wrightcyber.com

Active Directory Lab (Centerpiece)

Domain build + baseline GPO + file server shares/permissions. Built to mirror real-world Windows infrastructure.
Domain: ad.wrightcyber.lab
NetBIOS: WRIGHTCYBER
DC: Windows Server 2022
VMs: DC01 / WS01 / SRV01
Network: Hyper-V NAT
Status: in progress

overview

what this proves
Skills: AD DS + DNS deployment, domain join workflow, OU/group design (AGDLP), baseline GPO, SMB shares + NTFS permissions, validation + troubleshooting.
Deliverables: a working domain, repeatable build steps, evidence screenshots, and a troubleshooting log. Later: downloadable summary PDF.
This project is the foundation for the rest of the lab. The automation and troubleshooting projects will build on this environment.

topology

vm inventory
Diagram coming soon. For now, here’s the VM inventory and roles.
Host   OS                             Role                              Notes
DC01   Windows Server 2022 Standard   Domain Controller (AD DS) + DNS   Authoritative DNS for ad.wrightcyber.lab
WS01   Windows 11                     Domain-joined client              Used for GPO validation and access testing
SRV01  Windows Server 2022 Standard   Member server / File server       SMB shares + NTFS permissions (AGDLP)
Networking: Hyper-V NAT switch so VMs can reach the internet for updates while staying isolated from the home network.

objectives

definition of done
  • DC01 promoted, AD DS + DNS healthy [core]
  • WS01 joined to domain, domain users can log in [core]
  • SRV01 joined, file shares created [core]
  • OU structure + users/groups created (AGDLP) [core]
  • Baseline GPO applied and verified (gpresult/RSOP) [core]
  • End-to-end access test: correct access + denied access proof [proof]

build plan

phases
phase 1
Hyper-V networking + VM builds
NAT vSwitch, create DC01/WS01/SRV01, baseline OS installs.
phase 2
DC01 promote (AD DS + DNS)
Create forest: ad.wrightcyber.lab, verify DNS + AD health.
phase 3
Join WS01 + SRV01
Set client DNS to DC01, join domain, validate login.
phase 4
OUs + users + groups (AGDLP)
Create standard departments, groups, and role-based access model.
phase 5
Baseline GPO
Password/lockout, RDP policy, basic auditing, update policy (later).
phase 6
File server shares + permissions
SRV01 shares + NTFS, validate access and denied access.
phase 7
Validation + evidence capture
Screenshots, commands used, and troubleshooting notes.
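Phases 1 to 3 above are one procedure, so here is the whole sequence as PowerShell. This is an added example, not the lab's own build script. The subnet (10.10.10.0/24), the DC address (10.10.10.10), the switch name LabNAT, the adapter alias "Ethernet" and the WRIGHTCYBER\build join account are assumptions; the page says the IP plan is not yet final.

```powershell
### Phase 1 - on the Hyper-V host: internal vSwitch + NAT
### (subnet and switch name are assumed; the page's IP plan is not finalized)
New-VMSwitch -SwitchName "LabNAT" -SwitchType Internal
$ifIndex = (Get-NetAdapter -Name "vEthernet (LabNAT)").ifIndex
New-NetIPAddress -IPAddress 10.10.10.1 -PrefixLength 24 -InterfaceIndex $ifIndex   # host side = VMs' default gateway
New-NetNat -Name "LabNAT" -InternalIPInterfaceAddressPrefix "10.10.10.0/24"        # outbound internet, isolated from the LAN

### Phase 2 - on DC01: static IP, then AD DS + DNS forest
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 10.10.10.10 -PrefixLength 24 -DefaultGateway 10.10.10.1
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "ad.wrightcyber.lab" -DomainNetbiosName "WRIGHTCYBER" -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") -Force   # reboots when done

# health checks after the reboot (evidence for the "AD DS + DNS healthy" item)
dcdiag /test:dns /v
Get-ADDomainController | Select-Object HostName, IPv4Address, IsGlobalCatalog
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.ad.wrightcyber.lab" -Type SRV   # the SRV record clients need to find a DC

### Phase 3 - on WS01 and SRV01: DNS must point at DC01 before the join (the page's DNS rule)
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 10.10.10.10
Add-Computer -DomainName "ad.wrightcyber.lab" -Credential (Get-Credential "WRIGHTCYBER\build") `
    -OUPath "OU=Workstations,DC=ad,DC=wrightcyber,DC=lab" -Restart   # use OU=Servers,... for SRV01
```

Placing the computer object with -OUPath at join time keeps WS01 and SRV01 out of the default Computers container, so the Workstations and Servers GPOs apply on the first boot after the join.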

naming + ip plan

standards
Domain: ad.wrightcyber.lab • NetBIOS: WRIGHTCYBER
VM names: DC01, WS01, SRV01
DNS rule: domain members point to DC01 for DNS (common join/trust issues come from wrong DNS).
IP plan will be documented once the vSwitch subnet is finalized. (NAT vSwitch keeps this isolated.)

ad design

ou + group strategy
Department-driven OU layout with AGDLP group model for scalable permissions.
Area      Standard                                       Notes
OUs       Workstations, Servers, Users, Groups, Admins   Keep policy targets clean (WS vs Servers vs Users)
Accounts  Separate admin accounts (after build)          Use a "build" account initially; create admin accounts before hardening
Groups    AGDLP                                          Accounts → Global Groups → Domain Local Groups → Permissions
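The OU and AGDLP layout in the table, built with the ActiveDirectory module, as an added example (not the lab's own script). The group names follow the file-server table on this page; the department codes, the sample user alice.hr and the placement of all groups under OU=Groups are assumptions.

```powershell
# Run on DC01 with the build account
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName          # DC=ad,DC=wrightcyber,DC=lab

# OUs from the standard; protection stops an accidental delete of a policy target
foreach ($ou in "Workstations", "Servers", "Users", "Groups", "Admins") {
    New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# AGDLP: Accounts -> Global group (per department) -> Domain Local group (per permission) -> ACL
# Department codes are assumed; the group names match this page's file-server table.
$groupsOU = "OU=Groups,$domainDN"
$pairs = @{ "HR" = "HR"; "FIN" = "FIN"; "IT" = "IT"; "All" = "Public" }   # GG suffix -> DL suffix
foreach ($gg in $pairs.Keys) {
    $global = "GG_${gg}_Users"
    $local  = "DL_$($pairs[$gg])_RW"
    New-ADGroup -Name $global -GroupScope Global      -GroupCategory Security -Path $groupsOU
    New-ADGroup -Name $local  -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU
    Add-ADGroupMember -Identity $local -Members $global      # the only link between people and permissions
}

# Sample user (assumed): goes into the Global group only; never into a DL group or an ACL directly
New-ADUser -Name "Alice HR" -SamAccountName "alice.hr" -UserPrincipalName "alice.hr@ad.wrightcyber.lab" `
    -Path "OU=Users,$domainDN" -AccountPassword (Read-Host -AsSecureString "Initial password") -Enabled $true
Add-ADGroupMember -Identity "GG_HR_Users" -Members "alice.hr"
Add-ADGroupMember -Identity "GG_All_Users" -Members "alice.hr"

# Proof: the DL group should contain only Global groups, and the user should appear only via nesting
Get-ADGroupMember -Identity "DL_HR_RW" | Select-Object Name, objectClass
Get-ADGroupMember -Identity "DL_HR_RW" -Recursive | Select-Object Name, objectClass
```

The recursive membership query is the quick check that the model is intact: if a user shows up in the non-recursive listing of a DL group, someone bypassed the Global group and the AGDLP chain no longer describes who has access.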

gpo baseline

policy + verification
account policies
Password + lockout
Set domain password policy and lockout threshold; verify on WS01.
remote access
RDP restrictions
Limit RDP to an admin group; validate denied access with standard user.
audit
Basic auditing
Enable core audit categories; prove events are generated in Event Viewer.
Verification method: gpresult /r or RSOP on WS01 + screenshot of applied policies.
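The three policy areas above plus the verification step, as an added PowerShell example (not the lab's own configuration). The password, lockout and timespan values are assumed lab choices, as are the GPO name and the Workstations OU path; the page states the areas, not the numbers.

```powershell
# Run on DC01 (ActiveDirectory + GroupPolicy modules). All numeric values below are assumptions.
Import-Module ActiveDirectory, GroupPolicy
$domain = "ad.wrightcyber.lab"
$wsOU   = "OU=Workstations,DC=ad,DC=wrightcyber,DC=lab"

# Account policies: this cmdlet edits the Default Domain Policy's password + lockout settings directly
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 15) -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# Remote access: a GPO linked to the Workstations OU. Requiring NLA is a registry-backed setting.
# The "Allow log on through Remote Desktop Services" user right (the part that limits RDP to the admin
# group) is a Security Settings item with no registry value; set it in the GPMC editor on the same GPO.
$gpo = New-GPO -Name "WS - RDP Restrictions" -Comment "Require NLA; RDP user right limited to admin group (set in GPMC)"
New-GPLink -Name $gpo.DisplayName -Target $wsOU -LinkEnabled Yes | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
    -ValueName "UserAuthentication" -Type DWord -Value 1 | Out-Null

# Audit: the core categories are set in the GPO under Advanced Audit Policy Configuration (GPMC);
# the commands below confirm on WS01 that they arrived and that events are being written.

# ---- Verification on WS01 (run there after the link) ----
# gpupdate /force
# gpresult /r                                      # applied GPOs for computer and user
# net accounts                                     # lockout threshold / min length actually in effect
# Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Evidence\rsop-ws01.html
# auditpol /get /category:"Logon/Logoff"           # audit subcategories delivered by the GPO
# Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4625} -MaxEvents 5   # failed logons after a bad-password test
```

Evidence worth keeping with the screenshots: `net accounts` output from WS01 (the lockout threshold is the setting most often left at 0 by accident) and one 4625 event captured after a deliberate bad-password attempt, which proves the audit category is live rather than just listed in RSOP.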

file server + permissions

SRV01 • AGDLP
Goal: realistic SMB shares + NTFS permissions using AGDLP (scales cleanly).
Department  Global Group (Users)  Domain Local Group (Permission)  Share / NTFS
HR          GG_HR_Users           DL_HR_RW                         \\SRV01\HR (Modify)
Finance     GG_FIN_Users          DL_FIN_RW                        \\SRV01\Finance (Modify)
IT          GG_IT_Users           DL_IT_RW                         \\SRV01\IT (Modify)
All Staff   GG_All_Users          DL_Public_RW                     \\SRV01\Public (Modify)
Proof plan: log into WS01 as an HR user → access HR share ✓ → attempt Finance share ✗ (screenshot denied).
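The share table and the proof plan as PowerShell, added here as an example and not the lab's own script. The data drive path D:\Shares and the decision to break NTFS inheritance on each department folder are assumptions; the share names and DL group names are the ones in the table.

```powershell
# Run on SRV01 as a domain admin. Paths are assumed; group and share names come from the table.
$shares = @(
    @{ Name = "HR";      Path = "D:\Shares\HR";      Group = "WRIGHTCYBER\DL_HR_RW" },
    @{ Name = "Finance"; Path = "D:\Shares\Finance"; Group = "WRIGHTCYBER\DL_FIN_RW" },
    @{ Name = "IT";      Path = "D:\Shares\IT";      Group = "WRIGHTCYBER\DL_IT_RW" },
    @{ Name = "Public";  Path = "D:\Shares\Public";  Group = "WRIGHTCYBER\DL_Public_RW" }
)

$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$prop    = [System.Security.AccessControl.PropagationFlags]::None

foreach ($s in $shares) {
    New-Item -ItemType Directory -Path $s.Path -Force | Out-Null

    # NTFS: block inheritance so the drive root's Users ACE does not leak in, then add explicit ACEs.
    # Only the DL group gets Modify (matches the table); people reach it via GG -> DL nesting.
    $acl = Get-Acl -Path $s.Path
    $acl.SetAccessRuleProtection($true, $false)      # protect from inheritance, drop inherited ACEs
    foreach ($admin in "NT AUTHORITY\SYSTEM", "BUILTIN\Administrators") {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $admin, "FullControl", $inherit, $prop, "Allow")))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $s.Group, "Modify", $inherit, $prop, "Allow")))
    Set-Acl -Path $s.Path -AclObject $acl

    # Share permissions: Change for the DL group, Full for admins. NTFS is the effective control;
    # the share ACL just needs to be at least as permissive for the groups that should get in.
    New-SmbShare -Name $s.Name -Path $s.Path -ChangeAccess $s.Group -FullAccess "BUILTIN\Administrators" | Out-Null
}

# Evidence for the "shares created + permissions view" screenshot
Get-SmbShare | Where-Object Name -in $shares.Name | Format-Table Name, Path
Get-SmbShareAccess -Name "HR"
(Get-Acl -Path "D:\Shares\HR").Access | Format-Table IdentityReference, FileSystemRights, AccessControlType

# ---- Proof plan, run on WS01 logged in as the HR user ----
# Test-Path "\\SRV01\HR"        -> True  (member of GG_HR_Users -> DL_HR_RW -> Modify)
# Test-Path "\\SRV01\Finance"   -> False (no path through a Finance group; screenshot the Access Denied)
# New-Item "\\SRV01\HR\hr-proof.txt" -ItemType File   -> succeeds, proving Modify rather than Read
```

Breaking inheritance is the step most often skipped in labs: without it, the default "Users: Read & execute" ACE inherited from the drive root lets every authenticated user read Finance, and the denied-access screenshot cannot be produced.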

validation & proof

screenshots to capture
  • DC01 promotion success (Server Manager / AD DS)
  • DNS resolution working (nslookup internal names)
  • WS01 domain join success + domain login
  • GPO applied proof (gpresult / RSOP)
  • SRV01 shares created + permissions view
  • Access allowed + denied access evidence

troubleshooting log

short entries
Add issues as they happen. Keep it: Symptom → Cause → Fix → Prevention.
Placeholder entry: Domain join fails
  Likely cause: client DNS points to router instead of DC01.
Placeholder entry: Kerberos / time skew
  Likely cause: time difference between client and DC.
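A pre-flight script for the two placeholder entries above (wrong client DNS, clock skew), plus the DNS and join checks from the screenshot list. It is an added example rather than the lab's own tooling; the DC address 10.10.10.10 and the adapter alias "Ethernet" are assumptions.

```powershell
# Run on WS01 or SRV01 before a join, or after one fails. DC address and adapter alias are assumed.
$domain = "ad.wrightcyber.lab"
$dcFqdn = "DC01.$domain"
$dcIp   = "10.10.10.10"

# Symptom: join fails / "domain could not be contacted"
# Cause:   client DNS points at the router, which cannot answer for ad.wrightcyber.lab
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses
"DNS servers in use: $($dns -join ', ')"
if ($dns -notcontains $dcIp) {
    "FAIL: DNS does not include DC01 ($dcIp). Fix: Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses $dcIp"
}
# The real test: the DC locator SRV record must resolve from this client
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
    "OK: DC locator SRV -> $($srv.NameTarget -join ', ')"
} catch {
    "FAIL: SRV lookup for $domain failed ($($_.Exception.Message)); join will not succeed until DNS is fixed"
}

# Symptom: Kerberos errors, GPO not applying, login works with cached creds only
# Cause:   clock offset beyond the Kerberos tolerance (5 minutes by default)
w32tm /stripchart /computer:$dcFqdn /samples:3 /dataonly       # prints offset per sample
# Fix:        w32tm /resync    (domain members sync from the DC automatically once joined)
# Prevention: keep Hyper-V time sync enabled for the DC, or point DC01 at an external NTP source

# Post-join confirmation (evidence for the join screenshot)
nltest /dsgetdc:$domain                  # which DC answered, and the site/flags it advertised
Test-ComputerSecureChannel -Verbose      # True = machine account trust with the domain is healthy
```

The SRV lookup is the check to run first: `ping dc01` can succeed through the router's cache while the `_ldap._tcp.dc._msdcs` record still fails, and the join error only mentions the domain name, not DNS.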

build log


downloads

optional
  • AD Lab Summary PDF (coming soon)
  • Topology diagram image (coming soon)
  • GPO backup/export (later)
© wrightcyber.com