Windows Server What can Active Directory Do?

[Ian]

I'm very unfamiliar with the AD side of Windows Server, other than as a user authentication and management tool. I was considering rolling it out on our home network, so that I can log on to any PC or Laptop with the same credentials (as our NAS can join the domain).

I've had a good read up about Active Directory, Domain Controllers, etc... but I can't find much info beyond the actual structure of it. If I rolled it out on our network, could I roll out app installation across the network (I'm thinking if I provision a new PC, can I auto-install stuff).

Are there any benefits to backup management and file synchronising? For example, can I sync desktop shortcuts across every PC I log on to?

I'd really appreciate any thoughts from those more familiar with AD . There's only so much I can glean from Googling.

 

[Silverhazesurfer]

Group policy is awesome. You can configure and secure a system to however you want it to be. It has been some time since I played with a full AD installation. I am getting ready to promote my server at the office to a PDC for my office domain. This is new for everyone there so it should be fun to experiment since it has no real bearing on how we function yet.

Remember a few years ago when I was around here asking questions about USB discovery? These were some of my earliest posts. I received quite a few responses such as "don't do it" "that's not how this works." In the end, I was working on securing Windows XP boxes that reported back to a generic server OS to transmit money values for a small "grey market" gaming company. Group Policy Editor allows you control over every aspect of a system when it authenticates to the primary domain controller.

What Server OS are you planning to implement? I run Server 2012 R2 on my tinker box at the shop.

Edit: Group Policy Editor comes with every installation of Windows. In AD, you can manage how permissions affect Group Policy. Joining a workstation to a domain will cause the domain GP to overrule the local GP. Whenever you log on to a machine, your domain GP will be in effect.

https://technet.microsoft.com/en-us/library/hh147307(v=ws.10).aspx

 

[Silverhazesurfer]

I found this and figured I would post it here so I could review later. A quick skim suggests that this may be what I need to freshen up my skills.

Simple Guide : Implementing Group Policy in Windows Server 2012 R2
https://mizitechinfo.wordpress.com/...nting-group-policy-in-windows-server-2012-r2/

Simple Guide : Creating & Configure GPO in Windows Server 2012 R2 – Part 2
https://mizitechinfo.wordpress.com/...nfigure-gpo-in-windows-server-2012-r2-part-2/

 

[Ian]

Thanks @Silverhazesurfer - I'd be looking to add around 6 Windows 10 PCs to the domain, perhaps on a server running Windows Server 2016... but my NAS has a Domain Controller option, so I was tempted to use that.

What I'm ideally after is a way to do the following:

• Manage Group Policy settings to disable Cortana, etc... - basically use to customise the machines how I like them.
• Deploy software packages on new and existing systems, so if I format the machine it'll install common things like Notepad++, FileZilla, etc... Ninite works well for this at the moment, but it would be nice to have a homebrew version.
• Control access to the NAS shares automatically (it has AD integration).
• Integrate O365 accounts, so the auth details are rolled out to accounts automatically.
• Profile roaming, so if I log on from my laptop or desktop, I still have the same documents/favorites/etc... in place. Even if connecting via VPN.

I've kicked the tinkering with AD in to the long grass for now, but I do intend to re-visit it one day .

 

[Silverhazesurfer]

Which NAS do you have?

Cortana - Group Policy should be able to be run on the AD profile setup for the user.
http://www.thewindowsclub.com/disable-turn-off-cortana-windows-10

Software installation via GP
https://technet.microsoft.com/en-us/library/cc753792(v=ws.11).aspx

Managing Folder Permissions - Basically the same as any permission. Set user, set permissions at the folder level. Permissions are inheritable and are dependent on the group to which the user belongs in AD. If the user has Admin creds, then it doesn't really matter what you set for a folder permission. If an admin can access it, then the user can as well.
https://msdn.microsoft.com/en-us/library/bb727008.aspx

O365 Details here. Honestly, I would have to have a setup to play with while looking at some of this information. I don't play with this in any facet and I am seriously uneducated in the application. I don't really like cloud applications or cloud-reliant data management. What happens when I, or my users, cannot access any information when the Internet is down? Nobody can work and I don't like that much wasted payroll.
https://support.office.com/en-us/ar...irectory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9

Apparently, there was a recent update to the roaming profiles options within Windows...3 days ago.
https://technet.microsoft.com/en-us/library/jj649079(v=ws.11).aspx

 

[Ian]

It's the QNAP TVS-873 - running the latest QTS.

Thanks for the info, I'll start setting up a few VMs on the NAS and get a working AD setup there before rolling anything out. Profile roaming looks like a fun place to start, as that's the thing I'd most like to use.

 

[Ian]

I've just set up the AD server on the NAS, along with two W10 VM's. I've got them both joined to the domain and roaming profiles works, but I need to test how it copes with several profiles logged on at the same time (and see what it does with syncing files).

Just testing depoying 7ZIP via MSI at the moment.