User anlegen dc: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
Zeile 2: Zeile 2:
 
# ============================================
 
# ============================================
 
# AD-Lab Setup + Kerberos-Audit-GPO (Server 2022)
 
# AD-Lab Setup + Kerberos-Audit-GPO (Server 2022)
# Domäne: lab.int  Passwort: 123Start$
+
# Domain: lab.int  Passwort: 123Start$
 +
# Idempotent: Ja
 
# ============================================
 
# ============================================
  
Zeile 15: Zeile 16:
  
 
Write-Host "1) OUs anlegen ..." -ForegroundColor Cyan
 
Write-Host "1) OUs anlegen ..." -ForegroundColor Cyan
$ous = "Admins","Users","Servers","Workstations","Service Accounts"
+
# WICHTIG: Keine OU=Users anlegen (CN=Users existiert standardmäßig)
 +
$ous = "Admins","Servers","Workstations","Service Accounts","Lab Users"
 
foreach ($ou in $ous) {
 
foreach ($ou in $ous) {
   if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $DomainDN -ErrorAction SilentlyContinue)) {
+
   $exists = Get-ADObject -LDAPFilter "(name=$ou)" -SearchBase $DomainDN -ErrorAction SilentlyContinue
 +
  if (-not $exists) {
 
     New-ADOrganizationalUnit -Name $ou -Path $DomainDN -ProtectedFromAccidentalDeletion:$false | Out-Null
 
     New-ADOrganizationalUnit -Name $ou -Path $DomainDN -ProtectedFromAccidentalDeletion:$false | Out-Null
 
   }
 
   }
Zeile 23: Zeile 26:
  
 
Write-Host "2) Gruppen anlegen ..." -ForegroundColor Cyan
 
Write-Host "2) Gruppen anlegen ..." -ForegroundColor Cyan
# Gruppen unter OU=Users (rein fürs Lab)
+
$usersOuPath = "OU=Lab Users,$DomainDN"
 
$groups = @(
 
$groups = @(
   @{ Name="Share-Readers";      Scope="Global"; Path="OU=Users,$DomainDN" },
+
   @{ Name="Share-Readers";      Scope="Global"; Path=$usersOuPath },
   @{ Name="Share-Contributors"; Scope="Global"; Path="OU=Users,$DomainDN" }
+
   @{ Name="Share-Contributors"; Scope="Global"; Path=$usersOuPath }
 
)
 
)
 
foreach ($g in $groups) {
 
foreach ($g in $groups) {
   if (-not (Get-ADGroup -LDAPFilter "(cn=$($g.Name))" -SearchBase $DomainDN -ErrorAction SilentlyContinue)) {
+
   $exists = Get-ADGroup -LDAPFilter "(cn=$($g.Name))" -SearchBase $g.Path -ErrorAction SilentlyContinue
 +
  if (-not $exists) {
 
     New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security -Path $g.Path | Out-Null
 
     New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security -Path $g.Path | Out-Null
 
   }
 
   }
 
}
 
}
  
Write-Host "3) Standard-User (OU=Users) ..." -ForegroundColor Cyan
+
Write-Host "3) Standard-User (OU=Lab Users) ..." -ForegroundColor Cyan
 
$users = @("alice","bob","charlie")
 
$users = @("alice","bob","charlie")
 
foreach ($u in $users) {
 
foreach ($u in $users) {
   if (-not (Get-ADUser -Filter "sAMAccountName -eq '$u'" -ErrorAction SilentlyContinue)) {
+
   $exists = Get-ADUser -Filter "sAMAccountName -eq '$u'" -ErrorAction SilentlyContinue
     New-ADUser -Name $u -SamAccountName $u -Path "OU=Users,$DomainDN" `
+
  if (-not $exists) {
 +
     New-ADUser -Name $u -SamAccountName $u -Path $usersOuPath `
 
       -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
 
       -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
 
   }
 
   }
Zeile 44: Zeile 49:
  
 
Write-Host "4) Admin-User (OU=Admins) + Rechte ..." -ForegroundColor Cyan
 
Write-Host "4) Admin-User (OU=Admins) + Rechte ..." -ForegroundColor Cyan
 +
$adminsOuPath = "OU=Admins,$DomainDN"
 
$admins = @("helpdesk1","itadmin")
 
$admins = @("helpdesk1","itadmin")
 
foreach ($a in $admins) {
 
foreach ($a in $admins) {
   if (-not (Get-ADUser -Filter "sAMAccountName -eq '$a'" -ErrorAction SilentlyContinue)) {
+
   $exists = Get-ADUser -Filter "sAMAccountName -eq '$a'" -ErrorAction SilentlyContinue
     New-ADUser -Name $a -SamAccountName $a -Path "OU=Admins,$DomainDN" `
+
  if (-not $exists) {
 +
     New-ADUser -Name $a -SamAccountName $a -Path $adminsOuPath `
 
       -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
 
       -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
 
   }
 
   }
 
}
 
}
# Exakte DN der Builtin/Users-Gruppen verwenden (robust in allen Sprachen)
 
 
$dnDomainAdmins = "CN=Domain Admins,CN=Users,$DomainDN"
 
$dnDomainAdmins = "CN=Domain Admins,CN=Users,$DomainDN"
 
$dnServerOps    = "CN=Server Operators,CN=Builtin,$DomainDN"
 
$dnServerOps    = "CN=Server Operators,CN=Builtin,$DomainDN"
Zeile 60: Zeile 66:
  
 
Write-Host "5) Service-Account + SPN ..." -ForegroundColor Cyan
 
Write-Host "5) Service-Account + SPN ..." -ForegroundColor Cyan
if (-not (Get-ADUser -Filter "sAMAccountName -eq 'svc_web'" -ErrorAction SilentlyContinue)) {
+
$svc = Get-ADUser -Filter "sAMAccountName -eq 'svc_web'" -ErrorAction SilentlyContinue
 +
if (-not $svc) {
 
   New-ADUser -Name "svc_web" -SamAccountName "svc_web" -Path "OU=Service Accounts,$DomainDN" `
 
   New-ADUser -Name "svc_web" -SamAccountName "svc_web" -Path "OU=Service Accounts,$DomainDN" `
 
     -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
 
     -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
 
}
 
}
# <<< Falls dein Member-Server anders heißt, DIESEN Namen anpassen >>>
+
# Hostname ggf. anpassen
& setspn.exe -S HTTP/member.lab.int svc_web | Out-Null
+
$spn = "HTTP/member.lab.int"
 +
# Duplikate tolerieren
 +
& setspn.exe -S $spn svc_web 2>$null | Out-Null
  
 
Write-Host "6) Share-Gruppen befüllen ..." -ForegroundColor Cyan
 
Write-Host "6) Share-Gruppen befüllen ..." -ForegroundColor Cyan
Try { Add-ADGroupMember -Identity "Share-Readers"     -Members "alice","charlie" } Catch {}
+
foreach ($op in @(@{G="Share-Readers";M=@("alice","charlie")}, @{G="Share-Contributors";M=@("bob")})) {
Try { Add-ADGroupMember -Identity "Share-Contributors" -Members "bob"            } Catch {}
+
  foreach ($m in $op.M) { Try { Add-ADGroupMember -Identity $op.G -Members $m } Catch {} }
 +
}
  
 
Write-Host "7) Kerberos-Audit-GPO erstellen + verlinken ..." -ForegroundColor Cyan
 
Write-Host "7) Kerberos-Audit-GPO erstellen + verlinken ..." -ForegroundColor Cyan
Zeile 75: Zeile 85:
 
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
 
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
 
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
 
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
 +
# Link idempotent: zuerst prüfen
 +
$existingLink = (Get-GPOReport -Guid $gpo.Id -ReportType Xml) -match [regex]::Escape($DomainDN)
 +
if (-not $existingLink) {
 +
  New-GPLink -Name $gpo.DisplayName -Target $DomainDN -Enforced Yes -LinkEnabled Yes | Out-Null
 +
}
  
# Direkt auf die Domäne verlinken (erzwingen)
+
# Advanced Audit Policy
New-GPLink -Name $gpo.DisplayName -Target $DomainDN -Enforced Yes -LinkEnabled Yes | Out-Null
 
 
 
# Advanced Audit Policy (4768/4769/4624/4672)
 
# HKLM\Software\Policies\Microsoft\Windows\Audit  (DWORD: 1=Success, 2=Failure, 3=Both)
 
 
$AuditKey = "HKLM\Software\Policies\Microsoft\Windows\Audit"
 
$AuditKey = "HKLM\Software\Policies\Microsoft\Windows\Audit"
 
$policies = @(
 
$policies = @(
   @{Name="AuditKerberosAuthenticationService";  Value=3}, # 4768
+
   @{Name="AuditKerberosAuthenticationService";  Value=3},
   @{Name="AuditKerberosServiceTicketOperations"; Value=3}, # 4769
+
   @{Name="AuditKerberosServiceTicketOperations"; Value=3},
   @{Name="AuditLogon";                            Value=1}, # 4624 (Success)
+
   @{Name="AuditLogon";                            Value=1},
   @{Name="AuditSpecialLogon";                    Value=1}   # 4672 (Success)
+
   @{Name="AuditSpecialLogon";                    Value=1}
 
)
 
)
 
foreach ($p in $policies) {
 
foreach ($p in $policies) {
Zeile 92: Zeile 103:
 
}
 
}
  
# Security-Log größer + überschreiben (Lab)
+
# Eventlog: Security
# HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
 
 
$EventLogKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security"
 
$EventLogKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security"
Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName "MaxSize"  -Type DWord -Value 131072   # 128 MB (KB)
+
Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName "MaxSize"  -Type DWord -Value 131072
Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName "Retention" -Type DWord -Value 0       # Overwrite as needed
+
Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName "Retention" -Type DWord -Value 0
  
 
Write-Host "8) GPUpdate auf dem DC ..." -ForegroundColor Cyan
 
Write-Host "8) GPUpdate auf dem DC ..." -ForegroundColor Cyan
 
gpupdate /force | Out-Null
 
gpupdate /force | Out-Null
  
Write-Host "`n✅ Fertig. OUs, User, Gruppen, SPN und Kerberos-Audit-GPO sind eingerichtet." -ForegroundColor Green
+
Write-Host "`nFertig. OUs, User, Gruppen, SPN und Kerberos-Audit-GPO sind eingerichtet." -ForegroundColor Green
Write-Host "   Auf Member/Client nach Domain-Join: gpupdate /force (oder 10-20 Min. warten)." -ForegroundColor Yellow
+
Write-Host "Auf Member/Client nach Domain-Join: gpupdate /force (oder 10-20 Min. warten)." -ForegroundColor Yellow
  
  
 
</pre>
 
</pre>

Aktuelle Version vom 12. August 2025, 17:14 Uhr

# ============================================
# AD-Lab Setup + Kerberos-Audit-GPO (Server 2022)
# Domain: lab.int   Passwort: 123Start$
# Idempotent: Ja
# ============================================

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
Import-Module GroupPolicy

# --- Basis ---
$Domain    = Get-ADDomain
$DomainDN  = $Domain.DistinguishedName
$Pwd       = ConvertTo-SecureString '123Start$' -AsPlainText -Force

Write-Host "1) OUs anlegen ..." -ForegroundColor Cyan
# WICHTIG: Keine OU=Users anlegen (CN=Users existiert standardmäßig)
$ous = "Admins","Servers","Workstations","Service Accounts","Lab Users"
foreach ($ou in $ous) {
  $exists = Get-ADObject -LDAPFilter "(name=$ou)" -SearchBase $DomainDN -ErrorAction SilentlyContinue
  if (-not $exists) {
    New-ADOrganizationalUnit -Name $ou -Path $DomainDN -ProtectedFromAccidentalDeletion:$false | Out-Null
  }
}

Write-Host "2) Gruppen anlegen ..." -ForegroundColor Cyan
$usersOuPath = "OU=Lab Users,$DomainDN"
$groups = @(
  @{ Name="Share-Readers";      Scope="Global"; Path=$usersOuPath },
  @{ Name="Share-Contributors"; Scope="Global"; Path=$usersOuPath }
)
foreach ($g in $groups) {
  $exists = Get-ADGroup -LDAPFilter "(cn=$($g.Name))" -SearchBase $g.Path -ErrorAction SilentlyContinue
  if (-not $exists) {
    New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security -Path $g.Path | Out-Null
  }
}

Write-Host "3) Standard-User (OU=Lab Users) ..." -ForegroundColor Cyan
$users = @("alice","bob","charlie")
foreach ($u in $users) {
  $exists = Get-ADUser -Filter "sAMAccountName -eq '$u'" -ErrorAction SilentlyContinue
  if (-not $exists) {
    New-ADUser -Name $u -SamAccountName $u -Path $usersOuPath `
      -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
  }
}

Write-Host "4) Admin-User (OU=Admins) + Rechte ..." -ForegroundColor Cyan
$adminsOuPath = "OU=Admins,$DomainDN"
$admins = @("helpdesk1","itadmin")
foreach ($a in $admins) {
  $exists = Get-ADUser -Filter "sAMAccountName -eq '$a'" -ErrorAction SilentlyContinue
  if (-not $exists) {
    New-ADUser -Name $a -SamAccountName $a -Path $adminsOuPath `
      -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
  }
}
$dnDomainAdmins = "CN=Domain Admins,CN=Users,$DomainDN"
$dnServerOps    = "CN=Server Operators,CN=Builtin,$DomainDN"
$dnAdminsBU     = "CN=Administrators,CN=Builtin,$DomainDN"
Try { Add-ADGroupMember -Identity $dnDomainAdmins -Members "helpdesk1" } Catch {}
Try { Add-ADGroupMember -Identity $dnServerOps    -Members "itadmin"   } Catch {}
Try { Add-ADGroupMember -Identity $dnAdminsBU     -Members "itadmin"   } Catch {}

Write-Host "5) Service-Account + SPN ..." -ForegroundColor Cyan
$svc = Get-ADUser -Filter "sAMAccountName -eq 'svc_web'" -ErrorAction SilentlyContinue
if (-not $svc) {
  New-ADUser -Name "svc_web" -SamAccountName "svc_web" -Path "OU=Service Accounts,$DomainDN" `
    -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
}
# Hostname ggf. anpassen
$spn = "HTTP/member.lab.int"
# Duplikate tolerieren
& setspn.exe -S $spn svc_web 2>$null | Out-Null

Write-Host "6) Share-Gruppen befüllen ..." -ForegroundColor Cyan
foreach ($op in @(@{G="Share-Readers";M=@("alice","charlie")}, @{G="Share-Contributors";M=@("bob")})) {
  foreach ($m in $op.M) { Try { Add-ADGroupMember -Identity $op.G -Members $m } Catch {} }
}

Write-Host "7) Kerberos-Audit-GPO erstellen + verlinken ..." -ForegroundColor Cyan
$gpoName = "LAB Kerberos Auditing"
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
# Link idempotent: zuerst prüfen
$existingLink = (Get-GPOReport -Guid $gpo.Id -ReportType Xml) -match [regex]::Escape($DomainDN)
if (-not $existingLink) {
  New-GPLink -Name $gpo.DisplayName -Target $DomainDN -Enforced Yes -LinkEnabled Yes | Out-Null
}

# Advanced Audit Policy
$AuditKey = "HKLM\Software\Policies\Microsoft\Windows\Audit"
$policies = @(
  @{Name="AuditKerberosAuthenticationService";   Value=3},
  @{Name="AuditKerberosServiceTicketOperations"; Value=3},
  @{Name="AuditLogon";                            Value=1},
  @{Name="AuditSpecialLogon";                     Value=1}
)
foreach ($p in $policies) {
  Set-GPRegistryValue -Name $gpoName -Key $AuditKey -ValueName $p.Name -Type DWord -Value $p.Value
}

# Eventlog: Security
$EventLogKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security"
Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName "MaxSize"   -Type DWord -Value 131072
Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName "Retention" -Type DWord -Value 0

Write-Host "8) GPUpdate auf dem DC ..." -ForegroundColor Cyan
gpupdate /force | Out-Null

Write-Host "`nFertig. OUs, User, Gruppen, SPN und Kerberos-Audit-GPO sind eingerichtet." -ForegroundColor Green
Write-Host "Auf Member/Client nach Domain-Join: gpupdate /force (oder 10-20 Min. warten)." -ForegroundColor Yellow
Abgerufen von „http://wiki.ixheim.de/index.php?title=User_anlegen_dc&oldid=64256