*All credit for this lab goes to Simokid on GitHub. This is my walkthrough.
Security Groups, Mapped Drives, Personal Drives, Permission Management
In Part 7 we will focus on configuring Security Groups, Mapped Drives, Personal Drives, Permission Management.
On Windows Server 2022 in the Server Manager go to “File and Storage Services” and right click to create a new Share. We are creating the Mapped and Personal Drives.
Do the same process but this time name the Share “Personal”.
Now we will create a Security Group by going to Active Directory Users and Computers.
Go to “Advanced” and find the helpdesk account and then click on it.
Do the same process but create a group called “Personal” run by the HelpDesk account.
Go back to the “Shares” folder and copy the Network Path and paste it into the Description of the Personal Security Group in Active Directory Users and Computers.
Repeat the same process for the HR Security Group and then go to HR “Properties” and go to “Members” then add the local user “Naruto” to the group.
Add the local user Naruto to the Personal Security Group as well.
Then we can verify that Naruto was added successfully to the Security Groups.
Now we will set the correct permissions. GO to the Shares folder and right click the “Personal” folder and click “Properties”. Then follow the steps below.
Select the first option “Convert inherited permissions…”.
Now remove the “Users”.
Now add HelpDesk as a “Principal” and give it Modify permissions.
Do the same process for the group “Personal”.
Go to the “Sharing” tab in Personal Properties and change Personal’s Permission Level to Read/Write. Click “Share”.
Do the same process with the HR folder.
Give the HR group “read/write” properties in the sharing properties.
Check the local user Naruto’s access to the HR folder. Login to Windows 10 (Employee). Type “\\Server2022\HR” into the address bar.
We can map the Personal drive in a different way by going to Windows Server 2022.
Then we go back to Windows 10 (Employee) logged in as the local user Naruto and we map the network drive again and create the drive for Naruto.
Now we can see both the Personal drive and HR drive are mapped.
Windows 10 Remote Access: Remote Desktop, Remote Registry
In Part 8 we will configure remote access for Windows 10, practice with the Remote Registry tool to manage registry settings, configuring and using Remote Desktop to manage Windows machines, and utilizing C$ administrative share.
First, we will allow remote connections to Naruto’s PC. Open Windows 10 (Employee). Go to “About your PC” and then “Advanced system settings”. Click the circle for “Allow remote connections to this computer” and then “Select Users”
Add HelpDesk as one of the Remote Desktop Users.
Since Remote Desktop is enabled go to Windows 10 (Helpdesk) and we will remotely connect to Windows 10 (Employee) on Naruto’s account.
As a help desk professional remotely connecting to Naruto’s PC, we can create a new folder for him.
We can also manage the content of Naruto’s AppData directory. To access the AppData type AppData in the file directory bar.
Next, we can disconnect from Remote Desktop and then log into Naruto’s account on Windows 10 (Employee). We can see the new folder “Test” that we created from the Windows 10 (Helpdesk) while connected to Remote Desktop.
On Windows 10 (Employee) open CMD and type “net use” to see all the network drives mapped on the system.
Another way to see the network drives is to go to “Services” and enable “Remote Registry”. For “Services” run it as administrator and login using HelpDesk credentials.
Now back on Window 10 (Helpdesk), open “Registry Editor” and follow these steps.
Under “HKEY_USERS” after browsing the directory we see that in the “Network” directory we can see the shared drives that are mapped to our system, “P” and “Z”.
We can use the “C$” command to get remote access to the C drive on Windows 10 (Employee) / Desktop2. We do this from Windows 10 (Helpdesk).To do this type “\\Desktop2\c$” into the File Directory bar at the top left.
Delete the “Test” folder we created earlier on Naruto’s Desktop. Then go to Windows 10 (Employee) and login to Naruto’s account. The “Test” folder is not there anymore.
RSOP, Group Policy, Task Manager, and Disable Logoff
In Part 9, we will focus on RSOP (Resultant Set of Policy) to generate reports on the policies applied to computers and users in the domain. Then we will configure Group Policy to change logoff policies and Task Manager access. Troubleshoot policy application issues using RSOP and Group Policy tools.
First, log into Windows Server 2022 and we will disable Task Manager. Go to the “Server Manager” then “Tools” then “Group Policy Management”.
Under “Group Policy Objects” we can configure the Task Manager policy and disable it.
After enabling “Remove Task Manager” and “Remove Change Password” go back to “Group Policy Management” and drag and drop “Task Manager” into “HR”.
Right click on “Task Manager” in “HR” and then right click on “Enforced” to enact enforcement of the policy.
Now, login to Naruto’s account on Windows 10 (Employee) and open CMD and type this command “gpupdate /force” to refresh the Group Policy settings for this computer and user.
Now you can see by right clicking on the task bar that “Task Manager” is greyed out.
Press “ctrl+alt+del” and you can see “Change Password” is no longer there either, which means the Group Policy was changed successfully.
Check which policies have been applied to Naruto’s computer by going to CMD and inputting the command “gpresult /r”. For example, we can see the Task Manager policy we created under “Applied Group Policy Objects”.
If you type the command “taskmgr” a notification about Task Manger’s being disabled pops up.
Now open CMD as an administrator and run the command “taskmgr”. Task Manager should open because you bypass the disable Task Manager policy as an admin.
Now go onto the Windows Server 2022 computer and open “Group Policy Management”. We will create a Group Policy report.
After clicking “Next” I received this error message.
To fix it I logged into Naruto’s account on Windows 10 (Employee) and ran “Services” as administrator. Then I started running the service RPC Locator. Both RPC and RPC Locator must be running.
