User anlegen dc
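# ============================================
# AD lab setup + Kerberos audit GPO (Server 2022)
# Domain: lab.int   Password: 123Start$ (default; override with LAB_PASSWORD)
# Idempotent: yes
# ============================================
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
Import-Module GroupPolicy
# --- Basics ---
$Domain = Get-ADDomain
$DomainDN = $Domain.DistinguishedName
# Lab password for every account created below. The literal default keeps the
# documented lab behaviour; set LAB_PASSWORD in the environment before running
# the script so the password does not have to live in every copy of it.
$PlainPassword = if ([string]::IsNullOrEmpty($env:LAB_PASSWORD)) { '123Start$' } else { $env:LAB_PASSWORD }
# NOTE(review): the name $Pwd is kept because every later step uses it, but
# PowerShell variable names are case-insensitive, so this appears to shadow the
# automatic $PWD (current location) for the rest of the session - confirm no
# later step relies on $PWD.
$Pwd = ConvertTo-SecureString $PlainPassword -AsPlainText -Force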
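Write-Host "1) OUs anlegen ..." -ForegroundColor Cyan
# IMPORTANT: do not create OU=Users (CN=Users exists by default)
$ous = "Admins","Servers","Workstations","Service Accounts","Lab Users"
foreach ($ou in $ous) {
  # Look only for an OU directly below the domain root. The earlier
  # "(name=$ou)" lookup used Get-ADObject with the default subtree scope, so
  # any object of that name anywhere in the domain (e.g. a group called
  # "Admins") would have silently prevented the OU from being created.
  $exists = Get-ADOrganizationalUnit -LDAPFilter "(name=$ou)" -SearchBase $DomainDN -SearchScope OneLevel
  if (-not $exists) {
    New-ADOrganizationalUnit -Name $ou -Path $DomainDN -ProtectedFromAccidentalDeletion:$false | Out-Null
  }
}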
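Write-Host "2) Gruppen anlegen ..." -ForegroundColor Cyan
$usersOuPath = "OU=Lab Users,$DomainDN"
$groups = @(
  @{ Name="Share-Readers"; Scope="Global"; Path=$usersOuPath },
  @{ Name="Share-Contributors"; Scope="Global"; Path=$usersOuPath }
)
foreach ($g in $groups) {
  # sAMAccountName is unique per domain, so look the group up without a
  # SearchBase: a group of that name sitting in another OU was previously
  # missed, and New-ADGroup then failed with a name conflict under 'Stop'.
  $exists = Get-ADGroup -Filter "sAMAccountName -eq '$($g.Name)'"
  if (-not $exists) {
    New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security -Path $g.Path | Out-Null
  }
}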
Write-Host "3) Standard-User (OU=Lab Users) ..." -ForegroundColor Cyan
# Plain lab users; each one gets the shared lab password, which never expires.
$users = @("alice","bob","charlie")
foreach ($u in $users) {
  # Get-ADUser -Filter returns nothing (no error) when the account is absent.
  $existingUser = Get-ADUser -Filter "sAMAccountName -eq '$u'" -ErrorAction SilentlyContinue
  if ($existingUser) { continue }
  $newUser = @{
    Name                 = $u
    SamAccountName       = $u
    Path                 = $usersOuPath
    AccountPassword      = $Pwd
    Enabled              = $true
    PasswordNeverExpires = $true
  }
  New-ADUser @newUser | Out-Null
}
Write-Host "4) Admin-User (OU=Admins) + Rechte ..." -ForegroundColor Cyan
$adminsOuPath = "OU=Admins,$DomainDN"
# Accounts that receive privileged group memberships in the next step.
$admins = @("helpdesk1","itadmin")
foreach ($a in $admins) {
  $existingAdmin = Get-ADUser -Filter "sAMAccountName -eq '$a'" -ErrorAction SilentlyContinue
  if ($existingAdmin) { continue }
  $newAdmin = @{
    Name                 = $a
    SamAccountName       = $a
    Path                 = $adminsOuPath
    AccountPassword      = $Pwd
    Enabled              = $true
    PasswordNeverExpires = $true
  }
  New-ADUser @newAdmin | Out-Null
}
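$dnDomainAdmins = "CN=Domain Admins,CN=Users,$DomainDN"
$dnServerOps = "CN=Server Operators,CN=Builtin,$DomainDN"
$dnAdminsBU = "CN=Administrators,CN=Builtin,$DomainDN"
# Intentional lab privilege assignments (helpdesk1 -> Domain Admins,
# itadmin -> Server Operators + Builtin\Administrators).
# The bare 'Catch {}' used before hid every failure, including a typo in one
# of the DNs above or a missing account. Idempotency is achieved by comparing
# the group's member attribute instead, so real errors propagate under 'Stop'.
$privilegedMemberships = @(
  @{ Group = $dnDomainAdmins; Member = "helpdesk1" },
  @{ Group = $dnServerOps;    Member = "itadmin" },
  @{ Group = $dnAdminsBU;     Member = "itadmin" }
)
foreach ($pm in $privilegedMemberships) {
  $memberDN = (Get-ADUser -Identity $pm.Member).DistinguishedName
  $currentMembers = (Get-ADGroup -Identity $pm.Group -Properties member).member
  # -notcontains is true for an empty (null) member list as well.
  if ($currentMembers -notcontains $memberDN) {
    Add-ADGroupMember -Identity $pm.Group -Members $pm.Member
  }
}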
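Write-Host "5) Service-Account + SPN ..." -ForegroundColor Cyan
$svc = Get-ADUser -Filter "sAMAccountName -eq 'svc_web'" -ErrorAction SilentlyContinue
if (-not $svc) {
  New-ADUser -Name "svc_web" -SamAccountName "svc_web" -Path "OU=Service Accounts,$DomainDN" `
    -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true | Out-Null
}
# Adjust the host name if the member server is called differently
$spn = "HTTP/member.lab.int"
# Register the SPN through the AD module instead of 'setspn.exe -S':
#  - setspn's output and stderr were discarded, so a failure (e.g. the SPN
#    already bound to another account, which -S refuses) went unnoticed;
#  - redirecting a native command's stderr with '2>$null' while
#    $ErrorActionPreference is 'Stop' can itself become a terminating error
#    in some PowerShell versions - confirm on the lab DC if setspn is reused.
# A duplicate SPN breaks Kerberos for this service, so check the domain first
# (setspn -S searched the forest; query a GC with -Server if the lab ever
# spans more than one domain).
$svcDN = (Get-ADUser -Identity "svc_web").DistinguishedName
$otherOwners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -SearchBase $DomainDN |
  Where-Object { $_.DistinguishedName -ne $svcDN }
if ($otherOwners) {
  throw "SPN $spn is already registered on: $($otherOwners.DistinguishedName -join ', ')"
}
$svcSpns = (Get-ADUser -Identity "svc_web" -Properties servicePrincipalName).servicePrincipalName
if ($svcSpns -notcontains $spn) {
  Set-ADUser -Identity "svc_web" -ServicePrincipalNames @{ Add = $spn }
}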
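Write-Host "6) Share-Gruppen befüllen ..." -ForegroundColor Cyan
# Group -> members for the file-share test groups. Check the member attribute
# instead of swallowing every error from Add-ADGroupMember with an empty
# Catch, so a missing user or group surfaces under 'Stop'.
$shareMemberships = @(
  @{ G = "Share-Readers";      M = @("alice","charlie") },
  @{ G = "Share-Contributors"; M = @("bob") }
)
foreach ($op in $shareMemberships) {
  $currentMembers = (Get-ADGroup -Identity $op.G -Properties member).member
  foreach ($m in $op.M) {
    $memberDN = (Get-ADUser -Identity $m).DistinguishedName
    # -notcontains is true for an empty (null) member list as well.
    if ($currentMembers -notcontains $memberDN) {
      Add-ADGroupMember -Identity $op.G -Members $m
    }
  }
}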
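Write-Host "7) Kerberos-Audit-GPO erstellen + verlinken ..." -ForegroundColor Cyan
$gpoName = "LAB Kerberos Auditing"
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
# Idempotent link: read the domain's link list and compare GPO GUIDs.
# Matching the domain DN against the XML report was unreliable: the report's
# link section appears to carry the SOM path (lab.int) rather than the DN, so
# the string match could miss the existing link and New-GPLink would then
# fail on the second run under 'Stop'.
$domainLinks = (Get-GPInheritance -Target $DomainDN).GpoLinks
$alreadyLinked = $domainLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $alreadyLinked) {
  # Enforced so that block-inheritance on a lab OU cannot hide the audit GPO.
  New-GPLink -Name $gpo.DisplayName -Target $DomainDN -Enforced Yes -LinkEnabled Yes | Out-Null
}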
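# Advanced Audit Policy
# The previous version wrote DWORDs below HKLM\Software\Policies\Microsoft\Windows\Audit
# with Set-GPRegistryValue. That is not a documented location for Advanced
# Audit Policy Configuration - the GPO-side store is audit.csv under
# Machine\Microsoft\Windows NT\Audit in SYSVOL, which Set-GPRegistryValue
# cannot write - so those values most likely had no effect (verify with
# 'auditpol /get /category:*' on the DC). Kerberos events (4768/4769/4771)
# are generated on the DC, so set the DC's effective audit policy with
# auditpol directly. Subcategories are addressed by GUID because their
# display names are localized.
$policies = @(
  @{ Name="AuditKerberosAuthenticationService";   Guid="{0CCE9242-69AE-11D9-BED3-505054503030}"; Value=3 },
  @{ Name="AuditKerberosServiceTicketOperations"; Guid="{0CCE9240-69AE-11D9-BED3-505054503030}"; Value=3 },
  @{ Name="AuditLogon";                           Guid="{0CCE9215-69AE-11D9-BED3-505054503030}"; Value=1 },
  @{ Name="AuditSpecialLogon";                    Guid="{0CCE921B-69AE-11D9-BED3-505054503030}"; Value=1 }
)
foreach ($p in $policies) {
  # Value encoding kept from the original table: bit 0 = success, bit 1 = failure.
  $success = if ($p.Value -band 1) { 'enable' } else { 'disable' }
  $failure = if ($p.Value -band 2) { 'enable' } else { 'disable' }
  & auditpol.exe /set /subcategory:"$($p.Guid)" /success:$success /failure:$failure | Out-Null
  # auditpol reports failures via its exit code; do not let them pass silently.
  if ($LASTEXITCODE -ne 0) { throw "auditpol failed for $($p.Name) (exit code $LASTEXITCODE)" }
}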
# Event log: Security. MaxSize is in KB (131072 KB = 128 MB); Retention 0 is
# intended as "overwrite events as needed" - confirm against the ADMX template.
$EventLogKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security"
$eventLogValues = [ordered]@{ MaxSize = 131072; Retention = 0 }
foreach ($valueName in $eventLogValues.Keys) {
  Set-GPRegistryValue -Name $gpoName -Key $EventLogKey -ValueName $valueName -Type DWord -Value $eventLogValues[$valueName]
}
Write-Host "8) GPUpdate auf dem DC ..." -ForegroundColor Cyan
# Refresh policy on the DC itself so the new GPO is applied here right away.
$null = gpupdate /force
Write-Host "`nFertig. OUs, User, Gruppen, SPN und Kerberos-Audit-GPO sind eingerichtet." -ForegroundColor Green
Write-Host "Auf Member/Client nach Domain-Join: gpupdate /force (oder 10-20 Min. warten)." -ForegroundColor Yellow