
Task 1: Account Lockout GPO

For security and compliance reasons, the CIO needs an account lockout policy implemented on our Windows workstation. An account lockout disables access to an account for a selected period of time after a set number of failed login attempts. This policy will defend against brute-force attacks, in which attackers can rapidly enter a million passwords within a couple of minutes.

It's important to note a few considerations about account lockouts. Refer to the documentation here. You'll only need to read the Account Lockout Tradeoffs and Baseline Selection sections.

To summarize, an overly restrictive account lockout policy (for example, locking an account for 10 hours after 2 failed attempts) can potentially keep an account locked out forever if an attacker repeatedly attempts to access it in some automated way.

Instructions

  • So, keeping that in mind, you are tasked with setting an account lockout group policy for the Windows 10 VM that you deem is reasonable. Use the name Account Lockout for this Group Policy Object.
  • You can choose to go with Microsoft's 10/15/15 recommendation if you wish.
  • When creating the GPO in your Windows Server VM, keep in mind that you're looking for computer configuration policies to apply to your GC Computers OU.
  • Document your reasoning for your specific lockout policy.
  • Link the GPO to the OU your Windows 10 VM is in.
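
Once the GPO is linked, the workstation's effective values can be checked against the baseline you chose. The following is an added example, not part of the original assignment: it parses `net accounts` output and compares it with 10/15/15, read here as threshold 10, duration 15 minutes and observation window 15 minutes. The function names and the sample output are constructed for illustration.

```powershell
# Constructed sample of `net accounts` output from a workstation that received
# the policy (English-language Windows; values are illustrative).
$sample = @'
Lockout threshold:                                    10
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
Computer role:                                        WORKSTATION
'@

function ConvertFrom-NetAccounts {
    # Turn "Label:    value" lines into a hashtable keyed by label.
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<key>.+?):\s{2,}(?<value>\S.*)$') {
            $result[$Matches.key.Trim()] = $Matches.value.Trim()
        }
    }
    $result
}

function Test-LockoutBaseline {
    # Compare parsed values with the expected baseline (defaults: 10/15/15).
    param(
        [hashtable]$Policy,
        [int]$Threshold = 10, [int]$DurationMinutes = 15, [int]$WindowMinutes = 15
    )
    $checks = [ordered]@{
        'Lockout threshold'                    = $Threshold
        'Lockout duration (minutes)'           = $DurationMinutes
        'Lockout observation window (minutes)' = $WindowMinutes
    }
    foreach ($name in $checks.Keys) {
        # A threshold reported as "Never" means lockout is disabled, so it never matches.
        [pscustomobject]@{
            Setting  = $name
            Expected = $checks[$name]
            Actual   = $Policy[$name]
            Match    = ($Policy[$name] -eq "$($checks[$name])")
        }
    }
}

$policy = ConvertFrom-NetAccounts -Lines ($sample -split "`r?`n")
Test-LockoutBaseline -Policy $policy | Format-Table -AutoSize
# On the Windows 10 VM, pass the live output instead: -Lines (net accounts)
```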

Task 2: Create a File Share for the Developers

For this task, refer to the Create a File Share for the Sales Team section in the following guide, then complete the following:

  • Within the Windows Server VM, use the referenced guide to create a network file share named dev and add the Development group as permitted users.
  • Add the Write permission.
  • Disable inheritance and convert inherited permissions to explicit permissions.
  • Remove the two User (GOODCORP\Users) principals.
  • Log into the Windows 10 VM as GOODCORP\Andrew with the password: Ilovedev!.
  • Open the file explorer and test the new file share by replacing the current navigation URL (it will probably be set to something like This PC or C:\Users\etc.) with \\(your-AD-computer-name)\dev.

Note: You should have set the Windows Server VM name to ad during one of your earlier activities. If you did that step successfully, you want to navigate to \\ad\dev within the file explorer to access the network file share.
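
The same share and permission changes can be expressed in PowerShell, which makes the resulting ACL easy to review. This is an added example, not the procedure from the referenced guide; it assumes the folder is C:\Shares\dev, the group is GOODCORP\Development, and that share-level Change access is acceptable.

```powershell
# Run in an elevated PowerShell session on the Windows Server VM.
$path  = 'C:\Shares\dev'            # assumed location of the share folder
$group = 'GOODCORP\Development'     # assumed group name

New-Item -ItemType Directory -Path $path -Force | Out-Null
# Share-level permission; the NTFS ACL below is what narrows access further.
New-SmbShare -Name 'dev' -Path $path -ChangeAccess $group | Out-Null

# Disable inheritance and convert inherited entries to explicit ones.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $path -AclObject $acl

# Re-read the ACL so the converted entries appear as explicit rules,
# then drop every entry whose principal is a "Users" group.
$acl = Get-Acl -Path $path
foreach ($rule in @($acl.Access)) {
    if ($rule.IdentityReference.Value -like '*\Users') {
        [void]$acl.RemoveAccessRule($rule)
    }
}

# Grant the Development group read access plus Write, inherited by children.
$grant = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $group, 'ReadAndExecute, Write', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($grant)
Set-Acl -Path $path -AclObject $acl

# Verify: no *\Users entry remains and nothing is still inherited.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```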

Bonus 1: Log in as GoodCorp\Bob and attempt to access all file shares

  • Repeat the same process in the Windows Server VM to set up the file share and permissions so that the Sales group can access a new file share named Sales.
  • In the Windows 10 VM, log in as GoodCorp\Bob, and test the user's access to \\(your-AD-computer-name)\sales.
  • While still logged in as Bob, attempt to access \\(your-AD-computer-name)\dev. What happens?

Bonus 2: Comparing SIDs for the Sales and Dev Teams

Using the shared guide as a reference, retrieve the SIDs for your Domain and then the Sales and Developer groups.

You can use and edit the following PowerShell commands within the Windows Server VM to double-check SIDs and RIDs.

  • Get-ACL \\(your-AD-computer-name)\dev | Format-List
  • Get-ADPrincipalGroupMembership -Identity Bob | Format-Table -Property Name, SID
  • Get-ADUser -Filter * | Format-List Name, SID

After completing this bonus task, it's important to understand that these are the access control rules that align groups to resource permissions.
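
To make the comparison concrete, the following added example (not from the shared guide) splits each group SID into its domain part and its RID and checks the domain part against the domain SID. The SID values are constructed samples, and the group names Sales and Development are assumptions.

```powershell
function Compare-GroupSid {
    # Split each SID into its domain part and RID and compare with the domain SID.
    param(
        [Parameter(Mandatory)][string]$DomainSid,
        [Parameter(Mandatory)][hashtable]$GroupSids   # group name -> SID string
    )
    $domain = [System.Security.Principal.SecurityIdentifier]::new($DomainSid)
    foreach ($name in ($GroupSids.Keys | Sort-Object)) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($GroupSids[$name])
        [pscustomobject]@{
            Group      = $name
            Sid        = $sid.Value
            DomainPart = $sid.AccountDomainSid.Value   # everything before the RID
            Rid        = $sid.Value.Split('-')[-1]     # last sub-authority
            SameDomain = $sid.IsEqualDomainSid($domain)
        }
    }
}

# Constructed sample values; real SIDs will differ in every domain.
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$groups = @{
    Sales       = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
    Development = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
}

Compare-GroupSid -DomainSid $domainSid -GroupSids $groups | Format-Table -AutoSize

# Live values on the Windows Server VM (ActiveDirectory module):
#   $domainSid = (Get-ADDomain).DomainSID.Value
#   $groups = @{}
#   'Sales', 'Development' | ForEach-Object { $groups[$_] = (Get-ADGroup -Identity $_).SID.Value }
```

Both groups share the domain part and differ only in the RID, which is the value an ACL entry uses to tell them apart.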

Task 3: Create a logon script GPO

Before you begin:

  • You need to ensure that you have the \\(your-AD-computer-name)\Dev file share set up from Task 2. If you haven't completed those steps, do them now.

Instructions

The CIO also wants to make life easier and more automated for our new developers. He wants developers to immediately have a PowerShell window ready as soon as they log into a domain-joined Windows 10 workstation (VM).

In order to do this, we're going to need to create a script that will execute via a group policy whenever a developer logs into a machine.

You are tasked with creating a project folder for our developers within the Windows Server VM and then creating a GPO that executes a script when the developer logs into the Windows 10 VM. While you're creating that GPO, you'll need to create the script that launches PowerShell to the project folder.

Set up the Projects folder for Developers

  • Within the Windows Server VM, create a Projects folder in the Dev file share directory by navigating to C:\Shares\Dev. You'll notice that your file shares exist in this C:\Shares drive within the Windows Server VM.

Create the Launch Code GPO.

We need a developer team group policy that will launch PowerShell when they log in.

  • Within the Windows Server VM, create a GPO called Launch Code.
  • Edit the policy in User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff). You'll find the settings you need to set in Properties or by double-clicking the Logon policy name.
  • Choose the PowerShell Scripts tab.
  • Click Add to add a PowerShell script. For the Script Name, click Browse to see where these scripts launch from.
  • Right-click and go to New, Text Document. Name it whatever you want.
  • With the Browse window still open, right-click that new file and select Edit to open Notepad. Enter the following script, replacing the (your-AD-computer-name) placeholder with your Windows Server VM computer name:
start powershell -WorkingDirectory \\(your-AD-computer-name)\dev\Projects 

After logging into an account within the developer group, this script will launch PowerShell at the file share directory: \\(your-AD-computer-name)\Dev\Projects.

  • Go to File, Save As, name the file launchcode.ps1, and save as the All Files type. Click Save. This will save a new file as a PowerShell script.
  • Right-click and delete the original text document you created.

Now all that's left is to test it!

  • On the Windows 10 VM, log in as GoodCorp\Andrew with the password: Ilovedev!.
  • After logging in as the developer, Andrew, you should see a PowerShell window open when you log in! And if you inspect the PowerShell window, you will see that you are working within the dev\Projects file share directory!

Submission Guidelines:

Provide the following for each step:

  • Deliverable 1: Submit a note of your reasoning for your account lockout policy.
  • Deliverable 2: Submit a screenshot of your Account Lockout Policies in Group Policy Management Editor. It should show the three values you set under the columns Policy and Policy Setting.
  • Deliverable 3: Submit a screenshot of what happens after you log in as Andrew after setting up the login script.
