Context

A company has 3 sites, each with 1 Windows server:
- SRV-CHA (AD) in Chassignieu (company headquarters)
- SRV-VIR in Virieu
- SRV-BLA in Blandin
Each site contains 2 departments:
- Administrative
- Technical
And the headquarters contains 3:
- Management
- Administrative
- Technical
Organizational Units (OU) Structure
SRV-CHA
├── Management (OU)
│   └── GG-CHA-DIR
│       ├── CEO (user)
│       └── HR (user)
├── Administrative (OU)
│   └── GG-CHA-ADM
│       └── ADM1C (user)
└── Technical (OU)
    └── GG-CHA-TECH
        └── TECH1C (user)

SRV-VIR
├── Administrative (OU)
│   └── GG-VIR-ADM
│       └── ADM1V (user)
└── Technical (OU)
    └── GG-VIR-TECH
        └── TECH1V (user)

SRV-BLA
├── Administrative (OU)
│   └── GG-BLA-ADM
│       └── ADM1B (user)
└── Technical (OU)
    └── GG-BLA-TECH
        └── TECH1B (user)

The GGs (Global Groups) link users to LGs.
They group all users from the same department.
Each user belongs to their department's GG.
Shares and Permissions
SRV-CHA
├── DATA-CHA (share)
│   ├── Tech-Common
│   │   └── GL-SRV-CHA-DATA-TECH-COMMON-FC
│   ├── Adm-Common
│   │   ├── GL-SRV-CHA-DATA-TECH-COMMON-FC
│   │   └── GL-SRV-CHA-DATA-ADM-COMMON-R
│   ├── Adm-Chassignieu
│   │   ├── GL-SRV-CHA-DATA-ADM-CHASSIGNIEU-FC
│   │   └── GL-SRV-CHA-DATA-ADM-CHASSIGNIEU-R
│   ├── Tech-Chassignieu
│   │   └── GL-SRV-CHA-DATA-TECH-CHASSIGNIEU-FC
│   └── Management  [GL-SRV-CHA-DATA-MANAGEMENT-FC]
│       ├── Investments
│       └── HR
├── PROFILES-CHA (share)
└── DBASE-CHA (share)

SRV-VIR
├── DATA-VIR (share)
│   ├── Adm-Virieu
│   │   ├── GL-SRV-VIR-DATA-ADM-VIRIEU-FC
│   │   └── GL-SRV-CHA-DATA-ADM-VIRIEU-R
│   └── Tech-Virieu
│       └── GL-SRV-VIR-DATA-TECH-VIRIEU-FC
├── PROFILES-VIR (share)
└── DBASE-VIR (share)

SRV-BLA
├── DATA-BLA (share)
│   ├── Adm-Blandin
│   │   ├── GL-SRV-BLA-DATA-ADM-BLANDIN-FC
│   │   └── GL-SRV-CHA-DATA-ADM-BLANDIN-R
│   └── Tech-Blandin
│       └── GL-SRV-BLA-DATA-TECH-BLANDIN-FC
├── PROFILES-BLA (share)
└── DBASE-BLA (share)

We will use the above topology for this entire practical work.
The steps detailed below indicate the procedure to follow to create each element.
Creating an OU
An OU (Organizational Unit) is an Active Directory container used to manage a set of objects (users, groups, computers).
In the diagram above, we can see that there are "sub-Organizational Units":
For example, the user CEO is located in SRV-CHA > Management, i.e. in the sub-OU Management, which depends on the OU SRV-CHA.
- Go to the server SRV-CHA (Active Directory):
Creating a GG
A Global Group allows grouping one or more users.
Creating a User
Creating an LG
LGs (Domain Local Groups) apply rights to resources. The suffix of each LG gives the right it carries:
- FC: Full Control
- R: Read
Creating the "DATA" shared folder
Enable Access-based Enumeration
With Access-based Enumeration enabled, a user browsing the share sees only the folders they have access to (at least read); folders they cannot open are hidden rather than shown and denied.
Linking a User to GG
Linking a GG to LG
Applying an LG to Shared Directory
This applies the LG's permission (FC or R) to the shared path through the folder's NTFS permissions.
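As an added example (not part of this write-up), the whole chain described in the previous sections for one department, the Blandin technical department on SRV-BLA, in PowerShell: OU, GG, LG, user, GG-in-LG, hidden share with Access-based Enumeration, then the NTFS permission for the LG. The domain DN, the domain NetBIOS name and the disk path are placeholders; the group and user names are those of the topology above.

```powershell
Import-Module ActiveDirectory
Import-Module SmbShare

$domainDn = 'DC=lab,DC=local'  # placeholder domain DN
$netbios  = 'LAB'              # placeholder domain NetBIOS name
$siteOu   = "OU=SRV-BLA,$domainDn"
$techOu   = "OU=Technical,$siteOu"
$root     = 'D:\DATA-BLA'      # placeholder share root on SRV-BLA

# 1. Site OU and department sub-OU
New-ADOrganizationalUnit -Name 'SRV-BLA'   -Path $domainDn
New-ADOrganizationalUnit -Name 'Technical' -Path $siteOu

# 2. Global group (A -> G): all users of the department
New-ADGroup -Name 'GG-BLA-TECH' -GroupScope Global -GroupCategory Security -Path $techOu

# 3. Domain local group (DL -> P): the group that carries the NTFS right
New-ADGroup -Name 'GL-SRV-BLA-DATA-TECH-BLANDIN-FC' -GroupScope DomainLocal -GroupCategory Security -Path $techOu

# 4. User in the sub-OU, linked to the department GG
$pw = Read-Host -AsSecureString 'Initial password for TECH1B'
New-ADUser -Name 'TECH1B' -SamAccountName 'TECH1B' -Path $techOu -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity 'GG-BLA-TECH' -Members 'TECH1B'

# 5. GG -> LG (users are never placed directly in the LG)
Add-ADGroupMember -Identity 'GL-SRV-BLA-DATA-TECH-BLANDIN-FC' -Members 'GG-BLA-TECH'

# 6. Hidden share with Access-based Enumeration; the share-level permission is
#    left wide so that the NTFS ACLs below are the effective control
New-Item -ItemType Directory -Path "$root\Tech-Blandin" -Force | Out-Null
New-SmbShare -Name 'DATA-BLA$' -Path $root -FolderEnumerationMode AccessBased -FullAccess 'NT AUTHORITY\Authenticated Users'

# 7. NTFS: break inheritance on the department folder and grant only the LG
#    (plus Administrators) Full Control, inherited by sub-folders and files
$acl = Get-Acl -Path "$root\Tech-Blandin"
$acl.SetAccessRuleProtection($true, $false)   # $false = do not keep the inherited ACEs
foreach ($who in "$netbios\GL-SRV-BLA-DATA-TECH-BLANDIN-FC", 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $who, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "$root\Tech-Blandin" -AclObject $acl

# Check: every member of the GG must appear as an effective member of the LG
Get-ADGroupMember -Identity 'GL-SRV-BLA-DATA-TECH-BLANDIN-FC' -Recursive | Select-Object -ExpandProperty SamAccountName
```

Run it once per department and per site, changing the names; the R groups of the topology get the same treatment with 'ReadAndExecute' instead of 'FullControl'.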
Base Folder
The base folder is simply an empty directory for each user, where they can store their documents for example. This folder is in a shared path.
Create network share
Link base folder to user
Mapping Network Drives
Each user automatically maps up to 3 network drives at logon (the common share, the site-partitioned share and the base folder, depending on their location), through the logon script assigned to them:

Chassignieu:
net use Y: \\SRV-CHA\DATA-CHA$
Note: this script contains only 2, since both the Common and the partitioned folders are in DATA-CHA.

Virieu:
net use Y: \\SRV-CHA\DATA-CHA$
net use Z: \\SRV-VIR\DATA-VIR$

Blandin:
net use Y: \\SRV-CHA\DATA-CHA$
net use Z: \\SRV-BLA\DATA-BLA$

Example: take a user located in Blandin:
- X: will contain the base folder \\SRV-BLA\DBASE-BLA$\USER_NAME
- Y: will contain the common shared directory \\SRV-CHA\DATA-CHA$ (the user only sees the folders of the common share they have access to, at least read)
- Z: will contain the site shared directory \\SRV-BLA\DATA-BLA$ (the user only sees the folders they have access to, at least read; this is the site partitioning)
Create scripts
Link script to user
Roaming Profiles
Roaming Profiles make it easier to change machine or site: the user profile is stored remotely on a shared directory and follows the user at logon.
Create shared directory
Link profile to user
Testing a Domain User
Warning: you must be a local administrator of the machine to join it to the domain.