INTRODUCTION
In this exercise, you will practice configuring important security and recovery features in Active Directory. These settings make sure that your organization’s accounts are protected and that administrators can recover objects if they’re deleted by mistake.
Here’s the scenario: You are the IT administrator of a company that uses Active Directory to manage all its users and computers. To keep the company secure, you need to ensure that:
- All users follow a standard password policy (for example, requiring a minimum length and complexity). This helps protect against simple or weak passwords that hackers could guess.
- Domain Administrators, who have the highest level of access, must follow an even stricter password policy because if their accounts are compromised, the entire company is at risk.
- If someone accidentally deletes an important account, group, or even a whole Organizational Unit (OU), you can use the Active Directory Recycle Bin to quickly restore it without starting from scratch.
By completing this exercise, you will learn how to:
- Apply a domain-wide password policy that affects every account in the system.
- Create a fine-grained password policy that gives tighter security rules just to sensitive groups (like Domain Admins).
- Enable the Recycle Bin, a critical safety net that protects against accidental deletions and makes recovery much easier.
These are common tasks that IT administrators perform to balance security and usability, while also preparing for mistakes that happen in real-world environments.
Part 1 – Configure Domain Password Policy
This sets the basic password rules for the entire domain.
Steps:
1. On TAILWIND-DC1, open Server Manager.
2. From the Tools menu, select Group Policy Management.
3. In the Group Policy Management console:
   - Expand forest: tailwindtraders.internal → Domains → tailwindtraders.internal.
   - Right-click Default Domain Policy → choose Edit.
4. In the Group Policy Management Editor:
   - Go to: Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy.
   - Double-click Minimum password length.
   - Change the value to 14 characters and click OK.
5. Close the Group Policy Management Editor and then close Group Policy Management.
Part 2 – Configure Fine-Grained Password Policy
This creates a stricter password rule for the Domain Admins group only.
Steps:
1. On TAILWIND-DC1, open Server Manager.
2. From the Tools menu, select Active Directory Administrative Center.
3. In the left pane, click Tailwindtraders (local).
4. In the middle pane, open the System container.
5. Inside System, open the Password Settings Container.
6. Right-click Password Settings Container → choose New → Password Settings.
   - Name: Domain Admin Password Policy
   - Precedence: 1
   - Minimum password length: 16 characters
7. Click OK.
8. Open the newly created policy (Domain Admin Password Policy).
9. In the Directly Applies To section, click Add.
10. Type Domain Admins.
11. Click Check Names → OK → OK.
Part 3 – Enable Active Directory Recycle Bin
This allows you to recover accidentally deleted AD objects (like users or OUs).
Steps:
1. On TAILWIND-DC1, open Server Manager.
2. From the Tools menu, select Active Directory Administrative Center.
3. In the left pane, click Tailwindtraders (local).
4. In the right pane, select Enable Recycle Bin.
5. When a warning appears → click OK.
6. Another warning will appear about replication latency → click OK again.
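To confirm that all three parts took effect, the read-only PowerShell check below can be run on TAILWIND-DC1. It is an added example, not part of the original exercise; it assumes the ActiveDirectory module is available and uses the domain, policy, and group names from the steps above.

```powershell
# Added example: read-only verification of Parts 1-3 (changes nothing in AD).
# Assumes the ActiveDirectory module and an admin session on TAILWIND-DC1.
Import-Module ActiveDirectory

$domainName = 'tailwindtraders.internal'
$psoName    = 'Domain Admin Password Policy'
$results    = @()

# Part 1: the value set in Default Domain Policy surfaces as the domain policy.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy -Identity $domainName
$results += [pscustomobject]@{
    Check  = 'Domain minimum password length is 14'
    Actual = $domainPolicy.MinPasswordLength
    Pass   = ($domainPolicy.MinPasswordLength -eq 14)
}

# Part 2: the password settings object exists with the expected values and subject.
$pso      = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
$subjects = if ($pso) { Get-ADFineGrainedPasswordPolicySubject -Identity $pso } else { @() }
$results += [pscustomobject]@{
    Check  = 'Fine-grained policy has precedence 1 and length 16'
    Actual = if ($pso) { "precedence $($pso.Precedence), length $($pso.MinPasswordLength)" } else { 'not found' }
    Pass   = [bool]($pso -and $pso.Precedence -eq 1 -and $pso.MinPasswordLength -eq 16)
}
$results += [pscustomobject]@{
    Check  = 'Fine-grained policy applies to Domain Admins'
    Actual = ($subjects.Name -join ', ')
    Pass   = ($subjects.Name -contains 'Domain Admins')
}

# Effective policy per admin account. An empty result means no fine-grained
# policy applies and the account falls back to the domain-wide policy.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
foreach ($admin in $admins) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $admin.distinguishedName
    $results += [pscustomobject]@{
        Check  = "Effective policy for $($admin.SamAccountName)"
        Actual = if ($effective) { $effective.Name } else { 'domain default' }
        Pass   = [bool]($effective -and $effective.Name -eq $psoName)
    }
}

# Part 3: the Recycle Bin feature lists at least one enabled scope once turned on.
$recycleBin = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
$results += [pscustomobject]@{
    Check  = 'Active Directory Recycle Bin is enabled'
    Actual = "$($recycleBin.EnabledScopes.Count) enabled scope(s)"
    Pass   = ($recycleBin.EnabledScopes.Count -gt 0)
}
$results | Format-Table -AutoSize
```

A failing "Effective policy" row for an administrator usually means another password settings object applies to that account directly, which overrides any policy inherited through group membership.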
Conclusion
In this exercise, we configured the domain password policy through Group Policy, created a fine-grained password policy for the Domain Admins group, and enabled the Active Directory Recycle Bin. Password policies strengthen the protection of user accounts by enforcing rules such as password length, complexity, and expiration. These settings help maintain security across the system by reducing the risk of weak or compromised passwords.
In the next exercise, we will build on this foundation by learning how to configure security settings, which will allow us to further strengthen and customize the overall security of the system environment.