Module7
In this lab, I configured a Windows Server Core machine as a file server and added it to my DC server for ease of management. I used the sconfig feature to configure hostname, accounts, and networking. Remembering to first add the new server to DNS, I then joined it to the domain. On my DC, I had to add File Service tools and File Server Resource Manager Tools in order to manage the file server. I then added FS01 to Server Manager on the DC. Following that, I made some organizational units and group policies, which I'll go further into below.
- Functions almost entirely on the command line - must know PowerShell
- Typically managed remotely
- Contains similar functionality to a GUI Windows server
- Uses fewer resources, since there's no GUI
- The lack of a GUI also leads to a smaller attack surface
An existing policy limited access to the file server so that only people in the Sales group (which was created as an OU in Active Directory) could access it. This policy was meant to automatically populate a shared drive into the users' File Explorer.
- Enter Group Policy Management
- Left click to create a new GPO (or Group Policy Object) and link it to the domain
- This policy will be created in User Configuration Preferences, within the Group Policy Management Editor
- Right-click the option Map Drives, and create a new mapped drive
- A window will appear with many options
- Your action should be Update, since this will propagate any changes made to the drive mapping each time the policy reapplies
- The location is simply the file path to the server that you wish to map the drive to, using proper UNC formatting (\\server_name\path\resource)
- The reconnect box should be checked
- The Show This Drive option should also be checked
- Remove Authenticated Users from the Security Filtering setting
- Add the user group who should be affected by the policy - in this case, Sales-Users
- Add Domain Computers - since it's a user-based policy, it should be allowed to be seen by all PCs
- In the Delegation tab, deny Domain Computers' rights to apply group policy. They should have read-only permissions
- Restart the affected PC or run the command gpupdate /force
- Log in with a relevant user account
- Ensure that the policy has been applied with the command gpresult /r
- Test to ensure that the applied policy is functioning as intended
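
The security-filtering steps above can also be applied and audited from PowerShell on the DC. This is an added example, not part of the original lab: the GPO name Sales-Drive-Map is a hypothetical placeholder, and the script gives Domain Computers Read without Apply instead of setting an explicit deny entry in the Delegation tab.

```powershell
# Added example. Run on the DC (or any host with the GroupPolicy RSAT module).
Import-Module GroupPolicy

$GpoName = 'Sales-Drive-Map'   # hypothetical name; use the GPO created in the lab

# Desired security filtering, in the order it is applied.
# Domain Computers gets Read before Authenticated Users is removed, so the
# GPO is never left unreadable by the computers that process it.
$Desired = [ordered]@{
    'Domain Computers'    = 'GpoRead'   # read-only, no Apply
    'Sales-Users'         = 'GpoApply'  # the only group the policy applies to
    'Authenticated Users' = 'None'      # removed from Security Filtering
}

foreach ($trustee in $Desired.Keys) {
    # -Replace clears the trustee's current level first, so an existing
    # higher level (for example Apply) is lowered instead of kept.
    Set-GPPermission -Name $GpoName -TargetName $trustee -TargetType Group `
        -PermissionLevel $Desired[$trustee] -Replace | Out-Null
}

# Audit: read the permissions back and report anything that differs from $Desired.
$acl      = Get-GPPermission -Name $GpoName -All
$findings = @()

foreach ($trustee in $Desired.Keys) {
    $entry  = $acl | Where-Object { $_.Trustee.Name -eq $trustee }
    $actual = if ($entry) { [string]$entry.Permission } else { 'None' }
    if ($actual -ne $Desired[$trustee]) {
        $findings += "$trustee has '$actual', expected '$($Desired[$trustee])'"
    }
}

# Any other trustee that can apply the GPO widens who receives the mapped drive.
$acl | Where-Object { $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -notin $Desired.Keys } |
    ForEach-Object { $findings += "unexpected Apply right: $($_.Trustee.Name)" }

if ($findings.Count -eq 0) {
    "OK: security filtering on '$GpoName' matches the lab steps"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Running the audit half again after later GPO edits shows whether Authenticated Users or another group has regained the Apply right.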