User anlegen dc: Unterschied zwischen den Versionen
(Die Seite wurde neu angelegt: „ <pre> # === AD-Lab Setup + Kerberos-Audit-GPO (Windows Server 2022 / Domäne lab.int) === # Als Domain Admin auf dem DC ausführen. Import-Module ActiveDirec…“) |
|||
| Zeile 1: | Zeile 1: | ||
| − | |||
<pre> | <pre> | ||
| − | # === AD-Lab Setup + Kerberos-Audit-GPO ( | + | # ============================================ |
| − | + | # AD-Lab Setup + Kerberos-Audit-GPO (Server 2022) | |
| + | # Domäne: lab.int Passwort: 123Start$ | ||
| + | # ============================================ | ||
| + | $ErrorActionPreference = 'Stop' | ||
Import-Module ActiveDirectory | Import-Module ActiveDirectory | ||
Import-Module GroupPolicy | Import-Module GroupPolicy | ||
| − | $Domain | + | # --- Basis --- |
| − | $DomainDN | + | $Domain = Get-ADDomain |
| − | $Pwd | + | $DomainDN = $Domain.DistinguishedName |
| + | $Pwd = ConvertTo-SecureString '123Start$' -AsPlainText -Force | ||
| − | Write-Host " | + | Write-Host "1) OUs anlegen ..." -ForegroundColor Cyan |
$ous = "Admins","Users","Servers","Workstations","Service Accounts" | $ous = "Admins","Users","Servers","Workstations","Service Accounts" | ||
foreach ($ou in $ous) { | foreach ($ou in $ous) { | ||
| Zeile 19: | Zeile 22: | ||
} | } | ||
| − | Write-Host " | + | Write-Host "2) Gruppen anlegen ..." -ForegroundColor Cyan |
| + | # Gruppen unter OU=Users (rein fürs Lab) | ||
$groups = @( | $groups = @( | ||
| − | @{ Name="Share-Readers"; | + | @{ Name="Share-Readers"; Scope="Global"; Path="OU=Users,$DomainDN" }, |
| − | @{ Name="Share-Contributors"; | + | @{ Name="Share-Contributors"; Scope="Global"; Path="OU=Users,$DomainDN" } |
) | ) | ||
foreach ($g in $groups) { | foreach ($g in $groups) { | ||
| Zeile 30: | Zeile 34: | ||
} | } | ||
| − | Write-Host " | + | Write-Host "3) Standard-User (OU=Users) ..." -ForegroundColor Cyan |
$users = @("alice","bob","charlie") | $users = @("alice","bob","charlie") | ||
foreach ($u in $users) { | foreach ($u in $users) { | ||
| Zeile 39: | Zeile 43: | ||
} | } | ||
| − | Write-Host " | + | Write-Host "4) Admin-User (OU=Admins) + Rechte ..." -ForegroundColor Cyan |
| − | if (-not (Get-ADUser -Filter "sAMAccountName -eq ' | + | $admins = @("helpdesk1","itadmin") |
| − | + | foreach ($a in $admins) { | |
| − | + | if (-not (Get-ADUser -Filter "sAMAccountName -eq '$a'" -ErrorAction SilentlyContinue)) { | |
| + | New-ADUser -Name $a -SamAccountName $a -Path "OU=Admins,$DomainDN" ` | ||
| + | -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null | ||
| + | } | ||
} | } | ||
| − | + | # Exakte DN der Builtin/Users-Gruppen verwenden (robust in allen Sprachen) | |
| − | + | $dnDomainAdmins = "CN=Domain Admins,CN=Users,$DomainDN" | |
| − | + | $dnServerOps = "CN=Server Operators,CN=Builtin,$DomainDN" | |
| − | + | $dnAdminsBU = "CN=Administrators,CN=Builtin,$DomainDN" | |
| − | + | Try { Add-ADGroupMember -Identity $dnDomainAdmins -Members "helpdesk1" } Catch {} | |
| − | Try { Add-ADGroupMember -Identity | + | Try { Add-ADGroupMember -Identity $dnServerOps -Members "itadmin" } Catch {} |
| − | Try { Add-ADGroupMember -Identity | + | Try { Add-ADGroupMember -Identity $dnAdminsBU -Members "itadmin" } Catch {} |
| − | Try { Add-ADGroupMember -Identity | ||
| − | Write-Host " | + | Write-Host "5) Service-Account + SPN ..." -ForegroundColor Cyan |
if (-not (Get-ADUser -Filter "sAMAccountName -eq 'svc_web'" -ErrorAction SilentlyContinue)) { | if (-not (Get-ADUser -Filter "sAMAccountName -eq 'svc_web'" -ErrorAction SilentlyContinue)) { | ||
New-ADUser -Name "svc_web" -SamAccountName "svc_web" -Path "OU=Service Accounts,$DomainDN" ` | New-ADUser -Name "svc_web" -SamAccountName "svc_web" -Path "OU=Service Accounts,$DomainDN" ` | ||
-AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null | -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null | ||
} | } | ||
| − | # | + | # <<< Falls dein Member-Server anders heißt, DIESEN Namen anpassen >>> |
| − | + | & setspn.exe -S HTTP/member.lab.int svc_web | Out-Null | |
| − | Write-Host " | + | Write-Host "6) Share-Gruppen befüllen ..." -ForegroundColor Cyan |
| − | Try { Add-ADGroupMember -Identity "Share-Readers" -Members "alice","charlie" | + | Try { Add-ADGroupMember -Identity "Share-Readers" -Members "alice","charlie" } Catch {} |
| − | Try { Add-ADGroupMember -Identity "Share-Contributors" -Members "bob" | + | Try { Add-ADGroupMember -Identity "Share-Contributors" -Members "bob" } Catch {} |
| − | Write-Host " | + | Write-Host "7) Kerberos-Audit-GPO erstellen + verlinken ..." -ForegroundColor Cyan |
$gpoName = "LAB Kerberos Auditing" | $gpoName = "LAB Kerberos Auditing" | ||
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue | $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue | ||
if (-not $gpo) { $gpo = New-GPO -Name $gpoName } | if (-not $gpo) { $gpo = New-GPO -Name $gpoName } | ||
| − | # | + | # Direkt auf die Domäne verlinken (erzwingen) |
| − | + | New-GPLink -Name $gpo.DisplayName -Target $DomainDN -Enforced Yes -LinkEnabled Yes | Out-Null | |
| − | |||
| − | |||
| − | |||
| − | # Advanced Audit Policy | + | # Advanced Audit Policy (4768/4769/4624/4672) |
| − | # | + | # HKLM\Software\Policies\Microsoft\Windows\Audit (DWORD: 1=Success, 2=Failure, 3=Both) |
$AuditKey = "HKLM\Software\Policies\Microsoft\Windows\Audit" | $AuditKey = "HKLM\Software\Policies\Microsoft\Windows\Audit" | ||
$policies = @( | $policies = @( | ||
| − | @{Name="AuditKerberosAuthenticationService"; Value=3}, | + | @{Name="AuditKerberosAuthenticationService"; Value=3}, # 4768 |
| − | @{Name="AuditKerberosServiceTicketOperations"; Value=3}, # 4769 | + | @{Name="AuditKerberosServiceTicketOperations"; Value=3}, # 4769 |
| − | @{Name="AuditLogon"; Value=1}, | + | @{Name="AuditLogon"; Value=1}, # 4624 (Success) |
| − | @{Name="AuditSpecialLogon"; Value=1} | + | @{Name="AuditSpecialLogon"; Value=1} # 4672 (Success) |
) | ) | ||
foreach ($p in $policies) { | foreach ($p in $policies) { | ||
| Zeile 89: | Zeile 92: | ||
} | } | ||
| − | # Security-Log größer | + | # Security-Log größer + überschreiben (Lab) |
| − | # | + | # HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security |
$EventLogKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" | $EventLogKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security" | ||
| − | Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName "MaxSize" | + | Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName "MaxSize" -Type DWord -Value 131072 # 128 MB (KB) |
| − | Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName "Retention" -Type DWord -Value 0 | + | Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName "Retention" -Type DWord -Value 0 # Overwrite as needed |
| − | Write-Host " | + | Write-Host "8) GPUpdate auf dem DC ..." -ForegroundColor Cyan |
gpupdate /force | Out-Null | gpupdate /force | Out-Null | ||
| − | Write-Host "` | + | Write-Host "`n✅ Fertig. OUs, User, Gruppen, SPN und Kerberos-Audit-GPO sind eingerichtet." -ForegroundColor Green |
| − | Write-Host " | + | Write-Host " Auf Member/Client nach Domain-Join: gpupdate /force (oder 10–20 Min. warten)." -ForegroundColor Yellow |
| + | |||
| + | |||
</pre> | </pre> | ||
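Review bot: The rewritten `Try { Add-ADGroupMember ... } Catch {}` lines (the Domain Admins / Server Operators / Administrators assignments and the two Share-* membership lines) swallow every error, so a run in which helpdesk1 never actually lands in Domain Admins still ends with the green "✅ Fertig" banner. The empty Catch is presumably there so a re-run's "already a member" error does not abort the script, but the failure should at least be reported, e.g. `Catch { Write-Warning ("Add-ADGroupMember " + $dnDomainAdmins + ": " + $_.Exception.Message) }`. The new `New-GPLink ... -Enforced Yes -LinkEnabled Yes` line has the opposite problem: together with the added `$ErrorActionPreference = 'Stop'` it throws on the second run because the link already exists, so it should be guarded by a lookup in `(Get-GPInheritance -Target $DomainDN).GpoLinks` (or followed by `Set-GPLink` when the link is found). Whether the DWORDs written under `HKLM\Software\Policies\Microsoft\Windows\Audit` are honoured as advanced audit policy is worth verifying on a client with `auditpol /get /category:*` after gpupdate, since GPO-delivered advanced audit settings are normally carried by the Security Settings extension (audit.csv) rather than registry values.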
Version vom 12. August 2025, 16:51 Uhr
# ============================================
# AD lab setup + Kerberos audit GPO (Server 2022)
# Domain: lab.int   Lab password: 123Start$
# ============================================
# Run as Domain Admin on the DC. From here on every cmdlet error is terminating,
# so a failed step aborts the script instead of silently continuing.
$ErrorActionPreference = 'Stop'
Import-Module -Name ActiveDirectory
Import-Module -Name GroupPolicy

# --- Base values used by every later step ---
$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName
# One throw-away password for every account created below.
# NOTE(review): the literal is visible in this file and in any transcript; for anything
# beyond a disposable lab read it with Read-Host -AsSecureString instead.
# NOTE(review): $Pwd is spelled like the automatic variable $PWD (variable names are
# case-insensitive). Later steps reference $Pwd, so the name is kept — confirm the
# assignment is accepted in the scope you run this from.
$Pwd = ConvertTo-SecureString -String '123Start$' -AsPlainText -Force
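Write-Host "1) OUs anlegen ..." -ForegroundColor Cyan
# Lab OU layout directly under the domain root. Each OU is created only when it does
# not already exist at that level, so the script can be re-run.
$ous = "Admins","Users","Servers","Workstations","Service Accounts"
foreach ($ou in $ous) {
    # -SearchScope OneLevel: look only directly under the domain root. The default
    # Subtree search would also match a same-named OU nested somewhere else and then
    # skip creating the root-level one that the later "OU=...,$DomainDN" paths rely on.
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $DomainDN -SearchScope OneLevel -ErrorAction SilentlyContinue
    if (-not $existing) {
        # Deletion protection is switched off on purpose: this is a disposable lab.
        New-ADOrganizationalUnit -Name $ou -Path $DomainDN -ProtectedFromAccidentalDeletion:$false | Out-Null
    }
}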
Write-Host "2) Gruppen anlegen ..." -ForegroundColor Cyan
# Two global security groups under OU=Users (lab only; a real domain would keep
# groups in their own OU). Creation is skipped when a group of that name already
# exists anywhere under the domain root.
$groups = @(
    @{ Name = "Share-Readers";      Scope = "Global"; Path = "OU=Users,$DomainDN" },
    @{ Name = "Share-Contributors"; Scope = "Global"; Path = "OU=Users,$DomainDN" }
)
foreach ($g in $groups) {
    $name  = $g.Name
    $found = Get-ADGroup -LDAPFilter "(cn=$name)" -SearchBase $DomainDN -ErrorAction SilentlyContinue
    if ($null -eq $found) {
        $newGroup = @{
            Name          = $name
            GroupScope    = $g.Scope
            GroupCategory = 'Security'
            Path          = $g.Path
        }
        New-ADGroup @newGroup | Out-Null
    }
}
Write-Host "3) Standard-User (OU=Users) ..." -ForegroundColor Cyan
# Three plain lab users in OU=Users, all with the shared lab password.
# PasswordNeverExpires keeps the lab working past the default maximum password age.
$users = @("alice","bob","charlie")
foreach ($u in $users) {
    $filter = "sAMAccountName -eq '$u'"
    if (Get-ADUser -Filter $filter -ErrorAction SilentlyContinue) { continue }
    $newUser = @{
        Name                 = $u
        SamAccountName       = $u
        Path                 = "OU=Users,$DomainDN"
        AccountPassword      = $Pwd
        Enabled              = $true
        PasswordNeverExpires = $true
    }
    New-ADUser @newUser | Out-Null
}
Write-Host "4) Admin-User (OU=Admins) + Rechte ..." -ForegroundColor Cyan
# Two lab admin accounts in OU=Admins; their group privileges are assigned right after.
$admins = @("helpdesk1","itadmin")
foreach ($a in $admins) {
    $exists = Get-ADUser -Filter "sAMAccountName -eq '$a'" -ErrorAction SilentlyContinue
    if ($exists) { continue }
    $adminUser = @{
        Name                 = $a
        SamAccountName       = $a
        Path                 = "OU=Admins,$DomainDN"
        AccountPassword      = $Pwd
        Enabled              = $true
        PasswordNeverExpires = $true   # lab convenience only; not appropriate for privileged accounts
    }
    New-ADUser @adminUser | Out-Null
}
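# Use the exact DNs of the built-in / Users-container groups instead of display
# names, which are localized on non-English DCs.
$dnDomainAdmins = "CN=Domain Admins,CN=Users,$DomainDN"
$dnServerOps    = "CN=Server Operators,CN=Builtin,$DomainDN"
$dnAdminsBU     = "CN=Administrators,CN=Builtin,$DomainDN"

# Deliberately over-privileged lab accounts (Domain Admins, Server Operators,
# Administrators). Lab only — do not reuse this assignment in a real domain.
$memberships = @(
    @{ Group = $dnDomainAdmins; Member = "helpdesk1" },
    @{ Group = $dnServerOps;    Member = "itadmin"   },
    @{ Group = $dnAdminsBU;     Member = "itadmin"   }
)
foreach ($m in $memberships) {
    # Best-effort: "already a member" on a re-run must not abort the script, but the
    # error is reported rather than hidden by an empty Catch — otherwise a failed
    # privilege assignment would go unnoticed behind the final success banner.
    try {
        Add-ADGroupMember -Identity $m.Group -Members $m.Member
    } catch {
        Write-Warning "Add-ADGroupMember $($m.Group) <- $($m.Member): $($_.Exception.Message)"
    }
}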
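Write-Host "5) Service-Account + SPN ..." -ForegroundColor Cyan
# Service account in OU=Service Accounts, registered with an SPN — presumably so that
# service-ticket requests for it (4769) appear in the audit log.
$svcFilter = "sAMAccountName -eq 'svc_web'"
if (-not (Get-ADUser -Filter $svcFilter -ErrorAction SilentlyContinue)) {
    New-ADUser -Name "svc_web" -SamAccountName "svc_web" -Path "OU=Service Accounts,$DomainDN" `
        -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
}
# <<< If your member server has a different name, change THIS value >>>
$webSpn = "HTTP/member.lab.int"
# setspn -S refuses to register a duplicate SPN. It is a native executable, and on
# Windows PowerShell 5.1 a non-zero native exit code does not trigger
# $ErrorActionPreference = 'Stop', so check $LASTEXITCODE explicitly instead of
# discarding the output with Out-Null.
$spnOutput = & setspn.exe -S $webSpn svc_web
if ($LASTEXITCODE -ne 0) {
    Write-Warning "setspn -S $webSpn svc_web failed (exit $LASTEXITCODE): $($spnOutput -join ' ')"
}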
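Write-Host "6) Share-Gruppen befüllen ..." -ForegroundColor Cyan
# Best-effort: "already a member" on a re-run is expected and must not abort the
# script, but the error is reported instead of being hidden by an empty Catch.
$shareMembers = @(
    @{ Group = "Share-Readers";      Members = @("alice","charlie") },
    @{ Group = "Share-Contributors"; Members = @("bob") }
)
foreach ($s in $shareMembers) {
    try {
        Add-ADGroupMember -Identity $s.Group -Members $s.Members
    } catch {
        Write-Warning "Add-ADGroupMember $($s.Group) <- $($s.Members -join ','): $($_.Exception.Message)"
    }
}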
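Write-Host "7) Kerberos-Audit-GPO erstellen + verlinken ..." -ForegroundColor Cyan
$gpoName = "LAB Kerberos Auditing"
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Link directly at the domain root, enforced and enabled.
# New-GPLink throws when the link already exists, which under
# $ErrorActionPreference = 'Stop' aborted every re-run of this script — so reuse an
# existing link (and make sure it is enforced/enabled) instead of creating it twice.
$existingLink = (Get-GPInheritance -Target $DomainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpo.DisplayName }
if ($existingLink) {
    Set-GPLink -Name $gpo.DisplayName -Target $DomainDN -Enforced Yes -LinkEnabled Yes | Out-Null
} else {
    New-GPLink -Name $gpo.DisplayName -Target $DomainDN -Enforced Yes -LinkEnabled Yes | Out-Null
}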
# Advanced audit policy for the Kerberos / logon events of interest:
#   4768 TGT request, 4769 service-ticket request, 4624 logon, 4672 special privileges.
# Written as DWORDs under HKLM\Software\Policies\Microsoft\Windows\Audit
# (1 = Success, 2 = Failure, 3 = Both).
# NOTE(review): GPO-delivered advanced audit policy is normally carried by the
# Security Settings extension (audit.csv in SYSVOL), not by these registry values —
# verify on a client after gpupdate with `auditpol /get /category:*` that the
# subcategories really changed.
$AuditKey = "HKLM\Software\Policies\Microsoft\Windows\Audit"
$policies = @(
    @{ Name = "AuditKerberosAuthenticationService";   Value = 3 },  # 4768, success + failure
    @{ Name = "AuditKerberosServiceTicketOperations"; Value = 3 },  # 4769, success + failure
    @{ Name = "AuditLogon";                           Value = 1 },  # 4624, success only
    @{ Name = "AuditSpecialLogon";                    Value = 1 }   # 4672, success only
)
foreach ($p in $policies) {
    $regValue = @{
        Name      = $gpoName
        Key       = $AuditKey
        ValueName = $p.Name
        Type      = 'DWord'
        Value     = $p.Value
    }
    Set-GPRegistryValue @regValue
}
# Enlarge the Security log and let it overwrite old entries (lab setting; a production
# domain would forward events to a collector rather than rely on local retention).
# Policy key: HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
$EventLogKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security"
$logSettings = @{
    MaxSize   = 131072   # in KB -> 128 MB
    Retention = 0        # 0 = overwrite events as needed
}
foreach ($valueName in @('MaxSize', 'Retention')) {
    Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName $valueName -Type DWord -Value $logSettings[$valueName]
}
Write-Host "8) GPUpdate auf dem DC ..." -ForegroundColor Cyan
# Apply the new GPO on the DC right away; the command output is not needed.
$null = gpupdate /force
Write-Host "`n✅ Fertig. OUs, User, Gruppen, SPN und Kerberos-Audit-GPO sind eingerichtet." -ForegroundColor Green
Write-Host " Auf Member/Client nach Domain-Join: gpupdate /force (oder 10–20 Min. warten)." -ForegroundColor Yellow