Project Overview
This project simulates an enterprise-level IT security and help desk management workflow by implementing an Active Directory (AD) account lockout policy using Group Policy (GPO) on Azure VMs and integrating it with an osTicket-based IT support system.
The setup consists of:
- An Active Directory domain environment (DC-1 & Client-1) on Azure VMs.
- A Group Policy Object (GPO) enforcing account lockout after multiple failed login attempts.
- A separate osTicket help desk system (osticket-vm) for managing user support requests.
The workflow follows best practices in IT security and user support, ensuring that:
- A user exceeds the failed login attempt limit and gets locked out.
- They submit a help desk ticket via osTicket requesting account access.
- An IT administrator verifies, unlocks the account, and resets the password securely.
This project demonstrates a structured IT workflow, combining Active Directory security policies with a help desk ticketing system, mirroring real-world enterprise IT operations.
Key Components of the Project
Project Goal
This project highlights critical IT administration and security best practices, including:
- Implementing a GPO-based account lockout policy to prevent brute-force attacks.
- Managing locked accounts and password resets in an Active Directory environment.
- Simulating an IT help desk workflow using osTicket for structured support requests.
- Ensuring secure authentication and IT support operations via network segmentation.
Tools & Technologies Used
Microsoft Azure – Hosts the virtual machines and network infrastructure.
Azure Virtual Machines (VMs) – Simulates enterprise IT environments.
Active Directory Domain Services (AD DS) – Manages users, authentication, and security policies.
Group Policy Management Console (GPMC) – Enforces security settings via GPO.
Virtual Network (VNet) Segmentation – Isolates authentication and IT support functions.
osTicket Help Desk System – Provides structured IT support ticketing.
Remote Desktop Connection (RDC) using RDP – Enables secure VM access.
Windows PowerShell & Command Prompt – Used for administrative configurations.
Azure Virtual Machines & Network Segmentation
This project deploys a secure, enterprise IT environment in Azure, featuring two distinct Virtual Networks (VNets) to separate authentication services (Active Directory) from IT support operations (osTicket).
VNet 1: Active Directory Domain Network
This private network contains the Active Directory domain infrastructure:
DC-1 (Windows Server – Domain Controller)
- Hosts Active Directory Domain Services (AD DS).
- Manages user authentication, security policies, and account lockout settings.
- Acts as the primary DNS server for domain-joined machines.
Client-1 (Windows 10 Workstation – Domain-Joined Client)
- Manually joined to DC-1 via custom DNS configuration.
- Simulates a domain user attempting to log in, getting locked out, and requesting support.
- Communicates with DC-1 for authentication and security enforcement.
VNet 2: Help Desk Network (osTicket System)
This isolated network contains the help desk infrastructure:
osTicket-VM (Windows 10 – osTicket Help Desk System)
- Hosts the osTicket help desk software.
- Exists outside the Active Directory domain for security isolation.
- Provides an IT support portal for password reset requests.
- Uses public DNS for external web connectivity.
Configuring Account Lockout Policies with Group Policy (GPO)
Before handling password resets, the IT administrator must enforce an account lockout policy to protect the domain from unauthorized access and brute-force attacks.
Steps to Implement the Account Lockout Policy
Open Group Policy Management Console (GPMC) on DC-1 (gpmc.msc).
Create a new GPO named "Account Lockout Policy".
Navigate to:
Modify Account Lockout Threshold:
- Set 5 failed attempts before an account is locked.
Step 2: Apply & Update Group Policy on client-1
Log into client-1 as mydomain.com\jane_admin via RDP.
Open Windows PowerShell and run:
gpupdate /force
This forces client-1 to apply the newly created Account Lockout Policy from DC-1.
Verify the policy update on client-1: press Win+R, type cmd, then run gpresult /r to verify the policy update.
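A check of what the domain actually enforces after Steps 1 and 2, as an added example that is not part of the original project. Lockout settings apply to domain accounts only from a GPO linked at the domain root, so the script checks that link and then the effective threshold; it assumes it runs on DC-1 with the ActiveDirectory and GroupPolicy modules available.

```powershell
# Added example (not from the original project). Run on DC-1 in an elevated
# PowerShell session; needs the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$gpoName   = 'Account Lockout Policy'   # GPO name used in this write-up
$threshold = 5                          # failed attempts configured in Step 1
$domain    = Get-ADDomain

# Lockout settings reach domain accounts only from GPOs linked at the domain root.
$link = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }

if (-not $link) {
    Write-Warning "'$gpoName' is not linked at $($domain.DistinguishedName); domain accounts will not pick up its lockout settings."
} elseif (-not $link.Enabled) {
    Write-Warning "'$gpoName' is linked at the domain root but the link is disabled."
} else {
    "GPO link found at domain root (order $($link.Order), enforced: $($link.Enforced))"
}

# What the domain enforces right now, regardless of which GPO set it.
$effective = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
$effective | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

if ($effective.LockoutThreshold -ne $threshold) {
    Write-Warning "Effective threshold is $($effective.LockoutThreshold), expected $threshold. A threshold of 0 means accounts never lock."
}
```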
Step 3: Simulating an Account Lockout
User carin.mev attempts to log in on client-1.
Enters an incorrect password 5 times.
Active Directory automatically locks the account.
User is unable to log in and contacts IT support via osTicket.
Step 4: User Submits a Password Reset Request in osTicket
User (carin.mev) logs into osTicket on osticket-vm and submits a request for IT assistance:
Subject: Account Locked – Need Immediate Assistance
Message:
“Hello IT Team, I attempted to log into my account (mydomain.com\carin.mev) and after multiple failed attempts, I am now locked out. Could you please unlock my account and reset my password? Thank you.”
Ticket is submitted and assigned to the IT Help Desk.
Step 5: IT Support Resolves the Ticket in osTicket & Unlocks the Account
The IT support agent assigned to the ticket (Kareem Hussein) logs into osTicket on osticket-vm.
Finds the ticket submitted by carin.mev and updates the status to “In Progress.”
Logs into DC-1 via RDP to unlock the account and reset the password.
Opens Active Directory Users and Computers (ADUC) (dsa.msc).
Navigates to:
mydomain.com > _EMPLOYEES > carin.mev
Right-clicks carin.mev → Selects Reset Password.
Performs both actions at the same time:
- New password: TempPass123!
- Checks “Unlock Account”.
- Checks “User must change password at next logon” for security.
- Clicks Apply & OK.
Updates the osTicket ticket:
IT Support Response to carin.mev:
“Hello Carin, your account has been unlocked, and your password has been reset to a temporary password: TempPass123!.
You will be prompted to change your password upon logging in. Please try logging in again and let us know if you need further assistance. Ticket marked as resolved. Thank you!”
Ticket is marked as “Resolved” in osTicket.
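The Step 5 unlock and reset done from PowerShell instead of ADUC, as an added example that is not part of the original project. It confirms the lockout and lists the matching lockout events (ID 4740) before changing anything, and generates a random temporary password per ticket; it assumes User Account Management auditing is enabled on the domain controller, and `New-TempPassword` is a hypothetical helper defined here.

```powershell
# Added example (not from the original project). Run on DC-1 as a domain admin.
Import-Module ActiveDirectory

function New-TempPassword {             # hypothetical helper, defined here
    param([int]$Length = 16)
    # 64-character alphabet, so (byte % 64) introduces no modulo bias
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%*+-='
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
    } finally { $rng.Dispose() }
    return $pw
}

$user = 'carin.mev'                     # account named in the ticket
$pdc  = (Get-ADDomain).PDCEmulator      # lockouts are recorded on the PDC emulator

# 1. Confirm the account is actually locked before touching it.
$acct = Get-ADUser -Identity $user -Server $pdc -Properties LockedOut, AccountLockoutTime, LastBadPasswordAttempt
if (-not $acct.LockedOut) { throw "$user is not locked out; nothing to unlock." }
$acct | Select-Object SamAccountName, LockedOut, AccountLockoutTime, LastBadPasswordAttempt

# 2. Review where the lockout came from: event 4740 names the caller computer.
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24) } |
    Where-Object { $_.Properties[0].Value -eq $user } |
    Select-Object TimeCreated,
        @{ n = 'User';           e = { $_.Properties[0].Value } },
        @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }

# 3. Reset to a one-time password, force a change at next logon, then unlock.
$temp = New-TempPassword
Set-ADAccountPassword -Identity $user -Server $pdc -Reset `
    -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)
Set-ADUser -Identity $user -Server $pdc -ChangePasswordAtLogon $true
Unlock-ADAccount -Identity $user -Server $pdc

"Temporary password for ${user}: $temp"
```

If the caller computer in step 2 is not a machine the user normally signs in from (client-1 in this lab), treat the lockout as something to investigate before unlocking.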
Step 6: User Logs In with the New Password
User logs into client-1 with:
mydomain.com\carin.mev
Password: TempPass123!
Prompted to change password immediately.
Successfully logs into the Active Directory domain with the carin.mev user account.
Final Results & Takeaways
Enterprise-Level Account Lockout Security – Enforced GPO-based lockout policies.
osTicket Help Desk Integration – Managed locked accounts & password resets securely.
Simulated IT Support Communication – Demonstrated real-world ticket handling workflows.
Account Lockout Security Measures – Prevented brute-force attacks.
Future Enhancements:
Implement Multi-Factor Authentication (MFA) for better security.
Automate password reset workflows using PowerShell.
Deploy Group Policy Objects (GPOs) for advanced security enforcement.
This project demonstrates enterprise IT skills in Active Directory administration, security enforcement, and IT support workflows using GPOs and osTicket Help Desk Systems.