComputers OU and added the Windows Client VM
- Created TestUsers OU and added John Doe
3. Create and Configure Client Hardening Policy
- Created a new GPO: Client Hardening Policy
4. Enforce Password Complexity
- Navigated to: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
- Set:
  - Minimum password length: 10
  - Password must meet complexity requirements: Enabled
5. Set Login Banner
- Navigated to: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Set:
  - Interactive logon: Message title for users attempting to log on: "Message title"
  - Interactive logon: Message text for users attempting to log on: "Message text"
6. Disable Control Panel
- Navigated to: User Configuration > Administrative Templates > Control Panel
- Enabled: Prohibit access to Control Panel
7. Link GPO to OUs
- Linked Client Hardening Policy to both LabComputers and TestUsers
8. Verify Policy Application on Client
- Upon login to the Windows Client, verified:
  - Login banner with set title and message appears
  - Control Panel access is blocked with an error message
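
The visual checks in step 8 can be backed by reading the values the policy writes on the client. The script below is an added example, not part of the original lab; the domain-qualified user name is assumed from this lab's values, and the registry locations are the standard ones used by the settings from steps 5 and 6.

```powershell
# Added verification sketch for the lab's Windows 10 client (not from the original lab).
# Run in an elevated PowerShell session while j.doe is logged on, so the user's
# registry hive is loaded under HKEY_USERS.
$user = 'lab.local\j.doe'   # assumption: domain-qualified name built from this lab's values

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not applied)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Step 4: export the effective local security policy and parse its "Name = Value" lines
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$sec = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $sec[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Step 5: the logon banner is stored as machine-wide policy values
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$title  = Get-RegValue $system 'LegalNoticeCaption'
$text   = Get-RegValue $system 'LegalNoticeText'

# Step 6: the Control Panel restriction is a per-user value, read from the user's hive by SID
$sid = ([System.Security.Principal.NTAccount]$user).Translate([System.Security.Principal.SecurityIdentifier]).Value
$explorer = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

$checks = [ordered]@{
    'Minimum password length is 10 (local)' = ($sec['MinimumPasswordLength'] -eq '10')
    'Password complexity enabled (local)'   = ($sec['PasswordComplexity'] -eq '1')
    'Logon banner title is set'             = (-not [string]::IsNullOrWhiteSpace("$title"))
    'Logon banner text is set'              = (-not [string]::IsNullOrWhiteSpace("$text"))
    'Control Panel prohibited for user'     = ((Get-RegValue $explorer 'NoControlPanel') -eq 1)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-40} {1}' -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' })
}

# Show where the GPO from step 3 appears in the resultant set of policy
gpresult /r /user $user | Select-String 'Client Hardening Policy'
```

The two password values read here are the client's local account policy. A Password Policy set in a GPO linked to an OU does not change the policy for domain accounts such as j.doe, which is taken from GPOs linked at the domain level.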
