*All credit for this lab goes to Simokid on GitHub. This is my walkthrough.
Windows 10 (Helpdesk): Join PC to Domain, RSAT Tool, Server Manager
For Part 4, we will create a new Windows 10 VM. We will join the Windows 10 machine to the SimoTech.com domain, use the RSAT tool to perform some administrative tasks, and utilize Server Manager to manage the domain and roles in the server.
The first step is to download a Windows 10 .iso file. You can download it here: https://www.microsoft.com/en-us/software-download/windows10
Once it’s finished downloading we create a new machine in VirtualBox.
After this, click “Finish” and then start the machine. Now it’s time to install Windows 10.
After installing, the machine will automatically restart.
Now our Windows 10 virtual machine is ready.
Now that we have both of our virtual machines, we want to configure the network so that our WIndows 10 machine is in the domain and both machines can interact with each other. So, close Windows 10 and open Windows Server 2022.
Now, we are going to modify the network settings for the virtual machine. Click “Devices” in the VM taskbar.
Change Adapter 1 from “Attached to: NAT” to “Attached to: Host-only Adapter”.
After this, open Windows 10 and go to “Computer Management”.
By default the Administrator account is disabled. Uncheck this box.
Sign out of the user account, and login as the Administrator account.
The User account can be accessed without a password, so we will remove the account to prevent any unauthorized access or security breaches.
We sign out again to make sure that the User account has been successfully deleted and that the password protected Administrator account is the only account available. This hardens the security of our Windows 10 machine.
The next step is to download the RSATs ( Remote Server Administration Tools) to enable access to Active Directory on a local level.
After installing the RSATs we need to restart the machine.
We can verify to see that the RSATs are installed.
Add the Windows 10 machine to the SimoTech.com domain. First, change the Windows 10 computer name to “Desktop1”.
Restart again. Then go to Microsoft Edge and download Google Chrome. Then in Chrome download TeamViewer Full Client 64-bit. TeamViewer will allows us to access other machines remotely and fulfill our Helpdesk duties.
Now we must configure the network and assign a static IP for our Windows 10 machine to join it with the SimoTech.com domain. Do it just how we did previously with the Windows Server 2022 machine.
Go to the network settings for the virtual machine like we did previously with the WIndows Server 2022 machine and change the adapter from being attached to NAT to being attached to Host-only Adapter.
We have established the static IPs and networks, so now we will perform a ping test to see if our machines can connect to each other. I had to have my Windows Server 2022 machine open at the same time as the Windows 10 machine in order to successfully ping it.
Since the machines can connect to each other we can join the WIndows 10 machine to the SimoTech.com domain. Make sure the Windows Server 2022 machine is open alongside the WIndows 10 machine.
Verify that the Windows 10 machine was joined to the domain successfully by opening Windows Server 2022 and going to “Active Directory Users and Computers”
Create a password for the HelpDesk user account, and then log back into the Windows 10 machine with it.
We have successfully joined the Windows 10 machine to the SimoTech.com domain. We downloaded the RSATs, Team Viewer, and Google Chrome.
Windows 10 (Employee) : Join PC to Domain with Local User, Group Policy, and RSOP Reports
For Part 5, we will create a new Windows 10 machine. This new machine will act as a typical user, an employee. It will be used for testing. Use the same Windows 10 .iso file the we used for our previous Windows 10 machine.
Then click finish and then start up the machine to install the WIndows 10 OS.
After selecting “Windows 10 Pro”, select “Custom: Install Windows only (advanced)”.
After Windows 10 is done installing select “Personal Use” and then “Offline account”. Create a “User” account but don’t assign a password.
We have successfully created the Windows 10 (Employee) machine or Desktop2. Now we will create a user for this computer. Open Windows 10 (Helpdesk) or Desktop1. Make sure Windows Server 2022 is running alongside it. So all of our 3 machines will be running together.
On Windows 10 (Helpdesk) open “ Active Directory Users and Computers”. Create 2 organizational units. One called “HR” and another called “IT”.
Now we will create a new user in Active Directory. Right click on “Users” and follow the steps.
Now we will move our new user, “Naruto”, into the HR organizational unit. Right click on “Naruto” and click “Move” and then select “HR” and “OK”. Also move the user “Helpdesk” into the IT organizational unit. To verify their user creation click “View” in the top bar and “Advanced Features”. Then verify the user is in the correct organizational unit.
Go to Server Manager and click “Tools” and then “Group Policy Management.”
Let’s look at the group policy for the domain controller.
This domain policy report is crucial for Helpdesk because it provides all policy information related to user accounts. For example we can see that under Account Lockout Policy that the account lockout threshold is set to “0 invalid logon attempts”. This poses a security risk, because a malicious user can attempt to login an infinite amount of times, making the account susceptible to brute force attacks. We can edit this policy and harden the accounts security.
After configuring the Account Lockout Policy, we can configure the Password Policy.
Now we must “Enforce” these policies.
Verify that the policies have been changed successfully by refreshing the page. Now the report has our edited policy.
Now go back to Windows 10 (Employee) and change the computer name to “Desktop2” and then restart the machine.
After the restart is complete, we can enable the Administrator account. After going to “Administrator Properties” in “Computer Management”, make sure you uncheck the “Account is disabled” option. Then set the password for the administrator.
Now sign out and login to the Administrator account.
After logging into the Administrator account we will remove the user login screen to make the machine more secure.
Now we will configure the network for Windows 10 (Employee) and assign a static IP address.
Now that we have joined Windows 10 (Employee) to the SimoTech.com domain and configured the network. We will go to Windows 10 (Helpdesk) and verify that Windows 10 (Employee) (Desktop2) was added to the domain successfully.
After Windows 10 (Employee) has restarted, login to the local user account “Naruto”.
After logging in as the local user, perform a ping test to ensure that Desktop2 can connect to the domain controller.
Use “ipconfig” to ensure proper network configuration.
Lastly, use the command “net use Naruto /domain” to see if our local user can access domain resources with valid credentials.
Now we have finished Part 5 of the lab. Tasks completed:
Joined Desktop 2 to the SimoTech.com domain as a local user on a Windows 10 machine
Configured and analyzed policy settings
Navigated Group Policy Management
Performed administration and troubleshooting, using CMD and generating Resultant Set of Policy (RSOP) reports
Exploring Active Directory Issues & Troubleshooting with CMD
In Part 6, we will learn how to spot and fix typical Active Directory problems like users being unable to log in or accounts getting locked. We will use CMD to troubleshoot issues with domain access, account verification, and similar problems. We will also practice what to do when a computer is disconnected from the domain—checking its network connection and domain status. Throughout this, we’ll get comfortable using logs, CMD, and networking tools to figure out what’s wrong and how to fix it.
First, we will ping the Windows Server 2022 machine from the local user account, Naruto, on the Windows 10 (Employee) machine. The ping Windows 10 (Employee) from Windows Server 2022.
We see the ping test for Windows Server 2022 to Windows 10 (Employee) failed. This issue is coming from the firewall on Windows 10 (Employee), Windows Defender. We must disable the firewall.
After disabling Windows Defender, go back to WIndows Server 2022 and perform the ping test again. Now the ping is successful.
We can prolong the ping test and allow Windows Server 2022 to ping it indefinitely by entering “ping 12.1.10.4 -t”. This will allow us to see network activity over a longer period of time. The standard ping test sends only 4 packets, which is good to see simply if one machine can connect to another machine. But if we want a more in depth look at the connectivity this command can be useful. The pinging will end only if Windows 10 (Employee) is shutdown or if we end the ping inside the command prompt.
Go back to Windows 10 (Employee) on the local user Naruto account. Open the command prompt as Administrator, using the HelpDesk login credentials, and type this command “gpresult /r > c:\results.txt”. This command will create a group policy report for the PC and store it in the C: drive.
There is no data yet, so the report gives us this message…
To see a list of commands that update multiple Group Policy settings, use the command “gpupdate /help”.
Use the command “Gpresult /?” to display a list of available options for the command.
Use the command “gpresult /r /USER Naruto” to see the RSOP (Resultant Set of Policy) report for the local user Naruto.
One common problem Helpdesk faces is user lockout. Test this by signing out of the local user account and intentionally entering in the wrong password multiple times.
On Windows 10 (Helpdesk) we will act as the helpdesk professional helping the employee who has been locked out. Go to “Active Directory Users and Computers” and search for the locked out user “Naruto”.
Now we can login to the locked out account.
Next, we’ll simulate the issue where Naruto’s account is disabled and he forgets the password.
Now, as a helpdesk professional we can go and enable his account and assign him a new password since he forgot it.
Now you can assign a new password to Naruto’s account.
Now we’ll simulate another issue where the local user’s account expires due to inactivity or because an administrator set an expiration date. Go to “Naruto” in Active Directory Users and Computers. Set the account expiration date to a date that’s already passed.
If a user’s account expires the helpdesk professional can resolve the issue by setting the account expiration date to “Never”.
Now we can login to Naruto’s account again.
We can make sure Naruto’s account is valid by going into the HelpDesk account and running the command “net user Naruto /domain”. We can see that the account is active and that the account never expires.
Next, we will simulate the issue where a computer has fallen off of the domain.
Try to login in on the WIndows 10 (Employee) machine with the HelpDesk credentials.
Sometimes we can simply fix this issue by enabling the computer.
Now, we will simulate the same issue but in a different way. Go to the Active Directory on the HelpDesk machine and delete Desktop2.
Now create a new user that we will use to test with.
Try to login on Desktop2 with the Test account and we should see and error.
To add Desktop2 back into the domain log into the administrator account with “.\administrator” and enter the password.
After successfully logging in as the administrator go to “About my PC” then go to “Advanced system settings” then “change” and change “Member of” to “Workgroup”. Then restart.
After restarting, login as Administrator and repeat the same process but now change the domain back to “SimoTech.com”.
After restarting, go back to Windows 10 (Helpdesk) and we can see in Active Directory Users and Computers that Desktop2 has been added back to the domain.
Now we have finished Part 6 of the lab. Tasks completed:
Handled frequent issues in Active Directory, like user login problems or account lockouts
Used Command Prompt tools to troubleshoot and fix domain connection and authentication problems
Solved cases where a computer was disconnected from the domain by checking network settings and domain membership
