Assignment 12
Adam Motasem Alhamdan
19th of November 2025
Contents
[Link] Windows Server 2019
Selecting the Windows Server Edition
Windows Installation Process
Completing Installation
Initial Server Configuration (Server Manager Dashboard)
Installing Server Roles: AD DS, DNS, DHCP, IIS, and Group Policy Management
Promoting the Server to a Domain Controller
Preparing the Windows 11 Client Machine
Configuring the Network Adapter (Static IP Address Setup)
Configuring the Windows 11 Client to Connect to the Domain Controller
Configuring DNS on the Windows 11 Client
Testing Connectivity with Ping
Verifying Client Connectivity to the Domain Controller
Entering the Domain Name
[Link] Organizational Units (OUs) and Adding New Users
3. Hosting the IT Services Website Using IIS
Creating a New Website
Configuring DNS for the Custom Hostname
Testing the Website on the Windows 11 Client
4. Group Policy and Access Control
4.1 Creating a New GPO for HR Restrictions
4.2 Blocking Access to Command Prompt and PowerShell
4.3 Blocking Access to the Control Panel
4.4 Blocking Access to Removable Storage (USB Devices)
4.5 Restricting HR Login Hours (8 AM – 5 PM)
Table of Figures
Windows Server 2019 setup 1
Windows Server 2019 2
Installing server roles 3
Promoting to DC 4
Pathing to The network Configuration 5
Getting IP of DC 6
Connecting IP of DC to machine 7
Testing Connectivity 8
Machine becoming a part of AD 9
Success 10
Figure 11
Creating user 12
Password config for user 13
Showing the user made for each ou 14
Showing user for each ou 2 15
Creating a new website 16
Configuring DNS record 17
Website result 18
GPO 19
Before cmd changes 20
List the disabled cmd and pswh 21
Control panel prohibited 22
Blocked all removable storages 23
Changed the hours 24
Setting up Active Directory Lab
In this documentation, I will demonstrate the full setup of an Active Directory environment from
scratch. The objective is to build a functional lab that includes a Domain Controller, DNS,
DHCP, IIS web server, and two Windows 11 client machines.
To complete this setup, a virtualization platform is required. You may use VMware Workstation,
Hyper-V, or VirtualBox. For this lab, I will be using VMware Workstation as the hypervisor.
The operating systems used in the environment are:
• Windows Server 2019 – will function as the Domain Controller (DC), DNS, DHCP, and
IIS server.
• Windows 11 – will act as domain-joined client machines.
This document will walk through each configuration step in detail, including installation,
network setup, domain deployment, user and OU creation, Group Policy configuration, and final
testing.
[Link] Windows Server 2019
After creating the virtual machine and booting from the Windows Server 2019 ISO, the first step
is to select the edition of Windows Server that will be installed.
Selecting the Windows Server Edition
In this step, I selected Windows Server 2019 Standard Evaluation (Desktop Experience) as
shown in the screenshot below.
• The Desktop Experience option installs the full graphical user interface (GUI).
• This is required for easier management, especially for tasks such as configuring Active
Directory, DNS, DHCP, and IIS.
• The Server Core edition is more lightweight, but it does not include a GUI and is not
necessary for this lab.
Windows Server 2019 setup 1
Windows Installation Process
After selecting the edition, Windows Server begins the installation process. The setup
automatically performs the following tasks:
• Copying Windows files
• Getting files ready for installation
• Installing features and updates
• Finalizing setup
Windows Server 2019 2
Completing Installation
Once the installation completes, the system will restart automatically.
After rebooting, I proceeded to:
• Create the local Administrator password
• Log in to the server for the first time
• Begin configuring network settings in preparation for promoting the server to a Domain
Controller
Initial Server Configuration (Server Manager Dashboard)
After the installation is complete and I log in for the first time, Windows Server automatically
opens the Server Manager dashboard. This is the main administrative console used to configure
the server, install roles, and manage the network environment.
Installing Server Roles: AD DS, DNS, DHCP, IIS, and Group Policy Management
Once the initial server configuration is complete, the next step is to install the core roles required
for the domain environment. Using the Add Roles and Features Wizard in Server Manager, I
selected the following essential roles:
• Active Directory Domain Services (AD DS)
• DNS Server
• DHCP Server
• Web Server (IIS) for hosting the IT services website
• Group Policy Management (for managing domain-wide policies)
The screenshot below shows the installation progress of these roles:
Installing server roles 3
Promoting the Server to a Domain Controller
After installing the required roles (AD DS, DNS, DHCP, IIS, and GPMC), the next step is to
promote the server to a Domain Controller. This process officially creates the Active Directory
environment where users, groups, policies, and computers will be managed.
To begin, I opened the Active Directory Domain Services Configuration Wizard and selected the
deployment type.
Creating a New Forest
Since this is a brand-new lab environment with no existing domain or forest, I selected the
option:
Add a new forest
This creates the top-level structure for the entire Active Directory environment.
Under Root domain name, I entered:
[Link]
This will become the main domain for the lab.
All users, computers, and organizational units will be created under this domain.
Promoting to DC 4
Preparing the Windows 11 Client Machine
Before joining the domain, I prepared a Windows 11 client machine. This machine will later be
joined to the Active Directory domain to test authentication, policies, and user access.
I installed Windows 11 earlier in the lab setup and ensured it was fully updated. The purpose of
this Windows 11 machine is to act as a domain client, allowing me to verify:
• Domain join functionality
• Group Policy application
• DNS and DHCP services
• User login behavior from the domain
At this stage, the Windows 11 client is configured with default network settings.
The next steps involve connecting it to the Domain Controller by pointing the DNS to the server
and joining the [Link] domain.
Configuring the Network Adapter (Static IP Address Setup)
Before promoting the server to a Domain Controller, it is essential to configure a static IP
address. Active Directory, DNS, and DHCP services require a fixed IP so that client machines
can reliably locate and communicate with the server.
To begin this process, I navigated to:
Control Panel → Network and Internet → Network Connections
The screenshot below shows the available network adapter on the server:
Pathing to The network Configuration 5
Configuring the Windows 11 Client to Connect to the Domain Controller
After preparing the Windows 11 machine, the next step is to connect it to the Domain Controller.
To do this, the client must use the Domain Controller’s IP address as its DNS server, because
domain joining and Active Directory communication depend entirely on DNS resolution.
Identifying the Domain Controller’s IP Address
On the Domain Controller, I ran the command:
ipconfig
Getting IP of DC 6
Configuring DNS on the Windows 11 Client
On the Windows 11 machine, I navigated to:
Settings → Network & Internet → Advanced Network Settings → Ethernet → More Adapter Options
Then opened:
Ethernet Properties → Internet Protocol Version 4 (TCP/IPv4)
Inside the IPv4 settings, I configured:
• Obtain an IP address automatically (client will use DHCP)
• Use the following DNS server addresses:
  ◦ Preferred DNS: [Link]
  ◦ Alternate DNS: (left blank)
This ensures the Windows 11 client uses the Domain Controller for DNS queries.
Connecting IP of DC to machine 7
Testing Connectivity with Ping
To confirm communication between the client and the Domain Controller, I used the ping
command:
Testing Connectivity 8
Verifying Client Connectivity to the Domain Controller
With the DNS settings configured and successful ping replies received, we have confirmed that
the Windows 11 client can see and communicate with the Domain Controller. This means the
network path, DNS resolution, and connectivity are working correctly, and the client is now
ready to be joined to the [Link] domain.
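Beyond ping, the checks below confirm from the Windows 11 client that DNS can locate a domain controller before the join and that the machine account's secure channel is healthy afterwards. This is an added example, not part of the original write-up; `lab.example` is a placeholder for the lab's root domain name, and Windows PowerShell 5.1 is assumed.

```powershell
# Added example. Run in an elevated Windows PowerShell 5.1 session on the Windows 11 client.
# Assumption: 'lab.example' is a placeholder; substitute the lab's root domain name.
$Domain = 'lab.example'

# 1. DNS servers the client is actually using (the Domain Controller should be listed).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Domain controller locator record. A domain join depends on this SRV lookup,
#    which a ping to an IP address does not exercise.
$records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcNames = $records | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget | Sort-Object -Unique

# 3. TCP reachability of the services used during join and logon.
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 389 = 'LDAP'; 445 = 'SMB' }
foreach ($dc in $dcNames) {
    foreach ($port in ($ports.Keys | Sort-Object)) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $dc
            Service = $ports[$port]
            Port    = $port
            Open    = $t.TcpTestSucceeded
        }
    }
}

# 4. After the join: confirm domain membership and the machine account's secure channel.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    "Joined to $($cs.Domain); secure channel healthy: $(Test-ComputerSecureChannel)"
} else {
    'Not joined to a domain yet.'
}
```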
Joining the Windows 11 Client to the Domain
After confirming that the Windows 11 client can communicate with the Domain Controller, the
next step is to join the machine to the [Link] domain. Joining the domain allows the
computer to be centrally managed through Active Directory, Group Policies, and domain
authentication.
Opening System Properties
On the Windows 11 client, I navigated to:
Settings → System → About → Advanced system settings
In the System Properties window, under the Computer Name tab, I clicked:
Change…
This opens the Computer Name/Domain Changes dialog box.
Machine becoming a part of AD 9
Entering the Domain Name
Inside the domain settings, I selected:
✔ Domain:
and entered the domain name:
[Link]
Successful Domain Join
After entering the domain name, the system prompted me for domain administrator credentials.
Once authenticated, the machine successfully joined the domain and displayed the confirmation
message:
“Welcome to the [Link] domain.”
Success 10
[Link] Organizational Units (OUs) and Adding New Users
After successfully promoting the server to a Domain Controller, I proceeded to set up the
organizational structure inside Active Directory. This includes creating Organizational Units
(OUs) and domain users as required in the assignment.
Opening Active Directory Users and Computers (ADUC)
From the Server Manager dashboard, I opened:
Tools → Active Directory Users and Computers
This console allows centralized management of domain objects such as:
• Users
• Computers
• Groups
• Organizational Units
The default domain containers are visible under [Link], as shown in the screenshot.
Figure 11
Creating Organizational Units (HR & Technical)
To organize the domain logically, I created the required OUs:
1. HR
2. Technical
These OUs help separate users and apply different Group Policies later in the assignment (such
as website restrictions, PowerShell/CMD blocking, login hours, and more).
Creating a New User Account
Inside the HR Organizational Unit, I created a new domain user.
I went to:
Right-click HR → New → User
In the New Object – User window, I filled in the user details:
• First name: Adam
• User logon name: Adam
• Full domain logon: Adam@[Link]
After clicking Next, I configured the account password.
Creating user 12
Setting Account Password and Policies
In the password configuration window, I assigned a secure password and applied the
recommended settings:
• User must change password at next logon
This setting ensures the user sets their own password the first time they log in, which is a
common security practice in enterprise environments.
Other optional settings include:
• User cannot change password
• Password never expires
• Account is disabled
These were left unchecked because they were not required for the lab.
Password config for user 13
Adding Users to the HR and Technical OUs
After creating the Organizational Units (HR and Technical), I proceeded to create the required
user accounts and place them in their corresponding OUs.
This is important because Group Policies will later be applied separately to each OU, allowing
different restrictions and settings for HR users vs. Technical users.
HR Organizational Unit
Inside the HR OU, I created two user accounts:
• Humam
• Adam
These accounts represent employees in the HR department and will receive HR-specific Group
Policy rules later in the assignment.
Showing the user made for each ou 14
Technical Organizational Unit
Inside the Technical OU, I created two user accounts:
• Yanal
• Ehab
These users belong to the Technical department and will be assigned different privileges and
restrictions than HR users.
Showing user for each ou 2 15
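The same OU and user layout can be created reproducibly with the ActiveDirectory PowerShell module on the Domain Controller. This is an added example, not part of the original write-up; it reads the domain name from the running domain and prompts for the initial password instead of embedding one.

```powershell
# Added example. Run elevated on the Domain Controller (ActiveDirectory module).
Import-Module ActiveDirectory

$domain = Get-ADDomain   # avoids hard-coding the domain name
$layout = [ordered]@{
    HR        = 'Humam', 'Adam'
    Technical = 'Yanal', 'Ehab'
}

# Prompt for the initial password so it never appears in the script or command history.
$initialPassword = Read-Host -Prompt 'Initial password for new accounts' -AsSecureString

foreach ($ouName in $layout.Keys) {
    $ouDn = "OU=$ouName,$($domain.DistinguishedName)"

    # Create the OU only if it does not exist yet, so the script can be re-run safely.
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domain.DistinguishedName -SearchScope OneLevel
    if (-not $ou) {
        New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName -ProtectedFromAccidentalDeletion $true
    }

    foreach ($name in $layout[$ouName]) {
        if (Get-ADUser -Filter "SamAccountName -eq '$name'") { continue }

        $userArgs = @{
            Name                  = $name
            GivenName             = $name
            SamAccountName        = $name
            UserPrincipalName     = "$name@$($domain.DNSRoot)"
            Path                  = $ouDn
            AccountPassword       = $initialPassword
            Enabled               = $true
            ChangePasswordAtLogon = $true   # "User must change password at next logon"
        }
        New-ADUser @userArgs
    }
}

# Verify placement: each account should sit in the OU whose Group Policy it must receive.
Get-ADUser -Filter * -SearchBase $domain.DistinguishedName -SearchScope Subtree |
    Where-Object { $_.DistinguishedName -match ',OU=(HR|Technical),' } |
    Select-Object SamAccountName, Enabled, DistinguishedName
```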
3. Hosting the IT Services Website Using IIS
After creating the Organizational Units (HR and Technical) and adding all required users, the
next part of the assignment involves setting up a web server using Internet Information Services
(IIS). This internal website will later be used to apply Group Policy restrictions for specific users.
Installing and Opening IIS Manager
IIS was installed earlier through the Add Roles and Features Wizard by enabling the:
• Web Server (IIS)
• Management Tools
• Basic Web Server features
To configure the website, I opened:
Server Manager → Tools → Internet Information Services (IIS) Manager
This opens the main interface where all hosted sites and application pools can be managed.
Creating a New Website
Inside IIS Manager, under the Sites section, I created a new site named mysite.
The screenshot below shows the site settings I entered.
Creating a new website 16
Configuring DNS for the Custom Hostname
Since [Link] is not a real internet domain, I created a DNS record inside
the internal DNS server so that domain-joined clients can resolve it.
Steps:
1. Open DNS Manager
2. Navigate to:
Forward Lookup Zones → [Link]
3. Right-click → New Host (A or AAAA)…
4. Add:
  ◦ Name: adamalhamdan
  ◦ FQDN: [Link]
  ◦ IP: [Link]
This maps the hostname directly to the IIS server.
Configuring DNS record 17
Testing the Website on the Windows 11 Client
From the domain-joined Windows 11 machine, I opened Microsoft Edge and entered:
[Link]
The website loaded successfully, displaying the default IIS welcome page, confirming:
• DNS resolution works
• IIS is functioning
• The client can access the internal site
Website result 18
4. Group Policy and Access Control
In this step, I configured multiple Group Policy Objects (GPOs) to control what HR users can
access. The goal is to enforce stricter restrictions on the HR Organizational Unit while keeping
normal functionality for the Technical team.
4.1 Creating a New GPO for HR Restrictions
I started by creating a dedicated GPO named “HR – Block Website”, then linked it to the
HR OU:
GPO 19
4.2 Blocking Access to Command Prompt and PowerShell
To prevent HR employees from running CMD or PowerShell:
Path:
User Configuration → Policies → Administrative Templates → System
Under System, set the state of Prevent access to the command prompt to Enabled, and then
configure Don’t run specified Windows applications as follows:
State: Enabled
Disallowed apps:
• [Link]
• powershell_ise.exe
• [Link] (PowerShell Core)
Before cmd changes 20
List the disabled cmd and pswh 21
4.3 Blocking Access to the Control Panel
To prevent HR users from modifying system settings:
Path:
User Configuration → Policies → Administrative Templates → Control Panel
Setting Applied:
• Prohibit access to Control Panel and PC Settings → Enabled
Control panel prohibited 22
4.4 Blocking Access to Removable Storage (USB Devices)
To prevent HR users from using USB flash drives or external storage:
Path:
User Configuration → Policies → Administrative Templates → System → Removable Storage Access
Blocked all removable storages 23
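To confirm from the Domain Controller that the restrictions from sections 4.2 to 4.4 are really present in a GPO linked to the HR OU, the added script below (not part of the original write-up) reads the registry values behind each policy with the GroupPolicy module. The removable-storage entry assumes the setting used was All Removable Storage classes: Deny all access, which the page does not name.

```powershell
# Added example. Run elevated on the Domain Controller (ActiveDirectory and GroupPolicy modules).
Import-Module ActiveDirectory, GroupPolicy

$hrOu     = "OU=HR,$((Get-ADDomain).DistinguishedName)"
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$expected = @(
    # DisableCMD: 1 also blocks batch script processing, 2 still allows it.
    @{ Policy = 'Prevent access to the command prompt'
       Key = 'HKCU\Software\Policies\Microsoft\Windows\System'; Value = 'DisableCMD' }
    @{ Policy = "Don't run specified Windows applications"
       Key = $explorer; Value = 'DisallowRun' }
    @{ Policy = 'Prohibit access to Control Panel and PC settings'
       Key = $explorer; Value = 'NoControlPanel' }
    # Assumption: the page does not name the removable-storage setting that was enabled.
    @{ Policy = 'All Removable Storage classes: Deny all access'
       Key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices'; Value = 'Deny_All' }
)

function Get-PolicyValue {
    param([guid]$GpoId, [string]$Key, [string]$ValueName)
    # Get-GPRegistryValue raises an error when the GPO does not contain the key; treat that as "not set".
    try {
        if ($ValueName) { Get-GPRegistryValue -Guid $GpoId -Key $Key -ValueName $ValueName -ErrorAction Stop }
        else            { Get-GPRegistryValue -Guid $GpoId -Key $Key -ErrorAction Stop }
    } catch { }
}

# Only enabled links on the OU are considered; inherited GPOs are not inspected here.
$links = (Get-GPInheritance -Target $hrOu).GpoLinks | Where-Object Enabled

foreach ($e in $expected) {
    $found = foreach ($link in $links) {
        $v = Get-PolicyValue -GpoId $link.GpoId -Key $e.Key -ValueName $e.Value
        if ($v) { "$($link.DisplayName) = $($v.Value)" }
    }
    $status = if ($found) { 'Configured' } else { 'MISSING' }
    [pscustomobject]@{ Policy = $e.Policy; Status = $status; Source = $found -join '; ' }
}

# The disallowed program names are stored as numbered values in a subkey.
# The policy matches on file name only, so review the list for completeness.
foreach ($link in $links) {
    Get-PolicyValue -GpoId $link.GpoId -Key "$explorer\DisallowRun" |
        Where-Object HasValue | Select-Object @{ n = 'Gpo'; e = { $link.DisplayName } }, Value
}
```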
4.5 Restricting HR Login Hours (8 AM – 5 PM)
To ensure users can only log in during working hours:
Path:
Active Directory Users and Computers → Select HR Users → Properties → Account → Logon Hours.
Changed the hours 24
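Logon hours are stored on each account as the 21-byte logonHours attribute, one bit per hour of the week in UTC, so the raw value is offset from the local hours shown in the dialog. The added script below (not part of the original write-up) decodes that attribute for every user in the HR OU so the 8 AM to 5 PM window can be verified; it assumes a whole-hour UTC offset.

```powershell
# Added example. Run on the Domain Controller (ActiveDirectory module).
Import-Module ActiveDirectory

function ConvertFrom-LogonHours {
    param(
        [byte[]]$Bytes,
        # Assumption: whole-hour offset; the current offset is used, so DST changes shift the result.
        [int]$UtcOffsetHours = [int][TimeZoneInfo]::Local.GetUtcOffset([datetime]::Now).TotalHours
    )
    $days = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    if (-not $Bytes) { return 'No restriction (logonHours not set)' }

    # Bit i (least significant bit first) is the hour starting i hours after Sunday 00:00 UTC.
    $local = New-Object bool[] 168
    for ($i = 0; $i -lt 168; $i++) {
        if ($Bytes[$i -shr 3] -band (1 -shl ($i -band 7))) {
            $local[(($i + $UtcOffsetHours) % 168 + 168) % 168] = $true
        }
    }

    # Collapse each day's allowed hours into start-end ranges in local time.
    for ($d = 0; $d -lt 7; $d++) {
        $ranges = @()
        $start  = $null
        for ($h = 0; $h -le 24; $h++) {
            $on = ($h -lt 24) -and $local[$d * 24 + $h]
            if ($on -and $null -eq $start) { $start = $h }
            if (-not $on -and $null -ne $start) {
                $ranges += '{0:00}:00-{1:00}:00' -f $start, $h
                $start = $null
            }
        }
        '{0}: {1}' -f $days[$d], $(if ($ranges) { $ranges -join ', ' } else { 'denied' })
    }
}

$hrOu = "OU=HR,$((Get-ADDomain).DistinguishedName)"
Get-ADUser -Filter * -SearchBase $hrOu -Properties logonHours | ForEach-Object {
    "--- $($_.SamAccountName)"
    ConvertFrom-LogonHours -Bytes $_.logonHours
}
```

Logon hours are checked when a user authenticates; an already logged-on session is not ended when the window closes.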