Two courses. Two environments. One complete enterprise Windows stack — built from scratch, documented step by step, and verified with live screenshots. This case study covers Windows 11 workstation configuration from the client side, and Windows Server 2022 domain deployment from the server side — together they tell the full story of how a real-world enterprise network comes to life.
Every enterprise build starts the same way — a blank virtual machine. For this task, I deployed a fresh Windows 11 installation inside VMware Fusion on my MacBook, naming the machine following the lab convention: YourName-StudentID. This was my first hands-on contact with desktop virtualization for the course, and it set the foundation for everything that followed.
Getting Windows 11 to install on Fusion required downloading the ISO, creating the VM with sufficient specs, and navigating through the Setup wizard. The machine name MdRahatIslamAnik-101635860 was set during initial configuration — a detail that mattered for identification across every subsequent screenshot.
In enterprise environments, IT teams rarely configure each PC manually — they use provisioning packages to automate setup. This task required creating a .ppkg file using Windows Configuration Designer (WCD) that would automatically create a local administrator account called AnAdmin with the password P@ssw0rd and apply it to the VM.
I built the package step by step in WCD: selecting the account settings, defining credentials, exporting the .ppkg file, and then applying it to the Windows 11 VM. After application, the account appeared under local users — confirming the package deployed correctly.
Security hardening is non-negotiable in any enterprise environment. This task required configuring Local Security Policy to enforce UAC (User Account Control) behavior — specifically, ensuring that any privileged action triggers a secure credential prompt and dims the desktop (Secure Desktop mode). This prevents malware from spoofing the UAC dialog.
I accessed secpol.msc, navigated to Local Policies → Security Options, and located the UAC settings. I configured "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to prompt for credentials on the secure desktop. Screenshots captured the before/after state of each policy setting.
Note: Some screens show the taskbar without my student name visible — because the UAC configuration window covered the desktop. All work was performed on my MacBook and the taskbar style is consistent throughout the project.
Standardized Start menu and taskbar layouts are a common enterprise requirement — IT departments often deploy a locked-down layout to ensure consistency across all endpoints. This task required pinning the Microsoft News app to the Start menu, then exporting the taskbar configuration to an XML file using PowerShell.
I pinned the app through the Start menu UI, then used Export-StartLayout and related cmdlets in PowerShell to export the configuration. The resulting layout file could be deployed company-wide through Group Policy — a direct bridge to what I'd implement on the server side later.
Network configuration via PowerShell is a core sysadmin skill. Rather than using the GUI, this task required setting a static IPv4 address of 192.168.168.101/24 directly through the command line using New-NetIPAddress. This approach is scriptable, repeatable, and deployable at scale — exactly how enterprise teams manage endpoints.
I identified the correct adapter using Get-NetAdapter, removed any existing DHCP-assigned address, and applied the static configuration. Running ipconfig /all after confirmed the address was correctly assigned to the adapter.
Storage Spaces is Windows' software-defined storage solution — it pools physical disks into resilient volumes. A 2-way mirror writes data to two disks simultaneously, providing fault tolerance if one drive fails. This task required creating a Storage Pool from available virtual disks, then creating a 2-way mirror virtual disk on top of it.
I navigated to Server Manager → File and Storage Services → Storage Pools, added the available disks to a pool, and created the mirrored virtual disk. The resulting volume was mounted and ready for use — setting up the foundation for the file sharing tasks that followed.
With the storage pool created, the next step was creating the File Share folder on the new volume — this would serve as the shared network resource for the next task. Placing it on the mirrored storage space ensures any data stored here has redundancy built in.
File sharing permissions in Windows are a two-layer system: Share permissions control network access at the share level, while NTFS permissions control access at the file system level. The effective permissions are the most restrictive of the two. This task required sharing the File Share folder with specific user access levels — read vs. read/write — matching a permission matrix defined in the course.
I right-clicked the folder, set up sharing through Advanced Sharing, configured the share permissions, then drilled into Security to set NTFS permissions. Each user/group was assigned the correct permission level and verified by reviewing the access control list.
Application deployment from the Microsoft Store is a standard workflow in modern endpoint management. This task required installing Microsoft Whiteboard from the Store — simulating how IT might push a collaboration app to a managed workstation. Post-install verification confirmed the app launched correctly and was visible in the Start menu.
File History is Windows' built-in backup and versioning solution — it automatically saves copies of files to a designated drive, allowing recovery of older versions. This task required configuring it to keep historical copies for 30 days, pointed at the storage space volume created earlier.
Note to evaluator: For this task, I was on my Mac just like all other tasks. The File History configuration steps were completed within the VMware environment — some screens may vary slightly due to virtualization layer differences with storage device detection.
The first challenge wasn't the server — it was the hardware. Building Windows Server 2022 on an Apple Silicon MacBook Air required using UTM, a virtualization platform for macOS that supports both ARM and x86 emulation. I created the primary Domain Controller VM (CLCT4003-1DC-MdRahatIslamAnik) with 4 vCPUs, 8GB RAM, and 64GB storage in x86_64 mode, then installed Windows Server 2022 Datacenter Evaluation (Desktop Experience) for full GUI access.
VM Specs — SRV01 (Domain Controller): 4 vCPUs · 8 GB RAM · 64 GB storage · x86_64 architecture · Windows Server 2022 Datacenter Evaluation (Desktop Experience)
This was the moment the server transformed from a standalone box into the authority of an enterprise domain. I installed the AD DS role through Server Manager's Add Roles and Features Wizard, selected CLCT4003-1DC-MdRahatIslamAnik as the target, and began the promotion process. Choosing "Add a new forest" created the root domain: anik.local.
The promotion wizard walked through DNS integration, Global Catalog designation, DSRM password creation, and confirmed the NetBIOS name ANIK. The wizard auto-generated a PowerShell deployment script — proof the configuration could be repeated and automated. After the final prerequisites check passed (with the expected DNS delegation warning in an isolated lab), the server rebooted and came back online as ANIK\Administrator — the domain controller of anik.local was live.
With the domain running, the next critical service was DHCP — the mechanism by which every client gets an IP address, gateway, and DNS server automatically. I installed the DHCP Server role on SRV01, first assigning a static IPv4 address to the server (192.168.6.10/24) to ensure DHCP and DNS services were anchored to a fixed address.
I created multiple scopes to simulate a multi-site enterprise network with offices in Toronto and Montreal. Each scope was configured with the correct subnet, IP range, exclusions, and scope options (Router 003, DNS Server 006, DNS Domain Name 015). A DHCP reservation for SRV02 ensured it would always receive the same IP regardless of lease renewal.
Scopes created: 10.10.10.0 Toronto Lab · 10.10.20.0 Toronto Office · 10.10.30.0 Montreal Lab · 10.10.40.0 Montreal Office · 192.168.6.0 CLCT4003-SCOPE (primary lab)
A single-server domain is a lab — an enterprise network needs member servers. I deployed a second Windows Server 2022 VM, CLCT4003-SRV02-MdRahatIslamAnik, destined to serve as the File Server and GPO Management node. The process mirrored SRV01's installation: create the UTM VM, install Windows Server 2022 Datacenter, set a local administrator password, rename the machine, and then complete the domain join to anik.local.
Joining the domain required pointing SRV02's DNS to the domain controller at 192.168.1.10, entering domain credentials, and confirming the "Welcome to the anik.local domain" message. A static IP (192.168.1.12) and DHCP reservation were then configured, and MAC address 7A-1C-33-A3-08-8B was logged for the reservation record.
Active Directory's power comes from organization. I opened Active Directory Users and Computers (ADUC) on the domain controller and built a full OU hierarchy under anik.local: Toronto, Montreal, Servers, Workstations, Groups, and Users — mirroring how a real enterprise organizes its directory structure by geography and function.
Inside each location OU, I created user accounts with proper UPN suffixes (toronto.user@anik.local, montreal.user@anik.local), enforced password-change-at-next-logon policies, and built Global Security Groups — Toronto-Users and Montreal-Users — adding each user to their respective group. This group structure would directly drive NTFS permissions and GPO filtering later.
Group Policy is the central nervous system of Windows domain management. I configured two GPOs: a user lockdown policy targeting the Toronto OU that restricted Start menu personalization, and a domain-wide password policy enforcing complexity, minimum length, history, and account lockout.
I opened the Group Policy Management Console (GPMC), created TOR-UserLockdown-GPO and linked it to the Toronto → Computers OU. Inside the policy editor, I navigated to Administrative Templates → Personalization and enabled the restriction on changing the Start menu background. For the password policy, I modified the Default Domain Policy: minimum length of 7, complexity enabled, maximum age of 42 days, and account lockout after 5 failed attempts with a 15-minute duration.
After applying changes with gpupdate /force on the domain controller, I ran gpresult /r on the workstation to confirm both GPOs were received and applied. I then deliberately triggered the account lockout by entering wrong credentials repeatedly — proving the lockout policy was enforced in real time.
File sharing in a domain environment brings together everything built so far: users, groups, permissions, and the servers. I created a CompanyShare folder on the domain controller under C:\, shared it over the network, and set up the permission matrix: Toronto-Users received Read access at the share level and Modify at the NTFS level; Montreal-Users received Change access at share and Modify at NTFS. Administrators retained Full Control.
From the workstation, I mapped Drive Z: using the montreal.user account — and then tested that Montreal could read files but not create or modify them, verifying the permissions were applied exactly as designed.
DNS is the backbone of an Active Directory domain — without it, nothing resolves. I opened DNS Manager on the domain controller, reviewed the server's network interface bindings, and configured an external DNS forwarder (Google DNS 8.8.8.8) to handle queries outside the anik.local namespace.
External forwarder validation failed in nslookup — this was expected and correct. UTM on Apple Silicon uses NAT-only networking, meaning the domain controller cannot reach external DNS servers directly (traffic is routed through the macOS host). This is a platform limitation, not a DNS misconfiguration. The forwarder settings are correctly configured for the lab environment.
The final proof of a working domain is the workstation. I configured the Windows 11 VM (GB-WS-01-ANIK) with DNS pointing to 192.168.10.10 (the domain controller), verified a successful ping to the DC, and ran nslookup to confirm name resolution. The domain join prompt required domain admin credentials — and returned the "Welcome to the anik.local domain" confirmation.
Post-join, the workstation received its DHCP-assigned IP, applied both computer and user GPOs (confirmed via gpresult /r), and successfully connected to the CompanyShare folder. Every service built throughout this case study — DHCP, DNS, AD DS, GPO, file sharing — was verified to be working end-to-end from a domain-joined client.
These two case studies weren't just coursework — they were a complete walkthrough of the enterprise Windows stack from both ends. On the client side, I learned how IT teams provision, harden, and manage endpoints at scale. On the server side, I built the infrastructure those endpoints connect to.
Working within hardware constraints — Apple Silicon, UTM's NAT networking — forced me to understand why configurations are done the way they are, not just how to click through wizards. Every limitation I documented taught me something a lab manual couldn't.
The skills demonstrated here aren't academic — they're the foundation of real systems administration work: AD DS, DHCP, GPO, NTFS permissions, PowerShell, Storage Spaces, provisioning packages. This is what enterprise Windows looks like before the cloud takes over — and understanding it makes every cloud migration conversation richer.
Forest creation, DC promotion, OU hierarchy, user/group administration, ADUC
DHCP multi-scope design, static IP assignment, DNS configuration, forwarders
GPO creation, linking, Administrative Templates, password policy, lockout simulation
Storage Spaces 2-way mirror, CompanyShare, NTFS + share permission layering
Windows 11 deployment, provisioning packages, local security policy, File History
Static IP assignment, gpupdate /force, Export-StartLayout, verification commands