Step 9 — Bonus Tasks (Highly Recommended)

These optional tasks mirror common real-world Active Directory responsibilities. They are not required to complete the lab, but they significantly deepen your understanding of how AD is used in production.

Important note

These tasks introduce concepts you’ll see daily in real environments. In production, changes like these are usually planned, reviewed, and documented. For this lab, you’re free to experiment.

1. Configure Password Policy (Domain-Wide)

Password policies are enforced at the domain level using Group Policy.

Lab context

In real environments, the Default Domain Policy is usually kept minimal or replaced with fine-grained password policies. Editing it here is acceptable for learning purposes.

  1. Open Group Policy Management
  2. Expand Forest → Domains → lab.local
  3. Right-click Default Domain Policy → Edit
  4. Navigate to:
Computer Configuration
 → Policies
 → Windows Settings
 → Security Settings
 → Account Policies
 → Password Policy
  • Configure Maximum password age
  • Configure Minimum password length

2. Create a Basic Logon Script

Logon scripts execute automatically when users sign in and are commonly used to map network drives, set environment variables, or display messages.

What is SYSVOL?

SYSVOL is a special shared folder on every domain controller that stores files which must be accessible to all domain users — including Group Policy objects and logon scripts.

When a user logs in, their computer automatically pulls scripts and policies from SYSVOL.

  1. Create a new text file named logon.bat
  2. Add the following line:
echo Welcome to the domain
  3. Save the file to the domain’s SYSVOL share
  4. The full path will look like:
C:\Windows\SYSVOL\sysvol\lab.local\scripts
  5. Open Active Directory Users and Computers
  6. Open a user account
  7. On the Profile tab, enter logon.bat in the Logon script field

The script name is enough — Active Directory automatically looks for it inside the SYSVOL scripts folder.

While logon scripts are less common today, they are still frequently encountered in legacy and hybrid environments.

3. Delegate Password Reset Permissions to Helpdesk

Delegation allows non-admin users to perform limited administrative tasks.

  1. Right-click the branch Users OU (for example: _Branches → Houston → Users)
  2. Select Delegate Control
  3. Add the Helpdesk group
  4. Select the following tasks:
  • Reset user passwords
  • Force password change at next logon

This is one of the most common real-world delegation scenarios for helpdesk teams.
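To confirm what the wizard actually granted, you can read the OU's ACL and list the password-related entries. The script below is an added example, not part of the original lab: it assumes the RSAT ActiveDirectory module is available, that the OU's distinguished name follows the _Branches → Houston → Users layout in lab.local, and that the group is named Helpdesk. The function name Get-DelegatedPasswordAce is hypothetical.

```powershell
# Added example: audit the password-reset delegation on the branch Users OU.
# Assumptions: RSAT ActiveDirectory module installed; the DN below is derived
# from the lab's _Branches -> Houston -> Users layout and may differ in your lab.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$OuDn      = 'OU=Users,OU=Houston,OU=_Branches,DC=lab,DC=local'  # assumed DN
$GroupName = 'Helpdesk'                                          # group delegated in the lab

# Well-known Active Directory schema GUIDs
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529' # "Reset Password" extended right
$PwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2' # pwdLastSet attribute
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2' # user object class

function Get-DelegatedPasswordAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Explicit (non-inherited) Allow entries that touch password reset
    # or the "must change password at next logon" flag (pwdLastSet).
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -in $ResetPasswordRight, $PwdLastSetAttr
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
            @{ Name = 'UserObjectsOnly'; Expression = { $_.InheritedObjectType -eq $UserClass } }
}

$aces = Get-DelegatedPasswordAce -DistinguishedName $OuDn
$aces | Format-Table -AutoSize

# Entries held by anyone other than the expected group deserve a second look.
$unexpected = $aces | Where-Object { $_.IdentityReference.Value -notlike "*\$GroupName" }
if ($unexpected) {
    Write-Warning "Password-related rights on $OuDn are also held by:"
    $unexpected | Format-Table -AutoSize
}

# Entries not limited to user objects are broader than the wizard task implies.
$tooBroad = $aces | Where-Object { -not $_.UserObjectsOnly }
if ($tooBroad) {
    Write-Warning 'Some entries are not scoped to descendant user objects:'
    $tooBroad | Format-Table -AutoSize
}
```

Running the same check on a parent OU or the domain root shows whether the rights were delegated higher in the tree than intended.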

4. Move the Client Computer into the Correct Branch OU

By default, domain-joined computers are placed in the built-in Computers container.

  1. Open Active Directory Users and Computers
  2. Locate the computer account (e.g., CLIENT01)
  3. Drag the computer into _Branches → Houston → Workstations

This ensures the computer receives the correct Group Policy settings.

Why These Tasks Matter

  • They reflect real daily Active Directory work
  • They introduce delegation, policy, and structure concepts
  • They prepare you for real troubleshooting scenarios

Completion Checkpoint

  • Password policy changes are understood (even if reverted)
  • Delegation is applied to the branch Users OU
  • The client computer is placed in the correct branch OU

If you completed even one of these tasks, you’re already operating beyond beginner-level Active Directory knowledge.