NBA Active Directory IAM Project

A full Identity & Access Management (IAM) simulation using Microsoft Active Directory to model identity governance for an NBA organization.

Environment Overview

Active Directory Architecture

RBAC & Access Controls

Windows GUI Mockups (Windows Server 2022 – ADUC Style)

These panels visually represent the AD structure, RBAC model, GPO enforcement, NTFS permissions, automation, and auditing implemented in this project.

Active Directory OU Structure

Active Directory Users and Computers
nba.local
├── Players
├── Coaches
├── Analytics
├── Medical
├── FrontOffice
├── IT
├── PrivilegedRoles
└── DisabledUsers

Security Groups (RBAC)

Active Directory – Security Groups
GRP_Players      Global Security Group
GRP_Coaches      Global Security Group
GRP_Analytics    Global Security Group
GRP_Medical      Global Security Group
GRP_FrontOffice  Global Security Group
GRP_ITAdmins     Global Security Group
GRP_Helpdesk     Global Security Group

Group Policy Management

Group Policy Management Console
NBA-Password-Policy
• Minimum length: 14
• Password history: 24
• Max age: 90 days
• Complexity: Enabled
NBA-BitLocker-Policy
• Require TPM
• XTS-AES 256
NBA-MFA-Admins
• Require MFA for Tier 0/1
NBA-Disable-USB
• Removable storage: Blocked
NBA-Hardening
• SMB Signing Required
• Disable unsigned PowerShell scripts

File Server NTFS Permissions

FS01 – NTFS Permissions
\\FS01\Coaches
• Coaches Group → Modify
• IT Admins → Full Control
\\FS01\Analytics
• Analytics Group → Modify
• IT Admins → Full Control
\\FS01\Medical
• Medical Group → Full Control
• IT Admins → Full Control
\\FS01\Players
• Players Group → Read
\\FS01\Shared
• Authenticated Users → Read

PowerShell Automation

Windows PowerShell
PS C:\Scripts> .\New-NBAUser.ps1 -Name "John Doe" -Role "Analytics"
[+] Creating AD account...
[+] Assigning security groups: GRP_Analytics
[+] Creating home directory: \\FS01\Users\jdoe
[+] Applying baseline GPO
[✓] User creation complete.

PS C:\Scripts> .\Update-NBAUserRole.ps1 -User jdoe -NewRole "Coaches"
[+] Removing old groups...
[+] Adding new groups: GRP_Coaches
[+] Updating permissions...
[✓] Role update complete.

PS C:\Scripts> .\Disable-NBAUser.ps1 -User jdoe
[+] Disabling account...
[+] Revoking sessions...
[+] Archiving home directory...
[+] Moving to DisabledUsers OU
[✓] Offboarding complete.
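As an added example (not the project's own Update-NBAUserRole.ps1), the role-change step above implemented with the ActiveDirectory RSAT module against the GRP_* groups from the RBAC panel; the role-to-group map, the `info` attribute stamp and the `-WhatIf` support are assumptions of this example.

```powershell
# Added example, not the project's script: swap a user between RBAC roles by
# touching only the role-bearing GRP_* groups. Assumes the ActiveDirectory module
# (RSAT) and the nba.local groups shown in the Security Groups panel.
Import-Module ActiveDirectory

# Role -> security group mapping taken from the RBAC panel (one role, one group).
$RoleGroups = @{
    Players     = 'GRP_Players'
    Coaches     = 'GRP_Coaches'
    Analytics   = 'GRP_Analytics'
    Medical     = 'GRP_Medical'
    FrontOffice = 'GRP_FrontOffice'
    IT          = 'GRP_ITAdmins'
    Helpdesk    = 'GRP_Helpdesk'
}

function Update-NBAUserRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)]
        [ValidateSet('Players','Coaches','Analytics','Medical','FrontOffice','IT','Helpdesk')]
        [string] $NewRole
    )

    $account = Get-ADUser -Identity $User
    $target  = $RoleGroups[$NewRole]

    # Remove only the *other* role groups from the map. Memberships the script does
    # not own (JIT elevation in GRP_ITAdmins, distribution lists) are left untouched,
    # so a role change can never silently strip or grant rights outside the model.
    $stale = Get-ADPrincipalGroupMembership -Identity $account |
             Where-Object { $_.Name -in $RoleGroups.Values -and $_.Name -ne $target }

    foreach ($g in $stale) {
        if ($PSCmdlet.ShouldProcess($account.SamAccountName, "Remove from $($g.Name)")) {
            Remove-ADGroupMember -Identity $g -Members $account -Confirm:$false
        }
    }
    if ($PSCmdlet.ShouldProcess($account.SamAccountName, "Add to $target")) {
        Add-ADGroupMember -Identity $target -Members $account
    }

    # Stamp who changed the role and when on the account; the DC's own 4728/4729
    # group-membership events give the auditing dashboard the matching trail.
    $stamp = "Role=$NewRole; ChangedBy=$env:USERNAME; At=$(Get-Date -Format o)"
    Set-ADUser -Identity $account -Replace @{ info = $stamp }
}

# Mirrors the mockup session; add -WhatIf to preview the group changes first.
# Update-NBAUserRole -User jdoe -NewRole Coaches -WhatIf
```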

Privileged Access Model

Privileged Access Model
Tier 0 – Domain Admins
• Full domain control
• Protected accounts
Tier 1 – Server Admins
• Manage FS01, APP01, DC01
• No domain-wide rights
Tier 2 – Helpdesk
• Password resets
• Basic user support
JIT Elevation
• Temporary membership in GRP_ITAdmins
• Approval required

Auditing Dashboard

Security Monitoring Dashboard
Recent Events
• 12 Logon failures (Players OU)
• 3 Group membership changes (Analytics)
• 1 GPO modification (NBA-Password-Policy)
• 5 File access alerts (Medical folder)
Privileged Activity
• 2 JIT elevation requests
• 1 Domain Admin logon
Compliance Status
• BitLocker: 100%
• MFA for Admins: Enabled
• Password Policy: Enforced

Outcome

This project demonstrates practical IAM engineering skills including identity governance, least-privilege enforcement, privileged access management, lifecycle automation, and enterprise-grade security controls.
