# Active Directory Project

The goal of this project is to gain an understanding of the basics of Active Directory (AD). In this project, I perform some of the key actions administrators are tasked with, from managing users to creating new groups and setting orginational policies. 

The inspiration for this project is from a hypothetical ticket delivered to the service desk, pictured below.

![alt](Images/Ticket.png)

From the above, we can help the admin team with some of their current tickets.

# User Management

In any organization, efficient user management is crucial for maintaining security and ensuring smooth operations. This section focuses on fundamental Active Directory (AD) tasks, including creating new user accounts and managing existing ones, such as unlocking accounts when users are locked out.

## Create new users

![alt](Images/add-user.png)

To add a new user in Active Directory, start by navigating to the appropriate Organizational Unit (OU) where the user will be placed. Right-clicking on the OU and selecting "New" followed by "User" opens the user creation wizard. In this wizard, you'll need to input the user’s details, such as their first name, last name, and logon name.

![alt](Images/add-user2.png)

After entering the necessary information, proceed to set up the account settings, including the initial password and any specific logon requirements, like forcing the user to change their password upon first login. Once all the details are confirmed and configured as needed, finalize the process by clicking "Finish." The new user account will now appear in the selected OU, ready for further configuration or immediate use.

![alt](Images/add-user3.png)

## Unlock User Account

Managing user accounts in Active Directory often includes addressing issues like account lockouts. When a user is locked out due to multiple unsuccessful login attempts, administrators must quickly unlock their account to restore access and maintain productivity.

![alt](Images/unlock-account.png)

To unlock a user account, begin by opening the "Active Directory Users and Computers" console. Use the "Find" option to search for the user by name, such as "Adam Masters," in this example.

![alt](Images/unlock-account2.png)

Once located, right-click on the user’s name and select the "Reset Password" option.

![alt](Images/unlock-account3.png)

In the "Reset Password" dialog, set a new password for the user if needed, and check the "Unlock the user's account" option. This will clear the lockout status. Ensure the "User must change password at next logon" option is selected if required by your organization's security policy. Click "OK" to apply these changes. The user account is now unlocked and ready for the user to access with the updated credentials.

![alt](Images/unlock-account4.png)

# Creating a Group and Organizational Unit (OU)

Organizational Units (OUs) and groups are essential components in Active Directory for managing and organizing resources, users, and permissions effectively. OUs are used to organize objects within a domain into a hierarchical structure, while groups are created to manage user permissions collectively, allowing for streamlined administration.

In this section, we'll demonstrate how to create a new Organizational Unit (OU) named "Security Analysts" and set up a corresponding security group within that OU. This process helps to maintain an organized structure and simplifies the management of users who share similar roles or permissions.

![alt](Images/new-ou.png)

To start, right-click on the desired parent OU, select "New," and choose "Organizational Unit." Enter the name of the new OU, in this case "Security Analysts," and ensure the option to "Protect container from accidental deletion" is checked. This step helps to safeguard against unintentional deletions of the entire OU.

![alt](Images/new-ou2.png)

Next, within the newly created "Security Analysts" OU, right-click and select "New," then choose "Group." We provide a name for the group, "Security Analysts," and set the group scope and type according to the organizational needs.

![alt](Images/new-group.png)

Here, a "Domain Local" scope and "Security" type are selected. Choosing a "Domain Local" scope allows the group to be used to assign permissions to resources within the same domain, which is ideal for managing access to domain-specific resources like file shares, printers, or other domain-joined systems. 

![alt](Images/new-group2.png)

With the security group created, the final step involves adding relevant users to this group. Select the users who need to be part of the "Security Analysts" group, right-click, choose "All Tasks," and then "Add to a group."

![alt](Images/add-user-group.png)

In the "Select Groups" dialog, enter the group name and confirm the selection. This action assigns the selected users to the group, granting them the predefined permissions and access levels.

![alt](Images/add-user-group2.png)

# Setting Group Policies

Group Policy is a powerful feature in Active Directory that allows administrators to manage the configuration and behavior of users and computers within an organization. By creating and applying Group Policy Objects (GPOs), administrators can enforce security settings, deploy software, and manage desktop configurations across all domain-joined machines. This section demonstrates how to create a new GPO for the "Security Analysts" Organizational Unit (OU) and link it to the desired target using PowerShell and the Group Policy Management Console (GPMC).

![alt](Images/PowerShell.png)

To create a new Group Policy Object (GPO), begin by copying an existing GPO template. In this case, the "Logon Banner" GPO is used as a base to create a new GPO named "Security Analysts Control." Using the Copy-GPO cmdlet in PowerShell, specify the source GPO and the target name for the new GPO. Once the GPO is created, it is linked to the appropriate OU using the New-GPLink cmdlet, ensuring the GPO applies to the "Security Analysts" OU specifically. This script-based method provides a quick and efficient way to replicate and apply policies across different parts of the organization. 

![alt](Images/new-gpo.png)

In addition to using PowerShell, you can also create and link a GPO directly within the GPMC. Right-click within the "Group Policy Objects" folder and select "New." Enter the name for the new GPO, such as "Security Analysts Control," and configure it as needed. This method provides a graphical interface for creating and managing GPOs, which can be more intuitive for administrators who prefer working within a GUI environment. This also allows for the linking performed in the second command of our powershell.

![alt](Images/new-gpo2.png)

# Modifying Group policies

Group Policy Objects (GPOs) can be customized to enforce specific security measures and configurations across domain-joined devices. This section demonstrates how to modify a GPO to block access to removable drives for enhanced security and to allow specific user groups, such as Security Analysts, to use the command prompt.

![alt](Images/modify-gpo.png)

To enhance security by preventing unauthorized data transfers, we modify the "Security Analysts Control" GPO to block access to all removable storage devices. Start by right-clicking on the GPO and selecting "Edit" to open the Group Policy Management Editor. Navigate to Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access. 

![alt](Images/storage-devices.png)

Here, select the policy "All Removable Storage classes: Deny all access" and set it to "Enabled." This configuration prevents users from accessing any removable storage devices, such as USB drives, ensuring data remains secure within the network.

![alt](Images/storage-device2.png)

While restrictive measures like blocking the command prompt can improve security, certain user groups, such as Security Analysts, require access for their roles. In the "Security Analysts Control" GPO, navigate to User Configuration > Policies > Administrative Templates > System. Find the policy "Prevent access to the command prompt" and set it to "Disabled" for this user group. 

![alt](Images/cmd-prompt.png)

This policy change allows Security Analysts to use the command prompt while keeping it restricted for other users, balancing security needs with operational requirements. 

![alt](Images/cmd-prompt2.png)

# Conclusion

This project demonstrated the essential tasks involved in managing Active Directory, including creating and organizing users, setting up Organizational Units (OUs) and security groups, and configuring Group Policy Objects (GPOs) to enforce security measures. By effectively managing these aspects of Active Directory, administrators can ensure a secure, organized, and efficient IT environment that supports the organization's operational needs. This project highlighted the importance of structured user management, tailored group policies, and the strategic use of PowerShell for streamlined administration. These skills are critical in maintaining a robust and secure network infrastructure.