Building a Windows Server 2022 Enterprise Lab with Active Directory, Secure Administration, and Automation
August 13, 2025, by Letisia Pangata'a
Level: Intermediate
Creating a dedicated Windows Server lab is one of the best ways to simulate real-world enterprise IT infrastructure. This guide walks you through building a Windows Server 2022 lab environment featuring Active Directory, secure RBAC, GPO automation, monitoring, and disaster recovery, all driven by PowerShell scripting.
Project Overview
This lab demonstrates:
- Windows Server 2022 setup & domain configuration
- Active Directory Domain Services (AD DS) management
- Role-Based Access Control (RBAC) with least privilege
- Group Policy Object (GPO) automation via PowerShell
- Real-time monitoring with alerts
- Disaster recovery simulation with tested backups
Lab Architecture
Servers
- DC01 – Domain Controller & DNS
- FILE01 – File Server
- APP01 – Application Server
- MON01 – Monitoring Server
- BACKUP01 – Backup Server
Workstations
- WS01, WS02, WS03 – Windows 10/11 clients
Key Features with Real Examples
1. Automated User Provisioning
The provisioning script bulk-creates users and places them in their OUs; the excerpt below is its password-generation helper:
# Import required modules
Import-Module ActiveDirectory

# Function to generate a secure password.
# Uses the .NET cryptographic RNG instead of Get-Random (which is not
# cryptographically secure) and rejection sampling to avoid modulo bias.
function New-RandomPassword {
    param([int]$Length = 12)
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 1
    $password = ""
    while ($password.Length -lt $Length) {
        $rng.GetBytes($buffer)
        # Only accept bytes below the largest multiple of the alphabet size
        if ($buffer[0] -lt (256 - (256 % $chars.Length))) {
            $password += $chars[$buffer[0] % $chars.Length]
        }
    }
    $rng.Dispose()
    return $password
}
2. RBAC Implementation
From the included rbac-model.md:
- Domain Admins → Full control
- Helpdesk → Password resets, basic user management
- Staff → Standard user access
- IT Operations → GPO management, monitoring
- Delegated OU control for Helpdesk
- GPO editing restricted to IT Operations
3. Group Policy Automation
Automatically create and link security-focused GPOs:
Import-Module GroupPolicy

# Write-Log is the lab's logging helper; this minimal fallback lets the
# function run stand-alone when the helper is not already loaded
if (-not (Get-Command Write-Log -ErrorAction SilentlyContinue)) {
    function Write-Log { param([string]$Message) Write-Host "$(Get-Date -Format s) $Message" }
}

function New-GPOIfNotExists {
    param(
        [Parameter(Mandatory)][string]$GPOName,
        [string]$Comment = ""
    )
    try {
        # Get-GPO throws a terminating error when the GPO does not exist
        $ExistingGPO = Get-GPO -Name $GPOName -ErrorAction Stop
        Write-Log "GPO already exists: $GPOName"
        return $ExistingGPO
    } catch {
        # Note: any Get-GPO failure (not only "not found") lands here and
        # triggers creation; check $_ if the domain may be unreachable
        Write-Log "Creating GPO: $GPOName"
        return New-GPO -Name $GPOName -Comment $Comment
    }
}
4. Monitoring and Alerts
From monitoring-alert.ps1:
# Settings used by Send-Alert (set near the top of monitoring-alert.ps1;
# the values below are placeholders for the lab)
$EmailTo    = "admin@lab.local"
$SmtpServer = "smtp.lab.local"

# Function to send email alert
function Send-Alert {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][string]$Body,
        [ValidateSet("Low", "Normal", "High")][string]$Priority = "Normal"
    )
    # Send-MailMessage is marked obsolete by Microsoft and uses plain SMTP
    # unless -UseSsl is given; it is kept here for the lab's internal relay
    Send-MailMessage -To $EmailTo -From "monitor@lab.local" `
        -Subject $Subject -Body $Body -SmtpServer $SmtpServer `
        -Priority $Priority
}
Paired with Task Scheduler, this script can trigger alerts for:
- Failed logons
- Privilege changes
- Service failures
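The following is an added example, not code from the project's monitoring-alert.ps1: it polls the Security log on DC01 for the first two event classes above (failed logons and group-membership changes) and raises alerts through the Send-Alert function shown earlier. The lookback window, threshold and list of sensitive groups are assumptions for the lab.

```powershell
# Assumes Send-Alert is already defined and the script runs with rights to read
# the Security log (e.g. as a scheduled task on DC01). Tunables are assumptions.
$LookbackMinutes      = 15
$FailedLogonThreshold = 5
$SensitiveGroups      = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Read a named EventData field from the event XML (more robust than Properties[] indices)
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 4625 = failed logon; 4728/4732/4756 = member added to a global/local/universal security group
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4728, 4732, 4756
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
} -ErrorAction SilentlyContinue

if (-not $events) { return }

# Failed logons: alert once per account that crosses the threshold in the window
$failedByAccount = $events | Where-Object Id -eq 4625 |
    Group-Object { Get-EventField $_ 'TargetUserName' }
foreach ($acct in $failedByAccount) {
    if ($acct.Count -ge $FailedLogonThreshold) {
        $sources = ($acct.Group | ForEach-Object { Get-EventField $_ 'IpAddress' } |
            Sort-Object -Unique) -join ', '
        Send-Alert -Subject "Failed logons: $($acct.Name) ($($acct.Count) in $LookbackMinutes min)" `
                   -Body "Source addresses: $sources" -Priority 'High'
    }
}

# Privilege changes: every security-group addition is reported; sensitive groups are High
foreach ($e in ($events | Where-Object { $_.Id -in 4728, 4732, 4756 })) {
    $member = Get-EventField $e 'MemberName'       # DN of the account that was added
    $group  = Get-EventField $e 'TargetUserName'   # name of the group
    $actor  = Get-EventField $e 'SubjectUserName'  # who made the change
    $prio   = if ($group -in $SensitiveGroups) { 'High' } else { 'Normal' }
    Send-Alert -Subject "Group membership change: $member added to $group by $actor" `
               -Body ($e | Format-List TimeCreated, Id, Message | Out-String) -Priority $prio
}
```

Schedule it to run every 15 minutes so the lookback window matches the task interval and no events fall between runs.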
5. Disaster Recovery Simulation
From disaster-recovery.md:
- Restore system state backup using Windows Server Backup.
- Perform authoritative restore if AD objects are missing.
- Validate AD replication & service health.
- Test restores quarterly & log all actions for audit.
Security Best Practices Applied
- Least Privilege RBAC
- Script-driven user management to prevent manual errors
- Centralised logging & alerting
- Regular tested backups
Getting Started with the Lab
- Set up VMs in Hyper-V, VMware, or VirtualBox
- Install Windows Server 2022 & workstations
- Configure networking (static IPs for servers, DHCP for clients)
- Deploy AD DS on DC01 (lab.local)
- Run automation scripts from /scripts/
- Follow monitoring and DR docs in /docs/
Disclaimer
This project was developed using a combination of publicly available learning resources, reference books, open source projects, and artificial intelligence tools. All efforts have been made to attribute and comply with relevant licenses. Contributions and insights from the broader open source and educational communities are gratefully acknowledged. This software is provided as-is, without warranty of any kind, express or implied. The author assumes no responsibility for any loss, damage, or disruption caused by the use of this code. It is intended for educational and experimental purposes only and may not be suitable for production environments.