{"id":1278,"date":"2025-12-25T06:31:36","date_gmt":"2025-12-25T06:31:36","guid":{"rendered":"https:\/\/yairmartinezcybersecurityportfolio.com\/?p=1278"},"modified":"2025-12-27T00:04:39","modified_gmt":"2025-12-27T00:04:39","slug":"active-directory-lab-environment-policy-security-and-automation","status":"publish","type":"post","link":"https:\/\/yairmartinezcybersecurityportfolio.com\/?p=1278","title":{"rendered":"Active Directory Lab \u2014 Environment, Policy, Security, and Automation"},"content":{"rendered":"\n<p>This post provides a high-level walkthrough of my Active Directory lab environment.<br>The intent is not to document every step, but to show how the environment is structured, how policies and security controls are applied, and how automation supports day-to-day operations.<\/p>\n\n\n\n<p>The full technical documentation, scripts, and validation steps are maintained on GitHub.<br>This post focuses on how the environment works as a complete system.<\/p>\n\n\n\n<p><strong>GitHub repository:<\/strong> <a href=\"https:\/\/github.com\/yairemartinez\/active-directory-labs\">https:\/\/github.com\/yairemartinez\/active-directory-labs<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Environment Overview<\/p>\n\n\n\n<p>This lab is built around a single Active Directory domain hosted on Windows Server 2022.<br>It includes multiple Windows 11 Pro clients, centralized identity management, Group Policy enforcement, security hardening, recovery mechanisms, and PowerShell automation.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Active Directory Structure and Identity Management<\/p>\n\n\n\n<p>[ Active Directory Users and Computers showing domain, OUs, users, and computers]<\/p>\n\n\n\n<div class=\"wp-block-stackable-image-box stk-block-image-box stk-hover-parent stk-block stk-7c69cd1 is-style-default\" data-block-id=\"7c69cd1\"><style>.stk-7c69cd1 {margin-bottom:0px !important;}<\/style><div 
class=\"stk-block-content stk-inner-blocks has-text-align-center stk-row stk-block-image-box__content\">\n<div class=\"wp-block-stackable-image stk-block-image stk-block stk-e03c061\" data-block-id=\"e03c061\"><style>:where(.stk-hover-parent:hover,  .stk-hover-parent.stk--is-hovered) .stk-e03c061 .stk-img-wrapper::after{background-color:#000000B3 !important;}<\/style><figure><span class=\"stk-img-wrapper stk-image--shape-stretch\"><img loading=\"lazy\" decoding=\"async\" class=\"stk-img wp-image-1312\" src=\"https:\/\/yairmartinezcybersecurityportfolio.com\/wp-content\/uploads\/2025\/12\/aduc-3.gif\" width=\"1254\" height=\"633\"\/><\/span><\/figure><\/div>\n\n\n\n<div class=\"wp-block-stackable-column stk-block-column stk-column stk-block stk-9e4044d\" data-v=\"4\" data-block-id=\"9e4044d\"><style>.stk-9e4044d {align-items:center !important;display:flex !important;}<\/style><div class=\"stk-column-wrapper stk-block-column__content stk-container stk-9e4044d-container stk--no-background stk--no-padding\"><div class=\"stk-block-content stk-inner-blocks stk-9e4044d-inner-blocks\"><\/div><\/div><\/div>\n<\/div><\/div>\n\n\n\n<p>This view shows the Active Directory domain (lab.local) hosted on DC01, including Organizational Units for users and computers.<br>Users are grouped under OU=LabUsers, computers under OU=LabComputers, and built-in containers are left intact.<\/p>\n\n\n\n<p>This structure allows Group Policy and delegated permissions to be applied cleanly without affecting privileged or system accounts.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Group Policy and Delegation<\/p>\n\n\n\n<p>[Group Policy Management Console showing linked GPOs]<\/p>\n\n\n\n<div class=\"wp-block-stackable-image-box stk-block-image-box stk-hover-parent 
stk-block stk-1873f54 is-style-default\" data-block-id=\"1873f54\"><div class=\"stk-block-content stk-inner-blocks has-text-align-center stk-row stk-block-image-box__content\">\n<div class=\"wp-block-stackable-image stk-block-image stk-block stk-6ca7b39\" data-block-id=\"6ca7b39\"><style>.stk-6ca7b39 .stk-img-wrapper{width:100% !important;height:442px !important;}:where(.stk-hover-parent:hover,  .stk-hover-parent.stk--is-hovered) .stk-6ca7b39 .stk-img-wrapper::after{background-color:#000000B3 !important;}<\/style><figure><span class=\"stk-img-wrapper stk-image--shape-stretch\"><img loading=\"lazy\" decoding=\"async\" class=\"stk-img wp-image-1308\" src=\"https:\/\/yairmartinezcybersecurityportfolio.com\/wp-content\/uploads\/2025\/12\/gpo-1.gif\" width=\"1254\" height=\"639\"\/><\/span><\/figure><\/div>\n\n\n\n<div class=\"wp-block-stackable-column stk-block-column stk-column stk-block stk-34a5fc1\" data-v=\"4\" data-block-id=\"34a5fc1\"><style>.stk-34a5fc1 {align-items:center !important;display:flex !important;}<\/style><div class=\"stk-column-wrapper stk-block-column__content stk-container stk-34a5fc1-container stk--no-background stk--no-padding\"><div class=\"stk-block-content stk-inner-blocks stk-34a5fc1-inner-blocks\"><\/div><\/div><\/div>\n<\/div><\/div>\n\n\n\n<p>Group Policy Objects are linked at the OU level to enforce user and computer settings across the domain.<br>Policies shown here include user restrictions, mapped drives, folder redirection, and delegated permissions.<\/p>\n\n\n\n<p>Delegation allows the Helpdesk group to reset passwords and unlock accounts in OU=LabUsers without granting full administrative access, reflecting least-privilege practices used in real environments.<\/p>\n\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<p>Core Infrastructure Services (DHCP and DNS)<\/p>\n\n\n\n<p>[DHCP management console showing scope and options]<\/p>\n\n\n\n<div class=\"wp-block-stackable-image-box stk-block-image-box stk-hover-parent stk-block stk-d231a0c is-style-default\" data-block-id=\"d231a0c\"><style>.stk-d231a0c {margin-bottom:0px !important;}<\/style><div class=\"stk-block-content stk-inner-blocks has-text-align-center stk-row stk-block-image-box__content\">\n<div class=\"wp-block-stackable-image stk-block-image stk-block stk-35830bb\" data-block-id=\"35830bb\"><style>.stk-35830bb .stk-img-wrapper{width:100% !important;height:359px !important;}:where(.stk-hover-parent:hover,  .stk-hover-parent.stk--is-hovered) .stk-35830bb .stk-img-wrapper::after{background-color:#000000B3 !important;}<\/style><figure><span class=\"stk-img-wrapper stk-image--shape-stretch\"><img loading=\"lazy\" decoding=\"async\" class=\"stk-img wp-image-1315\" src=\"https:\/\/yairmartinezcybersecurityportfolio.com\/wp-content\/uploads\/2025\/12\/dhcp-1.gif\" width=\"1125\" height=\"468\"\/><\/span><\/figure><\/div>\n\n\n\n<div class=\"wp-block-stackable-column stk-block-column stk-column stk-block stk-67ac484\" data-v=\"4\" data-block-id=\"67ac484\"><style>.stk-67ac484 {align-items:center !important;display:flex !important;}<\/style><div class=\"stk-column-wrapper stk-block-column__content stk-container stk-67ac484-container stk--no-background stk--no-padding\"><div class=\"stk-block-content stk-inner-blocks stk-67ac484-inner-blocks\"><\/div><\/div><\/div>\n<\/div><\/div>\n\n\n\n<p>The Domain Controller also provides core infrastructure services for the lab network (10.0.0.0\/24).<br>DHCP is configured with a defined IPv4 scope, DNS options pointing to DC01, and client reservations to ensure consistent addressing.<\/p>\n\n\n\n<p>These services allow domain-joined systems to reliably locate Active Directory, DNS, and Group Policy services.<\/p>\n\n\n\n<hr 
class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Recovery and Operational Readiness<\/p>\n\n\n\n<p>[Active Directory Administrative Center showing Deleted Objects \/ Recycle Bin]<\/p>\n\n\n\n<div class=\"wp-block-stackable-image-box stk-block-image-box stk-hover-parent stk-block stk-05e1034 is-style-default\" data-block-id=\"05e1034\"><style>.stk-05e1034 {margin-bottom:0px !important;}<\/style><div class=\"stk-block-content stk-inner-blocks has-text-align-center stk-row stk-block-image-box__content\">\n<div class=\"wp-block-stackable-image stk-block-image stk-block stk-f94833e\" data-block-id=\"f94833e\"><style>.stk-f94833e .stk-img-wrapper{width:100% !important;height:432px !important;}:where(.stk-hover-parent:hover,  .stk-hover-parent.stk--is-hovered) .stk-f94833e .stk-img-wrapper::after{background-color:#000000B3 !important;}<\/style><figure><span class=\"stk-img-wrapper stk-image--shape-stretch\"><img loading=\"lazy\" decoding=\"async\" class=\"stk-img wp-image-1319\" src=\"https:\/\/yairmartinezcybersecurityportfolio.com\/wp-content\/uploads\/2025\/12\/recyclebin-1.gif\" width=\"1250\" height=\"640\"\/><\/span><\/figure><\/div>\n\n\n\n<div class=\"wp-block-stackable-column stk-block-column stk-column stk-block stk-3db6b58\" data-v=\"4\" data-block-id=\"3db6b58\"><style>.stk-3db6b58 {align-items:center !important;display:flex !important;}<\/style><div class=\"stk-column-wrapper stk-block-column__content stk-container stk-3db6b58-container stk--no-background stk--no-padding\"><div class=\"stk-block-content stk-inner-blocks stk-3db6b58-inner-blocks\">\n<div class=\"wp-block-stackable-subtitle stk-block-subtitle stk-block stk-72e8024\" data-block-id=\"72e8024\"><style>.stk-72e8024 {margin-bottom:8px !important;opacity:0 !important;}:where(.stk-hover-parent:hover,  .stk-hover-parent.stk--is-hovered) .stk-72e8024{opacity:1 !important;}.stk-72e8024 .stk-block-subtitle__text{color:#FFFFFF !important;}<\/style><p class=\"stk-block-subtitle__text 
stk-subtitle has-text-color has-white-color\"><\/p><\/div>\n<\/div><\/div><\/div>\n<\/div><\/div>\n\n\n\n<p>Recovery capabilities are built into the environment to support real operational scenarios.<br>The Active Directory Recycle Bin is enabled, allowing deleted users and groups to be restored with attributes and group memberships intact.<\/p>\n\n\n\n<p>This provides fast object-level recovery without requiring authoritative restores or full system recovery.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Client-Side Policy and Security Enforcement<\/p>\n\n\n\n<p>[Windows 11 client showing applied policies]<\/p>\n\n\n\n<div class=\"wp-block-stackable-image-box stk-block-image-box stk-hover-parent stk-block stk-0c7f660 is-style-default\" data-block-id=\"0c7f660\"><style>.stk-0c7f660 {margin-bottom:0px !important;}<\/style><div class=\"stk-block-content stk-inner-blocks has-text-align-center stk-row stk-block-image-box__content\">\n<div class=\"wp-block-stackable-image stk-block-image stk-block stk-5e6afa9\" data-block-id=\"5e6afa9\"><style>.stk-5e6afa9 .stk-img-wrapper{width:100% !important;height:423px !important;}:where(.stk-hover-parent:hover,  .stk-hover-parent.stk--is-hovered) .stk-5e6afa9 .stk-img-wrapper::after{background-color:#000000B3 !important;}<\/style><figure><span class=\"stk-img-wrapper stk-image--shape-stretch\"><img loading=\"lazy\" decoding=\"async\" class=\"stk-img wp-image-1284\" src=\"https:\/\/yairmartinezcybersecurityportfolio.com\/wp-content\/uploads\/2025\/12\/ShareX_Vul8AFl8Tl.gif\" width=\"1920\" height=\"947\"\/><\/span><\/figure><\/div>\n\n\n\n<div class=\"wp-block-stackable-column stk-block-column stk-column stk-block stk-5a70ee4\" data-v=\"4\" data-block-id=\"5a70ee4\"><style>.stk-5a70ee4 {align-items:center !important;display:flex !important;}<\/style><div class=\"stk-column-wrapper stk-block-column__content stk-container stk-5a70ee4-container stk--no-background 
stk--no-padding\"><div class=\"stk-block-content stk-inner-blocks stk-5a70ee4-inner-blocks\"><\/div><\/div><\/div>\n<\/div><\/div>\n\n\n\n<p>From the Windows 11 client perspective, domain policies and security controls are applied automatically.<\/p>\n\n\n\n<p>This includes user restrictions, mapped resources, folder redirection, and security hardening features such as LAPS and BitLocker.<\/p>\n\n\n\n<p>Policies follow the user across multiple workstations, demonstrating centralized management rather than device-specific configuration.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Automation and Day-to-Day Operations<\/p>\n\n\n\n<p>PowerShell is used to automate common administrative workflows, including bulk user provisioning and help desk account management.<\/p>\n\n\n\n<p>Automation reduces manual effort, enforces consistency, and supports least-privilege operations by running under delegated permissions rather than full administrative access.<\/p>\n\n\n\n<p>Remote management is handled through PowerShell Remoting, allowing systems to be administered without relying on interactive RDP sessions.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Closing Summary<\/p>\n\n\n\n<p>This Active Directory lab demonstrates a complete environment rather than isolated configurations.<br>It brings together identity management, policy enforcement, infrastructure services, security hardening, recovery planning, and automation into a single, cohesive system.<\/p>\n\n\n\n<p>The GitHub repository contains the full technical documentation and scripts.<br>This post serves as a visual overview of how the environment is structured and how it operates in practice. Thanks for reading. 
\ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post provides a high-level walkthrough of my Active Directory lab environment.The intent is not to document every step, but to show how the environment is structured, how policies and security controls are applied, and how automation supports day-to-day operations. The full technical documentation, scripts, and validation steps are maintained on GitHub.This post focuses on [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1290,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[65,1,64],"tags":[61,62,63],"class_list":["post-1278","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory","category-projects","category-windows","tag-active-directory","tag-dhcp","tag-dns"],"_links":{"self":[{"href":"https:\/\/yairmartinezcybersecurityportfolio.com\/index.php?rest_route=\/wp\/v2\/posts\/1278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yairmartinezcybersecurityportfolio.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/yairmartinezcybersecurityportfolio.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/yairmartinezcybersecurityportfolio.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/yairmartinezcybersecurityportfolio.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1278"}],"version-history":[{"count":19,"href":"https:\/\/yairmartinezcybersecurityportfolio.com\/index.php?rest_route=\/wp\/v2\/posts\/1278\/revisions"}],"predecessor-version":[{"id":1347,"href":"https:\/\/yairmartinezcybersecurityportfolio.com\/index.php?rest_route=\/wp\/v2\/posts\/1278\/revisions\/1347"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/yairmartinezcybersecurityportfolio.com\/index.php?rest_route=\/wp\/v2\/media\/1290"}],"
wp:attachment":[{"href":"https:\/\/yairmartinezcybersecurityportfolio.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/yairmartinezcybersecurityportfolio.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/yairmartinezcybersecurityportfolio.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}