June 22, 2026
Part 4: Enterprise Active Directory Structure and Security Policy Framework
Joseph Ngahu
4 min read
With the Windows 11 workstation successfully joined to the domain, the next phase of the project focused on organizing and securing the Active Directory environment.
In many lab environments, users and computers remain in their default Active Directory containers. While this approach may work for basic testing, it does not accurately reflect how enterprise environments are structured or managed. To better simulate a real organization, the Active Directory environment was designed using Organizational Units (OUs), security groups, and Group Policy Objects (GPOs).
This structure provides a foundation for identity management, role-based access control, policy enforcement, and centralized administration.
The Active Directory hierarchy was organized beneath the lab.local domain and divided into several organizational units representing different departments and infrastructure components. Dedicated OUs were created for cybersecurity personnel, finance users, IT administrators, Security Operations Center (SOC) analysts, domain workstations, and standard user accounts.
Organizing resources in this manner allows administrative controls and security policies to be applied by business function rather than to individual users, and it keeps management simple as the environment grows: a GPO linked to an OU follows every object that is later added to it.
Once the Organizational Unit structure was established, user accounts were created and assigned to their respective departments. This transformed the environment from a simple collection of systems into a realistic enterprise simulation with multiple user roles and varying access requirements.
Domain-joined systems were also organized within Active Directory. The Windows 11 workstation, WIN11-GRP1, was placed in the appropriate Organizational Unit, enabling centralized management through Group Policy.
To further simplify administration, a security group was created for each department. Rather than assigning permissions directly to users, access rights are granted to groups and managed through group membership, so a user's access changes with their role rather than with a trail of per-user ACL entries. This approach reflects real-world enterprise practice and scales far better.
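The OU, group and user layout described above can be built from the domain controller with the ActiveDirectory module. The following is an added example and not the original post's script; the OU and group names other than lab.local, WIN11-GRP1, Lab Users and analyst1 are assumptions chosen to match the narrative, and placing analyst1 in the SOC analysts group is likewise an assumption.

```powershell
# Added example (not the original post's script): builds the OU, group and user
# layout described above. Names other than lab.local, WIN11-GRP1, Lab Users and
# analyst1 are assumptions.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. "DC=lab,DC=local"

# One OU per department or infrastructure role (assumed names)
$ous = @('Cybersecurity', 'Finance', 'IT Admins', 'SOC Department',
         'Domain Workstations', 'Lab Users')
foreach ($ou in $ous) {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# One global security group per department; permissions are granted to the
# group, never to individual users (group names assumed)
$groups = @{
    'Cybersecurity'  = 'GG-Cybersecurity'
    'Finance'        = 'GG-Finance'
    'IT Admins'      = 'GG-IT-Admins'
    'SOC Department' = 'GG-SOC-Analysts'
}
foreach ($ou in $groups.Keys) {
    $name = $groups[$ou]
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path "OU=$ou,$domainDN"
    }
}

# The analyst account from the narrative, created in the Lab Users OU.
# Password is prompted for rather than embedded in the script.
$pw = Read-Host -AsSecureString 'Initial password for analyst1'
New-ADUser -Name 'Analyst One' -SamAccountName 'analyst1' `
    -UserPrincipalName 'analyst1@lab.local' -Path "OU=Lab Users,$domainDN" `
    -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
# Assumption: analyst1 is a SOC analyst; access rights follow from this membership
Add-ADGroupMember -Identity 'GG-SOC-Analysts' -Members 'analyst1'

# Move the domain-joined workstation out of the default Computers container so
# computer-side GPOs linked to the workstation OU apply to it
Get-ADComputer -Identity 'WIN11-GRP1' |
    Move-ADObject -TargetPath "OU=Domain Workstations,$domainDN"
```

The default Computers and Users containers are not OUs, so GPOs cannot be linked to them; leaving objects there means they only receive domain-level policy, which is why the move at the end matters.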
With the organizational structure in place, attention shifted toward policy enforcement.
Group Policy Objects were configured and linked to the appropriate Organizational Units to establish security controls across the environment. Through Group Policy, administrators can define how systems behave, what users can access, and which security standards must be enforced.
Several controls were implemented, including password complexity requirements, account lockout policies, auditing configuration, endpoint security settings, and user restrictions. Password and lockout settings apply at the domain level through the Default Domain Policy, while the remaining controls were linked to the OUs they target. Together these policies give every system a consistent security baseline regardless of where it sits in the environment.
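Two of the controls described in this section, the domain password and lockout policy and the department-scoped restriction applied to SOC users, can be configured from PowerShell as below. This is an added example rather than the post's own configuration: the GPO names, the numeric thresholds and the use of a separate audit GPO for the workstation OU are assumptions.

```powershell
# Added example (not the original post's configuration). GPO names and the
# thresholds below are assumptions; adjust to your baseline.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Password complexity and lockout are domain-wide settings held in the
# Default Domain Policy; this writes them for lab.local
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
    -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# Department-scoped user restriction: disable cmd.exe for users in the SOC OU.
# DisableCMD = 2 blocks the interactive prompt but still allows logon and batch
# scripts to run; 1 blocks those as well.
$gpoName = 'SOC - Restrict Command Prompt'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $gpoName -Target "OU=SOC Department,$domainDN" `
    -LinkEnabled Yes -ErrorAction SilentlyContinue

# Endpoint auditing for the workstation OU: include the command line in
# process-creation (4688) events so blocked or suspicious executions are
# attributable. The "Audit Process Creation" subcategory itself still has to be
# enabled under Advanced Audit Policy Configuration in the same GPO.
$auditName = 'Workstations - Audit Baseline'
$audit = Get-GPO -Name $auditName -ErrorAction SilentlyContinue
if (-not $audit) { $audit = New-GPO -Name $auditName }
Set-GPRegistryValue -Name $auditName `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    -ValueName 'ProcessCreationIncludeCmdLine_Enabled' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $auditName -Target "OU=Domain Workstations,$domainDN" `
    -LinkEnabled Yes -ErrorAction SilentlyContinue
```

One caveat worth stating plainly: the DisableCMD setting is a user-experience restriction, not a security boundary. It only affects cmd.exe, so a user who can still launch PowerShell or run an arbitrary binary is not contained by it; it is useful here to demonstrate targeted policy delivery and to generate telemetry, not to stop a determined user.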
To validate the deployment, the Windows 11 workstation was tested to ensure that policies were being successfully received and applied. The client authenticated against Active Directory, resolved domain resources through DNS, and processed the assigned Group Policy Objects without issue.
The next phase of validation focused on user authentication.
A domain user account named Analyst One (analyst1) was selected from the Lab Users Organizational Unit and used to log into the Windows 11 workstation. Successful authentication demonstrated that user credentials were being validated through Active Directory rather than local workstation accounts.
Once logged in, the user profile was loaded successfully, confirming end-to-end integration between Active Directory, DNS, and the domain-joined endpoint.
To test privilege separation, an attempt was made to launch Command Prompt with administrative privileges using the standard domain account. Access was denied, and the system requested administrator credentials before proceeding.
This behavior is significant because it demonstrates that privilege separation is working as intended. A standard domain user could not perform administrative actions without authorization, reflecting the principle of least privilege that enterprise environments are expected to enforce. A user who holds administrative credentials can still elevate by supplying them at the prompt, which is the intended path for authorized administration.
In addition, the message displayed by Command Prompt showed that users in the SOC Department organizational unit were subject to a further restriction through Group Policy: Command Prompt itself was disabled for standard SOC users. This policy was configured deliberately to demonstrate how controls can be targeted at a specific department from central management.
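The checks performed by hand in the last few paragraphs (policy delivery, domain versus local authentication, DNS resolution, the elevation prompt, and the SOC Command Prompt restriction) can be scripted on the workstation. This is an added validation script and not part of the original post; it is meant to be run on WIN11-GRP1 while logged on as analyst1, and the registry path it checks assumes the restriction was deployed with the standard DisableCMD policy value.

```powershell
# Added example (not from the original post): run on WIN11-GRP1 as the standard
# domain user to confirm what the narrative validated interactively.

# 1. Which domain controller answered, and whether DNS returns the LDAP SRV
#    record clients use to locate DCs
nltest /dsgetdc:lab.local
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.lab.local' -Type SRV |
    Format-Table Name, NameTarget, Port -AutoSize

# 2. Refresh policy and list the GPOs that actually applied to this user and computer
gpupdate /force
gpresult /r /scope:user
gpresult /r /scope:computer

# 3. The logged-on identity must be a domain account (UPN in lab.local) and
#    must not hold local administrator rights or a high-integrity token
whoami /upn                              # expected: analyst1@lab.local
$groups = whoami /groups
if ($groups -match 'BUILTIN\\Administrators' -or $groups -match 'High Mandatory Level') {
    Write-Warning 'Standard user has an elevated token: least privilege is NOT enforced'
} else {
    Write-Host 'Standard user token is medium integrity with no Administrators membership'
}

# 4. Reproduce the privilege-separation test. Elevation prompts for admin
#    credentials; cancelling the prompt makes Start-Process throw, which is the
#    expected outcome for a standard user without those credentials.
try {
    Start-Process cmd.exe -Verb RunAs -ErrorAction Stop
    Write-Warning 'cmd.exe started elevated without a credential prompt'
} catch {
    Write-Host "Elevation not granted: $($_.Exception.Message)"
}

# 5. Has the SOC Command Prompt restriction reached this user's policy?
#    When it has, cmd.exe reports that it was disabled by the administrator.
$v = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\System' `
        -Name DisableCMD -ErrorAction SilentlyContinue
if ($v) { "DisableCMD = $($v.DisableCMD): Command Prompt is restricted by GPO" }
else    { 'DisableCMD not set: this user is outside the restricted OU' }
```

Step 5 also explains the apparent contradiction a reader might notice: a user kept in the Lab Users OU receives the domain-level lockout and password policy but not a GPO linked only to the SOC Department OU, so whether the Command Prompt message appears depends on which OU the account object sits in, not on group membership.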
The restriction highlights one of Active Directory's greatest strengths: the ability to control endpoint behavior from a single management platform. Rather than configuring each workstation individually, administrators can deploy policies that automatically apply to entire groups of users or systems.
Beyond improving security, these controls also generate useful security telemetry. Failed logons, account lockouts triggered by the lockout policy, and process-creation events for restricted or unexpected executions are all written to the Windows Security log and can be forwarded to Splunk for monitoring and analysis. This creates opportunities for detection engineering, threat hunting, and incident response exercises later in the project.
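As an added illustration of what that telemetry looks like before it reaches Splunk, the script below reads the relevant Security log events from the workstation and flattens them into JSON records. It is not the post's own forwarding setup: the event IDs are standard Windows Security IDs, but the output path, the 24-hour window, and the record layout are assumptions, and in a real deployment the Splunk Universal Forwarder would read the event log directly rather than a file produced this way.

```powershell
# Added example (not the original post's Splunk configuration). Event IDs are
# standard Windows Security log IDs; the output layout and path are assumptions.
# Run elevated, or as a member of Event Log Readers, on WIN11-GRP1.
$ids = @{
    4625 = 'Failed logon'                     # bad password, disabled account, etc.
    4740 = 'Account locked out'               # lockout policy tripped
    4688 = 'Process created'                  # needs Audit Process Creation enabled
    4673 = 'Sensitive privilege use attempted'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$ids.Keys
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$records = foreach ($e in $events) {
    # EventData fields are only reachable through the event XML
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4688 names the actor in SubjectUserName; logon/lockout events use TargetUserName
    $user = if ($e.Id -eq 4688) { $data['SubjectUserName'] } else { $data['TargetUserName'] }

    [pscustomobject]@{
        time    = $e.TimeCreated.ToString('o')
        host    = $env:COMPUTERNAME
        id      = $e.Id
        label   = $ids[$e.Id]
        user    = $user
        domain  = $data['TargetDomainName']
        process = $data['NewProcessName']
        cmdline = $data['CommandLine']       # populated only if the GPO enabled it
        status  = $data['Status']            # 4625 NTSTATUS, e.g. 0xC000006A bad password
        substat = $data['SubStatus']
    }
}

# Keep every logon/lockout/privilege event, but only cmd.exe process creations,
# which is the execution the SOC restriction is meant to surface
$records = $records | Where-Object { $_.id -ne 4688 -or $_.process -match '\\cmd\.exe$' }

New-Item -ItemType Directory -Force -Path 'C:\Telemetry' | Out-Null
$records | ConvertTo-Json -Depth 3 |
    Out-File -FilePath 'C:\Telemetry\security-events.json' -Encoding utf8
"{0} events written" -f @($records).Count
```

Two details matter for detection work later: 4688 events carry nothing useful without the command-line auditing setting, and a failed elevation attempt in which wrong credentials are typed at the UAC prompt shows up as a 4625 on the workstation, whereas simply cancelling the prompt leaves no Security log trace at all.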
At this stage, the Cyber Lab now possesses a fully functional identity and access management framework. Users, groups, policies, and workstations are centrally managed through Active Directory, providing the enterprise foundation required for realistic attack simulations, defensive operations, and security monitoring activities.