Windows Infrastructure & Active Directory Management

Environment Overview

Component	Detail
Organization	Multi-site manufacturing company, 4 locations (anonymized)
User base	~100 users — office staff, production floor, management
Infrastructure	On-premises Windows Server + Microsoft 365 hybrid deployment
Role	Sole IT administrator — System Administrator → IT Manager
Responsibility scope	Full infrastructure stack: servers, AD, M365, networking, endpoints, backup, vendors

Active Directory Administration

Inherited an Active Directory environment with minimal documentation, inconsistent OU structure, and several legacy configurations carried forward from a previous IT provider. The environment was functional but not well-governed — stale user accounts, no standardized naming conventions, and Group Policy applied inconsistently across sites.

OU Structure & Account Management

Redesigned OU structure to reflect actual organizational hierarchy — department-based OUs for targeted GPO application
Audited all user accounts — disabled and eventually removed 23 stale accounts (terminated employees, vendors, temp staff) that retained active credentials
Implemented standardized naming convention for user accounts, computer accounts, and security groups
Created and maintained security groups for resource access — file share permissions, printer access, application licensing groups
Documented the full AD schema including all GPO linkages, security group memberships, and delegation assignments

Group Policy

Audited and rebuilt Group Policy to address security gaps and standardize desktop configurations across 4 sites:

GPO	Purpose	Scope
Security Baseline	Password complexity (12+ chars), account lockout after 5 failures, screen lock after 10 min inactivity	All domain-joined machines
Software Restriction	Block execution from user-writable paths (%AppData%, %Temp%) — mitigate macro malware and drive-by execution	Workstations (excluding dev machines)
Windows Firewall	Enforce Windows Defender Firewall on; block inbound connections except explicitly managed rules	All workstations
Windows Update	WSUS-directed updates, automatic install during maintenance window (2am Sun), defer feature updates 30 days	All domain-joined machines
Drive Mapping	Map departmental file shares at logon by OU membership — automated, no manual drive mapping required	All users
Printer Deployment	Deploy site-specific printers by OU — production floor, office, and management printers deployed silently	By site/department OU
BitLocker	Enforce BitLocker encryption on all laptops and portable workstations; store recovery keys in AD	Laptop OU

Windows Server Management

Server Infrastructure

Server Role	Configuration
Domain Controller (Primary)	Windows Server 2019 — AD DS, DNS, DHCP for primary site
Domain Controller (Secondary)	Windows Server 2019 — AD replication, DNS failover, DHCP failover cluster
File Server	Windows Server 2019 — departmental shares with NTFS + share-level permissions; DFS namespace for consistent UNC paths across sites
Print Server	Centralized print queue management; print driver deployment via GPO
WSUS Server	Windows Server Update Services — centralized patch management for all domain-joined machines

Server Maintenance & Patching

Monthly patch cycle: approve Patch Tuesday updates in WSUS → push to test group (IT machines) → monitor for 48hrs → approve for production deployment
Quarterly Windows Server patch cycle during planned production maintenance windows
Patch compliance tracking: achieved 95%+ 30-day patch compliance across all managed endpoints
Critical vulnerability patches (zero-day) fast-tracked outside normal cycle with same-day or next-business-day deployment

Microsoft 365 & Entra ID Administration

Managed the Microsoft 365 tenant alongside on-premises AD, maintaining hybrid identity with Entra ID Connect (Azure AD Connect) synchronization.

License management: Assigned and tracked M365 Business Premium licenses; reclaimed licenses from inactive accounts; saved ~$2,400/year in license waste identified during quarterly audit
Exchange Online: Managed mailboxes, shared mailboxes, distribution groups, mail flow rules; handled delivery issues and spam rule maintenance
SharePoint/OneDrive: Managed site permissions and storage quotas; migrated departmental file shares to SharePoint Online (project data and management-layer documents)
Teams administration: Managed team creation governance, external access policies, guest user lifecycle
MFA rollout: Planned and executed MFA enforcement campaign — from 40% voluntary enrollment to 100% enforced via Conditional Access
Intune MDM: Enrolled all corporate laptops; deployed compliance policy (BitLocker, AV, patch level); enforced via Conditional Access

Backup & Disaster Recovery

System	Configuration
Server backup	Nightly full backup of all servers to local NAS; weekly off-site rotation via Datto BCDR appliance — immutable backup with 1-year retention
Workstation backup	OneDrive known folder move — Desktop, Documents, Pictures synced to M365 for all users; no local-only data risk
Recovery testing	Quarterly bare-metal restore test on isolated network; documented RTO/RPO: <4 hours for file server, <8 hours for domain controller
AD backup	System State backup of both DCs nightly; AD recycle bin enabled for accidental deletion recovery

Vendor & Ticket Management

Managed all IT vendor relationships and served as the single point of contact for internal IT support:

Averaged 30 support tickets/week across all sites — hardware failures, account issues, application support, network troubleshooting
Managed ISP relationships for 4 sites — coordinated circuit upgrades, outage escalations, and SLA enforcement
Coordinated hardware procurement: standardized workstation spec across all sites, managed warranty claims and replacement logistics
Vendor management: SentinelOne, Fortinet, Microsoft, Datto, Ubiquiti

Key Achievements

Achievement	Detail
Patch compliance	95%+ endpoints within 30-day SLA — up from ~50% inherited baseline
License savings	~$2,400/year recovered from stale M365 license audit
AD hygiene	23 stale accounts disabled/removed; OU structure rebuilt with full documentation
Infrastructure uptime	99.8% availability across all 4 sites over 12-month period
MFA coverage	0% → 100% enforced MFA across all M365 users
Backup coverage	All servers and workstations covered; quarterly restore tests passed

Tools & Platforms

Windows Server 2019

Active Directory

Group Policy

WSUS

Microsoft 365

Entra ID (Azure AD)

Entra ID Connect

Exchange Online

SharePoint Online

Microsoft Intune

Datto BCDR

Datto RMM

PowerShell

DFS

Windows InfrastructureActive Directory & Server Management

Environment Overview

Active Directory Administration

OU Structure & Account Management

Group Policy

Windows Server Management

Server Infrastructure

Server Maintenance & Patching

Microsoft 365 & Entra ID Administration

Backup & Disaster Recovery

Vendor & Ticket Management

Key Achievements

Tools & Platforms

Windows Infrastructure
Active Directory & Server Management