blackicedbear/bytetrail
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
blackicedbear
2026-05-25 14:43:12 +02:00
commit aa9bd91583
4 changed files with 775 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitattributes
+1
View File
@@ -0,0 +1 @@
*.mp4 filter=lfs diff=lfs merge=lfs -text
Configure-ByteTrail-FileServer.ps1
+374
View File
@@ -0,0 +1,374 @@
# ============================================================
# ByteTrail GmbH GPO, File Server & DFS Namespace Setup Script
# Domäne: bytetrail.local
# Ausführen auf: Domain Controller / Fileserver als Domain Admin
# ============================================================
Import-Module GroupPolicy -ErrorAction Stop
#region KONFIGURATION
$Domain = "bytetrail.local"
$DomainDN = "DC=bytetrail,DC=local"
$NetBIOSDom = "BYTETRAIL"
$MailDomain = "bytetrail.at"
$FreigabePfad = "D:\Freigabe"
$DfsRootPfad = "D:\DfsRoot" # NEU für Variante 1: Separater, leerer Pfad für den DFS-Root
#endregion
Write-Host "`n=== ByteTrail GPO, Fileserver & DFS Setup gestartet ===" -ForegroundColor Cyan
# Dynamische Namensauflösung via SID
try {
Import-Module ActiveDirectory -ErrorAction Stop
$DomainSID = (Get-ADDomain).DomainSID.Value
$DomainAdminsSID = "$DomainSID-512"
$DomainUsersSID = "$DomainSID-513"
$DomainAdminsName = (Get-ADGroup -Identity $DomainAdminsSID).Name
$DomainUsersName = (Get-ADGroup -Identity $DomainUsersSID).Name
}
catch {
Write-Host " [!] Fehler beim Auflösen der Standardgruppen: $($_.Exception.Message)" -ForegroundColor Red
return
}
# ============================================================
# TEIL 1: GRUPPENRICHTLINIEN (GPOs) SKELETT
# ============================================================
Write-Host "`n[1/4] Konfiguriere Gruppenrichtlinien (GPOs)..." -ForegroundColor Yellow
$GpoSecurityName = "ByteTrail_Base_Security"
$GpoDrivesName = "ByteTrail_Mapped_Drives"
# 1.1 Basis-Sicherheit (Domänenweit)
if (!(Get-GPO -Name $GpoSecurityName -ErrorAction SilentlyContinue)) {
try {
$gpoSec = New-GPO -Name $GpoSecurityName -Comment "Basis-Sicherheitsrichtlinien (Bildschirmsperre etc.)"
New-GPLink -Name $GpoSecurityName -Target $DomainDN -LinkEnabled Yes | Out-Null
Set-GPRegistryValue -Name $GpoSecurityName -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaveActive" -Type String -Value "1" | Out-Null
Set-GPRegistryValue -Name $GpoSecurityName -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaverIsSecure" -Type String -Value "1" | Out-Null
Set-GPRegistryValue -Name $GpoSecurityName -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaveTimeOut" -Type String -Value "900" | Out-Null
Write-Host " [+] GPO '$GpoSecurityName' erstellt, konfiguriert und mit Domäne verknüpft." -ForegroundColor Green
} catch {
Write-Host " [!] Fehler bei GPO '$GpoSecurityName': $($_.Exception.Message)" -ForegroundColor Red
}
} else {
Write-Host " [~] GPO '$GpoSecurityName' existiert bereits." -ForegroundColor Gray
}
# 1.2 Netzlaufwerke GPO-Hülle
if (!(Get-GPO -Name $GpoDrivesName -ErrorAction SilentlyContinue)) {
try {
New-GPO -Name $GpoDrivesName -Comment "Automatische Netzlaufwerk-Zuweisungen fuer Fachabteilungen" | Out-Null
New-GPLink -Name $GpoDrivesName -Target "OU=Geschaeftsfuehrung,$DomainDN" -LinkEnabled Yes | Out-Null
New-GPLink -Name $GpoDrivesName -Target "OU=Sales,$DomainDN" -LinkEnabled Yes | Out-Null
New-GPLink -Name $GpoDrivesName -Target "OU=Marketing,$DomainDN" -LinkEnabled Yes | Out-Null
New-GPLink -Name $GpoDrivesName -Target "OU=Service,$DomainDN" -LinkEnabled Yes | Out-Null
Write-Host " [+] GPO '$GpoDrivesName' erstellt und mit OUs verknüpft." -ForegroundColor Green
} catch {
Write-Host " [!] Fehler bei GPO '$GpoDrivesName': $($_.Exception.Message)" -ForegroundColor Red
}
} else {
Write-Host " [~] GPO '$GpoDrivesName' existiert bereits." -ForegroundColor Gray
}
# ============================================================
# TEIL 2: FILESERVER ORDNER & BERECHTIGUNGEN (NTFS)
# ============================================================
Write-Host "`n[2/4] Konfiguriere Ordnerstruktur & NTFS-Berechtigungen auf $FreigabePfad..." -ForegroundColor Yellow
# Haupt-Datenverzeichnis
if (!(Test-Path $FreigabePfad)) { New-Item -Path $FreigabePfad -ItemType Directory -Force | Out-Null }
try {
Get-SmbShare -Name "Freigabe" -ErrorAction Stop | Out-Null
Write-Host " [~] SMB-Freigabe 'Freigabe' existiert bereits." -ForegroundColor Gray
} catch {
New-SmbShare -Name "Freigabe" -Path $FreigabePfad -FullAccess "$NetBIOSDom\$DomainAdminsName" -ChangeAccess "$NetBIOSDom\$DomainUsersName" | Out-Null
Write-Host " [+] SMB-Freigabe 'Freigabe' erstellt." -ForegroundColor Green
}
# NEU für Variante 1: Separates Verzeichnis für den DFS-Root (Muss physisch komplett leer bleiben!)
if (!(Test-Path $DfsRootPfad)) { New-Item -Path $DfsRootPfad -ItemType Directory -Force | Out-Null }
try {
Get-SmbShare -Name "DfsRoot$" -ErrorAction Stop | Out-Null
Write-Host " [~] SMB-Freigabe 'DfsRoot$' existiert bereits." -ForegroundColor Gray
} catch {
# Versteckte Freigabe für das DFS-Root-Skelett
New-SmbShare -Name "DfsRoot$" -Path $DfsRootPfad -FullAccess "$NetBIOSDom\$DomainAdminsName" -ReadAccess "$NetBIOSDom\$DomainUsersName" | Out-Null
Write-Host " [+] SMB-Freigabe 'DfsRoot$' für DFS erstellt." -ForegroundColor Green
}
$AclBase = Get-Acl $FreigabePfad
$AclBase.SetAccessRuleProtection($true, $true)
Set-Acl -Path $FreigabePfad -AclObject $AclBase
$Folders = @(
@{ Name = "Geschaeftsfuehrung"; Group = "GRP-GF-VOLLZUGRIFF" }
@{ Name = "Sales"; Group = "GRP-SALES-FILES" }
@{ Name = "Marketing"; Group = "GRP-MKT-FILES" }
@{ Name = "Service"; Group = "GRP-SVC-FILES" }
)
$RightsModify = [System.Security.AccessControl.FileSystemRights]::Modify
$RightsRead = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$RightsFull = [System.Security.AccessControl.FileSystemRights]::FullControl
$Inheritance = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit, [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$Propagation = [System.Security.AccessControl.PropagationFlags]::None
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$RuleAdmin = New-Object System.Security.AccessControl.FileSystemAccessRule("$NetBIOSDom\GRP-ADMINS", $RightsFull, $Inheritance, $Propagation, $Allow)
$RuleSystem = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM", $RightsFull, $Inheritance, $Propagation, $Allow) # Wichtig für Backup/Windows-Dienste
$RuleGFRead = New-Object System.Security.AccessControl.FileSystemAccessRule("$NetBIOSDom\GRP-GF-VOLLZUGRIFF", $RightsRead, $Inheritance, $Propagation, $Allow)
foreach ($Folder in $Folders) {
$FolderPath = "$FreigabePfad\$($Folder.Name)"
if (!(Test-Path $FolderPath)) { New-Item -Path $FolderPath -ItemType Directory -Force | Out-Null }
$Acl = Get-Acl -Path $FolderPath
$Acl.SetAccessRuleProtection($true, $false)
$Acl.AddAccessRule($RuleAdmin)
$Acl.AddAccessRule($RuleSystem)
$RuleDept = New-Object System.Security.AccessControl.FileSystemAccessRule("$NetBIOSDom\$($Folder.Group)", $RightsModify, $Inheritance, $Propagation, $Allow)
$Acl.AddAccessRule($RuleDept)
if ($Folder.Name -ne "Geschaeftsfuehrung") {
$Acl.AddAccessRule($RuleGFRead)
}
Set-Acl -Path $FolderPath -AclObject $Acl
Write-Host " [+] Rechte für Ordner '$($Folder.Name)' erfolgreich gesetzt." -ForegroundColor Green
}
$AustauschPath = "$FreigabePfad\Austausch"
if (!(Test-Path $AustauschPath)) { New-Item -Path $AustauschPath -ItemType Directory -Force | Out-Null }
$AclAustausch = Get-Acl -Path $AustauschPath
$AclAustausch.SetAccessRuleProtection($true, $false)
$RuleAll = New-Object System.Security.AccessControl.FileSystemAccessRule("$NetBIOSDom\$DomainUsersName", $RightsModify, $Inheritance, $Propagation, $Allow)
$AclAustausch.AddAccessRule($RuleAll)
$AclAustausch.AddAccessRule($RuleAdmin)
$AclAustausch.AddAccessRule($RuleSystem)
Set-Acl -Path $AustauschPath -AclObject $AclAustausch
Write-Host " [+] Rechte für Ordner 'Austausch' erfolgreich gesetzt." -ForegroundColor Green
# ============================================================
# TEIL 3: DFS-NAMESPACES (Kollisionsfrei nach Variante 1)
# ============================================================
Write-Host "`n[3/4] Konfiguriere DFS-Namespace..." -ForegroundColor Yellow
if (!(Get-WindowsFeature -Name FS-DFS-Namespace).Installed) {
Write-Host " [..] Installiere DFS-Namespace Server-Rolle..." -ForegroundColor Gray
Install-WindowsFeature FS-DFS-Namespace -IncludeManagementTools | Out-Null
}
Import-Module DFSN
$NamespaceRoot = "\\$Domain\Daten"
$LocalServerFQDN = "$env:COMPUTERNAME.$Domain"
# DFS-Root erstellen (Verweist nun exklusiv auf die leere Freigabe)
try {
Get-DfsnRoot -Path $NamespaceRoot -ErrorAction Stop | Out-Null
Write-Host " [~] DFS-Root '$NamespaceRoot' existiert bereits." -ForegroundColor Gray
} catch {
New-DfsnRoot -Path $NamespaceRoot -Type DomainV2 -TargetPath "\\$LocalServerFQDN\DfsRoot$" -ErrorAction Stop | Out-Null
Write-Host " [+] DFS-Root '$NamespaceRoot' erfolgreich erstellt." -ForegroundColor Green
}
# DFS-Ordner (Links) im leeren Namespace-Verzeichnis einrichten
foreach ($Folder in $Folders) {
$DfsFolderPath = "$NamespaceRoot\$($Folder.Name)"
try {
Get-DfsnFolder -Path $DfsFolderPath -ErrorAction Stop | Out-Null
} catch {
New-DfsnFolder -Path $DfsFolderPath -TargetPath "\\$LocalServerFQDN\Freigabe\$($Folder.Name)" -ErrorAction Stop | Out-Null
Write-Host " [+] DFS Link erstellt: $($Folder.Name) -> $NamespaceRoot\$($Folder.Name)" -ForegroundColor Green
}
}
# DFS Link für den öffentlichen Austausch-Ordner
$DfsAustauschPath = "$NamespaceRoot\Austausch"
try { Get-DfsnFolder -Path $DfsAustauschPath -ErrorAction Stop | Out-Null } catch {
New-DfsnFolder -Path $DfsAustauschPath -TargetPath "\\$LocalServerFQDN\Freigabe\Austausch" -ErrorAction Stop | Out-Null
Write-Host " [+] DFS Link erstellt: Austausch -> $DfsAustauschPath" -ForegroundColor Green
}
# ============================================================
# TEIL 4: GPP DRIVE MAPS (EMPFOHLENE VARIANTE)
# ============================================================
Write-Host "`n[4/4] Konfiguriere GPP Drive Maps..." -ForegroundColor Yellow
$Gpo = Get-GPO -Name $GpoDrivesName
$GpoGuid = $Gpo.Id.Guid
# SYSVOL Pfade
$GpoRoot = "\\$Domain\SYSVOL\$Domain\Policies\{$GpoGuid}"
$PreferencesPath = "$GpoRoot\User\Preferences"
$DriveMapPath = "$PreferencesPath\Drives"
# Ordner erzeugen
New-Item -Path $DriveMapPath -ItemType Directory -Force | Out-Null
# ============================================================
# DRIVE MAP XML
# ============================================================
$XmlContent = @"
<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
<!-- Geschäftsführung -->
<Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="G:" status="G">
<Properties action="U"
thisDrive="SHOW"
allDrives="NOCHANGE"
userName=""
path="\\$Domain\Daten\Geschaeftsfuehrung"
label="Geschaeftsfuehrung"
persistent="1"
useLetter="1"
letter="G" />
<Filters>
<FilterGroup bool="AND"
not="0"
name="$NetBIOSDom\GRP-GF-VOLLZUGRIFF"
sid=""
userContext="1"
primaryGroup="0"
localGroup="0" />
</Filters>
</Drive>
<!-- Sales -->
<Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="S:" status="S">
<Properties action="U"
thisDrive="SHOW"
allDrives="NOCHANGE"
userName=""
path="\\$Domain\Daten\Sales"
label="Sales"
persistent="1"
useLetter="1"
letter="S" />
<Filters>
<FilterGroup bool="AND"
not="0"
name="$NetBIOSDom\GRP-SALES-FILES"
sid=""
userContext="1"
primaryGroup="0"
localGroup="0" />
</Filters>
</Drive>
<!-- Marketing -->
<Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="M:" status="M">
<Properties action="U"
thisDrive="SHOW"
allDrives="NOCHANGE"
userName=""
path="\\$Domain\Daten\Marketing"
label="Marketing"
persistent="1"
useLetter="1"
letter="M" />
<Filters>
<FilterGroup bool="AND"
not="0"
name="$NetBIOSDom\GRP-MKT-FILES"
sid=""
userContext="1"
primaryGroup="0"
localGroup="0" />
</Filters>
</Drive>
<!-- Service -->
<Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="T:" status="T">
<Properties action="U"
thisDrive="SHOW"
allDrives="NOCHANGE"
userName=""
path="\\$Domain\Daten\Service"
label="Service"
persistent="1"
useLetter="1"
letter="T" />
<Filters>
<FilterGroup bool="AND"
not="0"
name="$NetBIOSDom\GRP-SVC-FILES"
sid=""
userContext="1"
primaryGroup="0"
localGroup="0" />
</Filters>
</Drive>
<!-- Austausch -->
<Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="X:" status="X">
<Properties action="U"
thisDrive="SHOW"
allDrives="NOCHANGE"
userName=""
path="\\$Domain\Daten\Austausch"
label="Austausch"
persistent="1"
useLetter="1"
letter="X" />
</Drive>
</Drives>
"@
# XML speichern
$XmlContent | Out-File "$DriveMapPath\Drives.xml" -Encoding UTF8 -Force
# ============================================================
# GPT.INI Version erhöhen
# ============================================================
$GptIni = "$GpoRoot\GPT.INI"
if (Test-Path $GptIni) {
$Content = Get-Content $GptIni
$VersionLine = $Content | Where-Object { $_ -match "^Version=" }
if ($VersionLine) {
$CurrentVersion = [int]($VersionLine -replace "Version=", "")
$NewVersion = $CurrentVersion + 1
$Content = $Content -replace "Version=$CurrentVersion", "Version=$NewVersion"
$Content | Set-Content $GptIni -Encoding ASCII
}
}
# ============================================================
# Netzwerk-Wartezeit aktivieren
# ============================================================
Set-GPRegistryValue `
-Name $GpoSecurityName `
-Key "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" `
-ValueName "SyncForegroundPolicy" `
-Type DWord `
-Value 1 | Out-Null
Write-Host " [+] GPP Drive Maps erfolgreich konfiguriert." -ForegroundColor Green
Write-Host "`n=== Setup erfolgreich abgeschlossen ===" -ForegroundColor Cyan
Deploy-ByteTrail-AD-Environment.ps1
+397
View File
@@ -0,0 +1,397 @@
# ============================================================
# ByteTrail GmbH Active Directory & GPO Setup Script
# Domäne: bytetrail.local
# Erstellt: Team 3 VZ | FH Burgenland | SS 2026
# Ausführen auf: SRV-DC01 als Domain Admin
# ============================================================
Import-Module GroupPolicy -ErrorAction Stop
#region KONFIGURATION
$Domain = "bytetrail.local"
$DomainDN = "DC=bytetrail,DC=local"
$NetBIOSDom = "BYTETRAIL" # NetBIOS Name für Rechtevergabe/Fileserver
$MailDomain = "bytetrail.at"
$DefaultPW = ConvertTo-SecureString "ByteTrail2026!" -AsPlainText -Force
#endregion
Write-Host "`n=== ByteTrail AD & GPO Setup gestartet ===" -ForegroundColor Cyan
# ============================================================
# DIAGNOSE - Pruefen ob AD bereit ist
# ============================================================
Write-Host "`n[0/5] AD-Diagnose..." -ForegroundColor Yellow
# ADWS-Dienst pruefen
$adws = Get-Service ADWS -ErrorAction SilentlyContinue
if ($adws) {
if ($adws.Status -ne 'Running') {
Write-Host " [!] ADWS-Dienst ist NICHT gestartet (Status: $($adws.Status)). Starte..." -ForegroundColor Red
try { Start-Service ADWS -ErrorAction Stop; Start-Sleep -Seconds 5 }
catch { Write-Host " [!] ADWS konnte nicht gestartet werden: $_" -ForegroundColor Red; exit 1 }
}
Write-Host " [OK] ADWS-Dienst laeuft" -ForegroundColor Green
} else {
Write-Host " [!] ADWS-Dienst nicht gefunden - ist AD DS installiert?" -ForegroundColor Red
exit 1
}
# AD erreichbar?
try {
$ADDomain = Get-ADDomain -ErrorAction Stop
Write-Host " [OK] AD-Domaene: $($ADDomain.DNSRoot)" -ForegroundColor Green
Write-Host " [OK] Naming Context: $($ADDomain.DistinguishedName)" -ForegroundColor Green
Write-Host " [OK] PDC Emulator: $($ADDomain.PDCEmulator)" -ForegroundColor Green
Write-Host " [OK] Infrastruktur Master: $($ADDomain.InfrastructureMaster)" -ForegroundColor Green
# RODC-Check
$dc = Get-ADDomainController -ErrorAction Stop
if ($dc.IsReadOnly) {
Write-Host " [!] ACHTUNG: Dieser DC ist ein READ-ONLY DC (RODC) - Schreiboperationen werden fehlschlagen!" -ForegroundColor Red
exit 1
}
Write-Host " [OK] DC: $($dc.HostName) (Beschreibbar)" -ForegroundColor Green
} catch {
Write-Host " [!] AD nicht erreichbar: $($_.Exception.Message)" -ForegroundColor Red
Write-Host " [!] InnerException: $($_.Exception.InnerException)" -ForegroundColor Red
Write-Host "`nMoegliche Loesungen:" -ForegroundColor Yellow
Write-Host " 1. Server neustarten (nach DC-Promotion noetig)" -ForegroundColor Yellow
Write-Host " 2. Restart-Service ADWS" -ForegroundColor Yellow
Write-Host " 3. dcdiag /v ausfuehren fuer Details" -ForegroundColor Yellow
exit 1
}
# Quick-Write-Test: Versuche ein Dummy-Objekt zu erstellen und loeschen
Write-Host " [..] Schreibtest..." -ForegroundColor Gray
try {
$testOUName = "_ByteTrailSetupTest"
$testOU = "OU=$testOUName,$DomainDN"
# Falls vom letzten Lauf noch vorhanden, erst loeschen
try {
Set-ADOrganizationalUnit -Identity $testOU -ProtectedFromAccidentalDeletion $false -ErrorAction Stop
Remove-ADOrganizationalUnit -Identity $testOU -Confirm:$false -Recursive -ErrorAction Stop
} catch { }
New-ADOrganizationalUnit -Name $testOUName -Path $DomainDN -ErrorAction Stop
Set-ADOrganizationalUnit -Identity $testOU -ProtectedFromAccidentalDeletion $false -ErrorAction Stop
Remove-ADOrganizationalUnit -Identity $testOU -Confirm:$false -Recursive -ErrorAction Stop
Write-Host " [OK] Schreibzugriff funktioniert" -ForegroundColor Green
} catch {
Write-Host " [!] SCHREIBTEST FEHLGESCHLAGEN!" -ForegroundColor Red
Write-Host " [!] Fehler: $($_.Exception.Message)" -ForegroundColor Red
if ($_.Exception.InnerException) {
Write-Host " [!] Detail: $($_.Exception.InnerException.Message)" -ForegroundColor Red
}
Write-Host "`nMoegliche Ursachen:" -ForegroundColor Yellow
Write-Host " 1. Server wurde nach DC-Promotion noch nicht neugestartet" -ForegroundColor Yellow
Write-Host " 2. AD DS Datenbank nicht bereit - 'Restart-Service NTDS' oder Server neustarten" -ForegroundColor Yellow
Write-Host " 3. Dieses Konto hat keine Schreibrechte (als Domain Admin ausfuehren)" -ForegroundColor Yellow
Write-Host " 4. dcdiag /v ausfuehren fuer Details" -ForegroundColor Yellow
$antwort = Read-Host "`nTrotzdem fortfahren? (j/n)"
if ($antwort -ne 'j') { exit 1 }
}
Write-Host ""
# ============================================================
# 1. OU-STRUKTUR
# ============================================================
Write-Host "[1/5] Erstelle OU-Struktur..." -ForegroundColor Yellow
$OUs = @(
"OU=Geschaeftsfuehrung,$DomainDN",
"OU=Sales,$DomainDN",
"OU=Marketing,$DomainDN",
"OU=Service,$DomainDN",
"OU=Server,$DomainDN",
"OU=Gruppen,$DomainDN"
)
$OUCreated = 0; $OUExists = 0; $OUError = 0
foreach ($OU in $OUs) {
$OUName = ($OU -split ",")[0] -replace "OU=", ""
try {
Get-ADOrganizationalUnit -Identity $OU -ErrorAction Stop | Out-Null
Write-Host " [~] OU existiert bereits: $OUName" -ForegroundColor Gray
$OUExists++
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
try {
New-ADOrganizationalUnit -Name $OUName -Path $DomainDN -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
Write-Host " [+] OU erstellt: $OUName" -ForegroundColor Green
$OUCreated++
} catch {
Write-Host " [!] FEHLER OU '$OUName': $($_.Exception.Message)" -ForegroundColor Red
$OUError++
}
} catch {
try {
New-ADOrganizationalUnit -Name $OUName -Path $DomainDN -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
Write-Host " [+] OU erstellt: $OUName" -ForegroundColor Green
$OUCreated++
} catch {
if ($_.Exception.Message -like "*already exists*" -or $_.Exception.Message -like "*existiert bereits*") {
Write-Host " [~] OU existiert bereits: $OUName" -ForegroundColor Gray
$OUExists++
} else {
Write-Host " [!] FEHLER OU '$OUName': $($_.Exception.Message)" -ForegroundColor Red
$OUError++
}
}
}
}
# ============================================================
# 2. AD-GRUPPEN
# ============================================================
Write-Host "`n[2/5] Erstelle AD-Gruppen..." -ForegroundColor Yellow
$Groups = @(
@{ Name = 'GRP-GF-VOLLZUGRIFF'; Description = 'Geschaeftsfuehrung - Vollzugriff' }
@{ Name = 'GRP-GF-VPN'; Description = 'Geschaeftsfuehrung - VPN-Zugang' }
@{ Name = 'GRP-GF-ERP'; Description = 'Geschaeftsfuehrung - ERP-Zugriff' }
@{ Name = 'GRP-SALES-ERP'; Description = 'Sales - ERP-Zugriff' }
@{ Name = 'GRP-SALES-VPN'; Description = 'Sales - VPN-Zugang' }
@{ Name = 'GRP-SALES-FILES'; Description = 'Sales - Dateifreigabe' }
@{ Name = 'GRP-MKT-FILES'; Description = 'Marketing - Dateifreigabe' }
@{ Name = 'GRP-SVC-FILES'; Description = 'Service/Technik - Dateifreigabe' }
@{ Name = 'GRP-SVC-ERP'; Description = 'Service/Technik - ERP-Zugriff (tlw.)' }
@{ Name = 'GRP-ALL-EMAIL'; Description = 'Alle Mitarbeiter - E-Mail' }
@{ Name = 'GRP-ADMINS'; Description = 'IT-Administratoren' }
)
$GrpCreated = 0; $GrpExists = 0; $GrpError = 0
foreach ($Group in $Groups) {
try {
Get-ADGroup -Identity $Group.Name -ErrorAction Stop | Out-Null
Write-Host " [~] Gruppe existiert bereits: $($Group.Name)" -ForegroundColor Gray
$GrpExists++
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
try {
New-ADGroup `
-Name $Group.Name `
-SamAccountName $Group.Name `
-GroupScope Global `
-GroupCategory Security `
-Description $Group.Description `
-Path "OU=Gruppen,$DomainDN" `
-ErrorAction Stop
Write-Host " [+] Gruppe erstellt: $($Group.Name)" -ForegroundColor Green
$GrpCreated++
} catch {
Write-Host " [!] FEHLER Gruppe '$($Group.Name)': $($_.Exception.Message)" -ForegroundColor Red
$GrpError++
}
} catch {
try {
New-ADGroup `
-Name $Group.Name `
-SamAccountName $Group.Name `
-GroupScope Global `
-GroupCategory Security `
-Description $Group.Description `
-Path "OU=Gruppen,$DomainDN" `
-ErrorAction Stop
Write-Host " [+] Gruppe erstellt: $($Group.Name)" -ForegroundColor Green
$GrpCreated++
} catch {
if ($_.Exception.Message -like "*already exists*" -or $_.Exception.Message -like "*existiert bereits*") {
Write-Host " [~] Gruppe existiert bereits: $($Group.Name)" -ForegroundColor Gray
$GrpExists++
} else {
Write-Host " [!] FEHLER Gruppe '$($Group.Name)': $($_.Exception.Message)" -ForegroundColor Red
$GrpError++
}
}
}
}
# ============================================================
# 3. BENUTZER
# ============================================================
Write-Host "`n[3/5] Erstelle Benutzer..." -ForegroundColor Yellow
$Users = @(
# --- Geschäftsführung (1 MA) ---
@{ Vorname="Thomas"; Nachname="Maier"; Abt="Geschaeftsfuehrung"; OU="OU=Geschaeftsfuehrung,$DomainDN"; Gruppen=@("GRP-GF-VOLLZUGRIFF","GRP-GF-VPN","GRP-GF-ERP","GRP-ALL-EMAIL"); Title="Geschäftsführer" },
# --- Sales / Vertrieb (2 MA) ---
@{ Vorname="Anna"; Nachname="Huber"; Abt="Sales"; OU="OU=Sales,$DomainDN"; Gruppen=@("GRP-SALES-ERP","GRP-SALES-VPN","GRP-SALES-FILES","GRP-ALL-EMAIL"); Title="Vertriebsmitarbeiterin" },
@{ Vorname="Markus"; Nachname="Reiter"; Abt="Sales"; OU="OU=Sales,$DomainDN"; Gruppen=@("GRP-SALES-ERP","GRP-SALES-VPN","GRP-SALES-FILES","GRP-ALL-EMAIL"); Title="Vertriebsmitarbeiter" },
# --- Marketing (2 MA) ---
@{ Vorname="Julia"; Nachname="Wagner"; Abt="Marketing"; OU="OU=Marketing,$DomainDN"; Gruppen=@("GRP-MKT-FILES","GRP-ALL-EMAIL"); Title="Marketingmitarbeiterin" },
@{ Vorname="Stefan"; Nachname="Bauer"; Abt="Marketing"; OU="OU=Marketing,$DomainDN"; Gruppen=@("GRP-MKT-FILES","GRP-ALL-EMAIL"); Title="Marketingmitarbeiter" },
# --- Service / Technik (25 MA) ---
@{ Vorname="Klaus"; Nachname="Schneider"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-SVC-ERP","GRP-ALL-EMAIL"); Title="Techniker" },
@{ Vorname="Peter"; Nachname="Fischer"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-SVC-ERP","GRP-ALL-EMAIL"); Title="Techniker" },
@{ Vorname="Michael"; Nachname="Weber"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-SVC-ERP","GRP-ALL-EMAIL"); Title="Techniker" },
@{ Vorname="Andreas"; Nachname="Müller"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-SVC-ERP","GRP-ALL-EMAIL"); Title="Techniker" },
@{ Vorname="Christian";Nachname="Schmidt"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-SVC-ERP","GRP-ALL-EMAIL"); Title="Techniker" },
@{ Vorname="David"; Nachname="Hoffmann"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Felix"; Nachname="Schäfer"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Georg"; Nachname="Koch"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Hans"; Nachname="Becker"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Josef"; Nachname="Wolf"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Karl"; Nachname="Braun"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Leon"; Nachname="Schwarz"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Martin"; Nachname="Zimmermann";Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Nico"; Nachname="Krause"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Oliver"; Nachname="Richter"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Paul"; Nachname="Klein"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Robert"; Nachname="Werner"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Simon"; Nachname="Neumann"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Thomas"; Nachname="Lange"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Ulrich"; Nachname="Scholz"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Viktor"; Nachname="Peters"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Walter"; Nachname="Vogel"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Xaver"; Nachname="Keller"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" },
@{ Vorname="Yannick"; Nachname="Frank"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }
)
$UserCreatedCount = 0; $UserExistsCount = 0; $UserErrorCount = 0
foreach ($User in $Users) {
$Sam = ($User.Vorname + "." + $User.Nachname).ToLower()
$Sam = $Sam -replace "ä","ae" -replace "ö","oe" -replace "ü","ue" -replace "ß","ss"
$UPN = "$Sam@$Domain"
$EmailAddr = "$Sam@$MailDomain"
$UserCreated = $false
try {
Get-ADUser -Identity $Sam -ErrorAction Stop | Out-Null
Write-Host " [~] User existiert bereits: $Sam" -ForegroundColor Gray
$UserExistsCount++
$UserCreated = $true
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
try {
New-ADUser `
-SamAccountName $Sam `
-UserPrincipalName $UPN `
-GivenName $User.Vorname `
-Surname $User.Nachname `
-Name "$($User.Vorname) $($User.Nachname)" `
-DisplayName "$($User.Vorname) $($User.Nachname)" `
-Department $User.Abt `
-Title $User.Title `
-EmailAddress $EmailAddr `
-Path $User.OU `
-AccountPassword $DefaultPW `
-PasswordNeverExpires $false `
-ChangePasswordAtLogon $true `
-Enabled $true `
-ErrorAction Stop
Write-Host " [+] User erstellt: $Sam ($($User.Abt))" -ForegroundColor Green
$UserCreatedCount++
$UserCreated = $true
} catch {
Write-Host " [!] FEHLER User '$Sam': $($_.Exception.Message)" -ForegroundColor Red
$UserErrorCount++
}
} catch {
Write-Host " [!] FEHLER beim Pruefen von User '$Sam': $($_.Exception.Message)" -ForegroundColor Red
$UserErrorCount++
}
if ($UserCreated) {
foreach ($Gruppe in $User.Gruppen) {
try {
$UserObj = Get-ADUser -Identity $Sam -ErrorAction Stop
Add-ADGroupMember -Identity $Gruppe -Members $UserObj -ErrorAction Stop
} catch {
if ($_.Exception.Message -like "*already a member*" -or $_.Exception.Message -like "*ist bereits Mitglied*" -or $_.Exception.Message -like "*member already exists*") {
# Stille Warnung
} else {
Write-Warning " Gruppe '$Gruppe' -> '$Sam': $($_.Exception.Message)"
}
}
}
}
}
# ============================================================
# 4. SERVICE-ACCOUNT FÜR MAILSERVER (LDAP-Bind)
# ============================================================
Write-Host "`n[4/5] Erstelle Service-Account für Mailserver..." -ForegroundColor Yellow
$SvcSam = "svc-mailserver"
$SvcUPN = "$SvcSam@$Domain"
$SvcPW = ConvertTo-SecureString 'Mail$3rv!ceAcc2026' -AsPlainText -Force
try {
Get-ADUser -Identity $SvcSam -ErrorAction Stop | Out-Null
Write-Host " [~] Service-Account existiert bereits: $SvcSam" -ForegroundColor Gray
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
try {
New-ADUser `
-SamAccountName $SvcSam `
-UserPrincipalName $SvcUPN `
-Name "Mailserver Service Account" `
-DisplayName "Mailserver Service Account" `
-Description "Service-Account fuer Docker-Mailserver LDAP-Bind" `
-Path "OU=Server,$DomainDN" `
-AccountPassword $SvcPW `
-PasswordNeverExpires $true `
-ChangePasswordAtLogon $false `
-CannotChangePassword $true `
-Enabled $true `
-ErrorAction Stop
Write-Host " [+] Service-Account erstellt: $SvcSam" -ForegroundColor Green
} catch {
Write-Host " [!] FEHLER Service-Account '$SvcSam': $($_.Exception.Message)" -ForegroundColor Red
}
} catch {
Write-Host " [!] FEHLER beim Pruefen von Service-Account '$SvcSam': $($_.Exception.Message)" -ForegroundColor Red
}
# ============================================================
# 5. GRUPPENRICHTLINIEN (GPOs)
# ============================================================
Write-Host "`n[5/5] Konfiguriere Gruppenrichtlinien (GPOs)..." -ForegroundColor Yellow
$GpoSecurityName = "ByteTrail_Base_Security"
$GpoDrivesName = "ByteTrail_Mapped_Drives"
# 5.1 Basis-Sicherheit (Domänenweit)
if (!(Get-GPO -Name $GpoSecurityName -ErrorAction SilentlyContinue)) {
try {
$gpoSec = New-GPO -Name $GpoSecurityName -Comment "Basis-Sicherheitsrichtlinien (Bildschirmsperre etc.)"
New-GPLink -Name $GpoSecurityName -Target $DomainDN -LinkEnabled Yes | Out-Null
# Automatische Bildschirmsperre nach 15 Minuten (900 Sekunden) erzwingen
Set-GPRegistryValue -Name $GpoSecurityName -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaveActive" -Type String -Value "1" | Out-Null
Set-GPRegistryValue -Name $GpoSecurityName -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaverIsSecure" -Type String -Value "1" | Out-Null
Set-GPRegistryValue -Name $GpoSecurityName -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaveTimeOut" -Type String -Value "900" | Out-Null
Write-Host " [+] GPO '$GpoSecurityName' erstellt, konfiguriert und mit Domäne verknüpft." -ForegroundColor Green
} catch {
Write-Host " [!] Fehler bei GPO '$GpoSecurityName': $($_.Exception.Message)" -ForegroundColor Red
}
} else {
Write-Host " [~] GPO '$GpoSecurityName' existiert bereits." -ForegroundColor Gray
}
# 5.2 Netzlaufwerke GPO-Hülle (Verknüpft mit allen relevanten OUs)
if (!(Get-GPO -Name $GpoDrivesName -ErrorAction SilentlyContinue)) {
try {
New-GPO -Name $GpoDrivesName -Comment "Automatische Netzlaufwerk-Zuweisungen fuer Fachabteilungen" | Out-Null
# Mit den OUs aus Skript 1 verknüpfen
New-GPLink -Name $GpoDrivesName -Target "OU=Geschaeftsfuehrung,$DomainDN" -LinkEnabled Yes | Out-Null
New-GPLink -Name $GpoDrivesName -Target "OU=Sales,$DomainDN" -LinkEnabled Yes | Out-Null
New-GPLink -Name $GpoDrivesName -Target "OU=Marketing,$DomainDN" -LinkEnabled Yes | Out-Null
New-GPLink -Name $GpoDrivesName -Target "OU=Service,$DomainDN" -LinkEnabled Yes | Out-Null
Write-Host " [+] GPO '$GpoDrivesName' erstellt und mit OUs verknüpft." -ForegroundColor Green
} catch {
Write-Host " [!] Fehler bei GPO '$GpoDrivesName': $($_.Exception.Message)" -ForegroundColor Red
}
} else {
Write-Host " [~] GPO '$GpoDrivesName' existiert bereits." -ForegroundColor Gray
}
# ============================================================
# ZUSAMMENFASSUNG
# ============================================================
Write-Host "`n=== Setup abgeschlossen ===" -ForegroundColor Cyan
Write-Host "OUs: $OUCreated neu, $OUExists vorhanden, $OUError Fehler" -ForegroundColor White
Write-Host "Gruppen: $GrpCreated neu, $GrpExists vorhanden, $GrpError Fehler" -ForegroundColor White
Write-Host "User: $UserCreatedCount neu erstellt, $UserExistsCount bereits vorhanden, $UserErrorCount Fehler (+ 1 Service-Account)" -ForegroundColor White
Write-Host "GPOs: Erstellt und verknuepft (Sicherheit & Laufwerke)" -ForegroundColor White
Write-Host "`nStandard-Passwort User: ByteTrail2026! (Benutzer muessen es beim ersten Login aendern)" -ForegroundColor Yellow
Write-Host "Service-Account Mailserver: $SvcSam / Mail`$3rv!ceAcc2026" -ForegroundColor Yellow
Write-Host "Mail-Domain: $MailDomain" -ForegroundColor White
Write-Host "AD-Domaene: $Domain" -ForegroundColor White
Write-Host ""
PPIT_output.mp4
LFS
BIN
View File
Binary file not shown.