{"id":4670,"date":"2025-09-16T20:00:00","date_gmt":"2025-09-17T00:00:00","guid":{"rendered":"https:\/\/adsecurity.org\/?p=4670"},"modified":"2025-09-18T13:58:14","modified_gmt":"2025-09-18T17:58:14","slug":"active-directory-lab-build-script","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=4670","title":{"rendered":"Active Directory Lab Build Script"},"content":{"rendered":"\n<p>Over the summer, I rebuilt my Active Directory lab environment with multiple regional domains. Instead of manually configuring common issues, I decided to create a PowerShell script to do this for me.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"405\" height=\"164\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/G0598C_XQAAxV04-1.png\" alt=\"\" class=\"wp-image-4674\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/G0598C_XQAAxV04-1.png 405w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/G0598C_XQAAxV04-1-300x121.png 300w\" sizes=\"auto, (max-width: 405px) 100vw, 405px\" \/><\/figure>\n\n\n\n<!--more-->\n\n\n\n<p>My <strong>Invoke-ADLabBuildOut<\/strong> script does the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create Top Level OUs<\/li>\n\n\n\n<li>Create Branch Office OUs<\/li>\n\n\n\n<li>Rename Default Domain Admin Account<\/li>\n\n\n\n<li>Create AD Lab Users<\/li>\n\n\n\n<li>Create AD Lab Groups<\/li>\n\n\n\n<li>Create AD Lab Service Accounts<\/li>\n\n\n\n<li>Create AD Lab Admin Accounts<\/li>\n\n\n\n<li>Create AD Lab Group Managed Service Accounts<\/li>\n\n\n\n<li>Create AD Lab Windows Workstations<\/li>\n\n\n\n<li>Create AD Lab Windows Servers<\/li>\n\n\n\n<li>Create AD Lab Computers<\/li>\n\n\n\n<li>Create AD Lab Fine Grained Password Policies<\/li>\n\n\n\n<li>Set SPN on Default Domain Admin Account<\/li>\n\n\n\n<li>Randomize Admin Account Membership in Admin Groups<\/li>\n\n\n\n<li>Randomize Service Account Membership in Admin 
Groups<\/li>\n\n\n\n<li>Add Password To Random User AD Attribute<\/li>\n\n\n\n<li>Add Kerberos Delegation<\/li>\n\n\n\n<li>Add Computer Accounts to Admin Groups<\/li>\n\n\n\n<li>Set OUs With Blocked GPO Inheritance<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"856\" height=\"1018\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/G06GA6tXwAAFY5y-1.png\" alt=\"\" class=\"wp-image-4677\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/G06GA6tXwAAFY5y-1.png 856w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/G06GA6tXwAAFY5y-1-252x300.png 252w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/G06GA6tXwAAFY5y-1-768x913.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/09\/G06GA6tXwAAFY5y-1-823x979.png 823w\" sizes=\"auto, (max-width: 856px) 100vw, 856px\" \/><\/figure>\n\n\n\n<p>PowerShell AD lab build out script leveraging the Active Directory PowerShell module:<br><a href=\"https:\/\/github.com\/PyroTek3\/ADLab\">https:\/\/github.com\/PyroTek3\/ADLab<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Over the summer, I rebuilt my Active Directory lab environment with multiple regional domains. 
Instead of manually configuring common issues, I decided to create a PowerShell script to do this for me.<\/p><p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=4670\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[565,7],"tags":[20,1495,1494,1496,575],"class_list":["post-4670","post","type-post","status-publish","format-standard","hentry","category-activedirectorysecurity","category-powershell","tag-activedirectory","tag-activedirectorylab","tag-adlab","tag-adlabbuild","tag-powershell","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4670","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4670"}],"version-history":[{"count":6,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4670\/revisions"}],"predecessor-version":[{"id":4697,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4670\/revisions\/4697"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4670"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4670"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4670"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}