Simulated a full university-style Windows Server 2022 environment with Active Directory, secure file server, Group Policy automation, and FSRM for data governance. Built using VMware virtualization to mimic real enterprise infrastructure.
- Project Overview
- Architecture Diagram
- Infrastructure & Identity Setup
- File Server Engineering
- Group Policy Automation
- Security & FSRM
- Troubleshooting
- Skills Demonstrated
- Lessons Learned
This lab simulates a real-world enterprise Active Directory environment for a university scenario. The environment includes:
- Domain Controller (Windows Server 2022), named UNI-DC
- Member file server, named Uni-FS
- Client PCs (Windows 10/11)
- Secure file storage with advanced NTFS permissions
- Group Policy automation for drive mapping and folder redirection
- File Server Resource Manager (FSRM) for file screening
- Access-Based Enumeration (ABE) enabled
- Virtualized setup using VMware/Hyper-V
The network topology of the lab environment:
- DC1: Domain Controller (technova.edu)
- Uni-FS: Member File Server
- Client PC: Domain-joined Windows 10/11
- DNS: Points to DC1
In this step, the Active Directory domain and foundational identity structure were built to simulate a real enterprise environment.
- Installed Windows Server 2022 and configured Domain Controller (DC1).
- Created Active Directory domain: technova.edu.
- Designed Organizational Units (OUs) to logically separate accounts:
  - Students OU
  - Staff OU
  - Admins OU
- Created Security Groups for scalable permission management:
  - Business_Students
  - Staff_Group
  - Admin_Group
- Joined secondary server Uni-FS to the domain for file server integration.
- Entire environment virtualized using VMware/Hyper-V.
To demonstrate the setup and provide visual proof:
- AD Structure & Security Groups: shows the OU hierarchy and groups created.
- Domain Controller Roles (Optional but recommended): shows that AD DS and DNS roles are installed and domain name is technova.edu.
- Member Server Join (Optional but recommended): shows that Uni-FS is successfully joined to the domain.

The Uni-FS member server was configured as a centralized storage system for student report submissions.
- Deployed secondary Windows Server (Uni-FS) and joined it to the domain.
- Configured SMB network share: Business_Report_Submission.
- Designed a secure “Drop-Box” permission model using NTFS.
- Implemented Creator Owner to ensure users automatically become owners of their uploaded files.
- Enabled Access-Based Enumeration (ABE) to hide unauthorized folders from users.
- Applied Security Group-based access control instead of per-user permissions.
- Students:
  - Can upload reports.
  - Cannot view other students’ files.
- Admins:
  - Full Control for oversight and management.
- NTFS Advanced Permissions – Creator Owner Implementation (Server Side)
- Student View – Secure Drop-Box Model in Action (Client Side)
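
One way to script the drop-box model described above, as an added example that is not this project's own code. The local path, the NetBIOS name `TECHNOVA`, the SYSTEM entry and the exact rights granted to students are assumptions; the share and group names are the ones on this page.

```powershell
# Added example: values marked "assumed" are not taken from the lab.
$Path   = 'D:\Shares\Business_Report_Submission'   # assumed local path on Uni-FS
$Share  = 'Business_Report_Submission'
$Domain = 'TECHNOVA'                               # assumed NetBIOS name of technova.edu

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Start from a protected ACL: stop inheriting from the parent and drop old ACEs.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

# Hypothetical helper that builds an Allow ACE.
function New-Ace($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

$rules = @(
    # Admins and SYSTEM: full control of the folder and everything in it.
    (New-Ace "$Domain\Admin_Group" 'FullControl' 'ContainerInherit,ObjectInherit' 'None'),
    (New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit,ObjectInherit' 'None'),
    # Students: open the folder and create files, on this folder only, so the
    # ACE is never inherited by anything that gets uploaded.
    (New-Ace "$Domain\Business_Students" 'ReadAndExecute, CreateFiles' 'None' 'None'),
    # CREATOR OWNER: inherit-only; becomes the uploader's SID on each new file.
    (New-Ace 'CREATOR OWNER' 'Modify' 'ContainerInherit,ObjectInherit' 'InheritOnly')
)
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $Path -AclObject $acl

# Share permissions stay broad; NTFS does the filtering. ABE hides entries
# the caller has no read access to.
New-SmbShare -Name $Share -Path $Path -FolderEnumerationMode AccessBased `
    -FullAccess "$Domain\Admin_Group" -ChangeAccess "$Domain\Business_Students" |
    Out-Null

# Review the result on the server side.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
Get-SmbShare -Name $Share | Select-Object Name, Path, FolderEnumerationMode
```

Confirm the result from two different student accounts on a client: each should see only the files it uploaded.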

Group Policy Objects (GPOs) were implemented to automate user experience and enforce centralized management.
- Created GPO to automatically map U: Drive to the file server upon login.
- Configured Folder Redirection for the Documents folder to store user data on Uni-FS.
- Ensured persistent access to files across multiple client machines.
- Verified policy application using:
  - gpupdate /force
  - gpresult /r
File Server Resource Manager (FSRM) was deployed to enforce storage governance and prevent misuse.
- Installed File Server Resource Manager role on Uni-FS.
- Created Active File Screening policy.
- Blocked high-risk and non-academic file types:
  - .exe (prevent malware / unauthorized software)
  - .mp3
  - .mp4
- Enforced policy in real-time using Active Screening.
- Reduce malware risk.
- Prevent storage abuse.
- Enforce controlled file submission standards.
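
The file screen described above, scripted with the FSRM cmdlets as an added example (not this project's own code). The local path, the file group name and the event-log notification are assumptions; the blocked extensions are the ones listed on this page.

```powershell
# Added example: path and object names are assumptions, not taken from the lab.
$Path      = 'D:\Shares\Business_Report_Submission'   # assumed local path of the share
$GroupName = 'Blocked Submission Types'               # hypothetical file group name

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null

# File group holding the patterns listed on this page.
if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $GroupName `
        -IncludePattern @('*.exe', '*.mp3', '*.mp4') | Out-Null
}

# Write each blocked attempt to the Application event log so it can be reviewed.
$logAction = New-FsrmAction -Type Event -EventType Warning -Body (
    'User [Source Io Owner] tried to save [Source File Path] under ' +
    '[File Screen Path]; blocked by file group [Violated File Group].')

# -Active denies the write; without it the screen is passive and only notifies.
New-FsrmFileScreen -Path $Path -IncludeGroup $GroupName -Active `
    -Notification $logAction | Out-Null

# Confirm the screen is in place and active.
Get-FsrmFileScreen -Path $Path | Select-Object Path, Active, IncludeGroup
```

File screening matches file name patterns, not file content, so a renamed executable is not caught; it complements antivirus scanning on the file server rather than replacing it.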
During implementation, multiple issues were identified and resolved:
- Encountered "Name Not Found" error while assigning permissions.
  - Verified domain connectivity.
  - Confirmed Global Catalog availability.
  - Restarted server to clear cached credential issues.
- Identified incorrect DNS settings on client and file server.
  - Reconfigured systems to use Domain Controller as primary DNS.
  - Validated domain authentication after correction.
- Forced policy update using gpupdate /force.
- Verified applied policies using gpresult /r.
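
A repeatable version of the checks above, for a domain-joined client or Uni-FS, as an added example that is not this project's own code. The domain controller address is a constructed placeholder and the UNC path is assumed from the share name on this page.

```powershell
# Added example: run as a signed-in domain user (secure-channel check needs admin).
$Domain = 'technova.edu'
$DcIp   = '192.168.10.10'                           # constructed placeholder for the DC
$Share  = '\\Uni-FS\Business_Report_Submission'     # assumed UNC path behind U:

# Hypothetical helper: run a check, treat any error as a failure.
function Test-Step($Name, [scriptblock]$Check) {
    $ok = $false
    try { $ok = [bool](& $Check) } catch { $ok = $false }
    [pscustomobject]@{ Check = $Name; Passed = $ok }
}

$results = @(
    Test-Step 'Every adapter lists the DC as first DNS server' {
        $firsts = Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            ForEach-Object { $_.ServerAddresses[0] }
        $firsts -and -not ($firsts | Where-Object { $_ -ne $DcIp })
    }
    Test-Step 'DC locator SRV record resolves' {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    }
    Test-Step 'Global Catalog SRV record resolves' {
        Resolve-DnsName -Name "_gc._tcp.$Domain" -Type SRV -ErrorAction Stop
    }
    Test-Step 'Computer secure channel to the domain is healthy' {
        Test-ComputerSecureChannel
    }
    Test-Step 'U: is mapped to the submission share' {
        (Get-SmbMapping -LocalPath 'U:' -ErrorAction Stop).RemotePath -eq $Share
    }
    Test-Step 'Documents is redirected to Uni-FS' {
        [Environment]::GetFolderPath('MyDocuments') -like '\\Uni-FS\*'
    }
)

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'Fix DNS first: the later checks depend on locating the DC.'
}
```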
- Active Directory Domain Services (AD DS)
- DNS Configuration & Troubleshooting
- NTFS & SMB Permission Engineering
- Security Group-Based Access Control
- Access-Based Enumeration (ABE)
- Group Policy Management
- File Server Resource Manager (FSRM)
- Identity & Access Management (IAM)
- Windows Server Administration
- Enterprise Infrastructure Simulation
- Technical Troubleshooting & Root Cause Analysis
During this lab project, I gained hands-on experience in building and managing an enterprise-style Windows Server environment. Key lessons included:
- Understanding the difference between SMB share permissions and NTFS permissions, and how both layers work together to secure files.
- Implementing Access-Based Enumeration (ABE) to provide a secure, user-friendly drop-box model.
- Designing Organizational Units (OUs) and Security Groups for scalable identity and access management.
- Automating user experience with Group Policy Objects (GPOs), including drive mapping and folder redirection.
- Troubleshooting real-world issues such as DNS misconfigurations and AD permission lookup errors.
- Realizing the importance of testing both server-side configuration and client-side results to ensure security and usability.
- Gaining confidence in virtualization, networking, and enterprise-level file governance practices.





