User anlegen dc

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen 
# ============================================
# AD-Lab Setup + Kerberos-Audit-GPO (Server 2022)
# Domäne: lab.int   Passwort: 123Start$
# ============================================

$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
Import-Module GroupPolicy

# --- Basis ---
$Domain    = Get-ADDomain
$DomainDN  = $Domain.DistinguishedName
$Pwd       = ConvertTo-SecureString '123Start$' -AsPlainText -Force

Write-Host "1) OUs anlegen ..." -ForegroundColor Cyan
$ous = "Admins","Users","Servers","Workstations","Service Accounts"
foreach ($ou in $ous) {
  if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $DomainDN -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $ou -Path $DomainDN -ProtectedFromAccidentalDeletion:$false | Out-Null
  }
}

Write-Host "2) Gruppen anlegen ..." -ForegroundColor Cyan
# Gruppen unter OU=Users (rein fürs Lab)
$groups = @(
  @{ Name="Share-Readers";      Scope="Global"; Path="OU=Users,$DomainDN" },
  @{ Name="Share-Contributors"; Scope="Global"; Path="OU=Users,$DomainDN" }
)
foreach ($g in $groups) {
  if (-not (Get-ADGroup -LDAPFilter "(cn=$($g.Name))" -SearchBase $DomainDN -ErrorAction SilentlyContinue)) {
    New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security -Path $g.Path | Out-Null
  }
}

Write-Host "3) Standard-User (OU=Users) ..." -ForegroundColor Cyan
$users = @("alice","bob","charlie")
foreach ($u in $users) {
  if (-not (Get-ADUser -Filter "sAMAccountName -eq '$u'" -ErrorAction SilentlyContinue)) {
    New-ADUser -Name $u -SamAccountName $u -Path "OU=Users,$DomainDN" `
      -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
  }
}

Write-Host "4) Admin-User (OU=Admins) + Rechte ..." -ForegroundColor Cyan
$admins = @("helpdesk1","itadmin")
foreach ($a in $admins) {
  if (-not (Get-ADUser -Filter "sAMAccountName -eq '$a'" -ErrorAction SilentlyContinue)) {
    New-ADUser -Name $a -SamAccountName $a -Path "OU=Admins,$DomainDN" `
      -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
  }
}
# Exakte DN der Builtin/Users-Gruppen verwenden (robust in allen Sprachen)
$dnDomainAdmins = "CN=Domain Admins,CN=Users,$DomainDN"
$dnServerOps    = "CN=Server Operators,CN=Builtin,$DomainDN"
$dnAdminsBU     = "CN=Administrators,CN=Builtin,$DomainDN"
Try { Add-ADGroupMember -Identity $dnDomainAdmins -Members "helpdesk1" } Catch {}
Try { Add-ADGroupMember -Identity $dnServerOps    -Members "itadmin"   } Catch {}
Try { Add-ADGroupMember -Identity $dnAdminsBU     -Members "itadmin"   } Catch {}

Write-Host "5) Service-Account + SPN ..." -ForegroundColor Cyan
if (-not (Get-ADUser -Filter "sAMAccountName -eq 'svc_web'" -ErrorAction SilentlyContinue)) {
  New-ADUser -Name "svc_web" -SamAccountName "svc_web" -Path "OU=Service Accounts,$DomainDN" `
    -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
}
# <<< Falls dein Member-Server anders heißt, DIESEN Namen anpassen >>>
& setspn.exe -S HTTP/member.lab.int svc_web | Out-Null

Write-Host "6) Share-Gruppen befüllen ..." -ForegroundColor Cyan
Try { Add-ADGroupMember -Identity "Share-Readers"      -Members "alice","charlie" } Catch {}
Try { Add-ADGroupMember -Identity "Share-Contributors" -Members "bob"             } Catch {}

Write-Host "7) Kerberos-Audit-GPO erstellen + verlinken ..." -ForegroundColor Cyan
$gpoName = "LAB Kerberos Auditing"
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Direkt auf die Domäne verlinken (erzwingen)
New-GPLink -Name $gpo.DisplayName -Target $DomainDN -Enforced Yes -LinkEnabled Yes | Out-Null

# Advanced Audit Policy (4768/4769/4624/4672)
# HKLM\Software\Policies\Microsoft\Windows\Audit  (DWORD: 1=Success, 2=Failure, 3=Both)
$AuditKey = "HKLM\Software\Policies\Microsoft\Windows\Audit"
$policies = @(
  @{Name="AuditKerberosAuthenticationService";   Value=3},  # 4768
  @{Name="AuditKerberosServiceTicketOperations"; Value=3},  # 4769
  @{Name="AuditLogon";                            Value=1},  # 4624 (Success)
  @{Name="AuditSpecialLogon";                     Value=1}   # 4672 (Success)
)
foreach ($p in $policies) {
  Set-GPRegistryValue -Name $gpoName -Key $AuditKey -ValueName $p.Name -Type DWord -Value $p.Value
}

# Security-Log größer + überschreiben (Lab)
# HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
$EventLogKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security"
Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName "MaxSize"   -Type DWord -Value 131072   # 128 MB (KB)
Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName "Retention" -Type DWord -Value 0        # Overwrite as needed

Write-Host "8) GPUpdate auf dem DC ..." -ForegroundColor Cyan
gpupdate /force | Out-Null

Write-Host "`n✅ Fertig. OUs, User, Gruppen, SPN und Kerberos-Audit-GPO sind eingerichtet." -ForegroundColor Green
Write-Host "   Auf Member/Client nach Domain-Join: gpupdate /force (oder 10–20 Min. warten)." -ForegroundColor Yellow
Abgerufen von „http://wiki.ixheim.de/index.php?title=User_anlegen_dc&oldid=64252