From aa9bd915836ea2d6ad6159cfb1a65450226197a5 Mon Sep 17 00:00:00 2001
From: blackicedbear
Date: Mon, 25 May 2026 14:43:12 +0200
Subject: [PATCH] first commit
---
 .gitattributes | 1 +
 Configure-ByteTrail-FileServer.ps1 | 374 ++++++++++++++++++++++++++
 Deploy-ByteTrail-AD-Environment.ps1 | 397 ++++++++++++++++++++++++++++
 PPIT_output.mp4 | 3 +
 4 files changed, 775 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 Configure-ByteTrail-FileServer.ps1
 create mode 100644 Deploy-ByteTrail-AD-Environment.ps1
 create mode 100644 PPIT_output.mp4
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9942ba2
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.mp4 filter=lfs diff=lfs merge=lfs -text
diff --git a/Configure-ByteTrail-FileServer.ps1 b/Configure-ByteTrail-FileServer.ps1
new file mode 100644
index 0000000..5033907
--- /dev/null
+++ b/Configure-ByteTrail-FileServer.ps1
@@ -0,0 +1,374 @@
+# ============================================================
+# ByteTrail GmbH – GPO, File Server & DFS Namespace Setup Script
+# Domäne: bytetrail.local
+# Ausführen auf: Domain Controller / Fileserver als Domain Admin
+# ============================================================
+
+Import-Module GroupPolicy -ErrorAction Stop
+
+#region KONFIGURATION
+$Domain = "bytetrail.local"
+$DomainDN = "DC=bytetrail,DC=local"
+$NetBIOSDom = "BYTETRAIL"
+$MailDomain = "bytetrail.at"
+$FreigabePfad = "D:\Freigabe"
+$DfsRootPfad = "D:\DfsRoot" # NEU für Variante 1: Separater, leerer Pfad für den DFS-Root
+#endregion
+
+Write-Host "`n=== ByteTrail GPO, Fileserver & DFS Setup gestartet ===" -ForegroundColor Cyan
+
+# Dynamische Namensauflösung via SID
+try {
+ Import-Module ActiveDirectory -ErrorAction Stop
+
+ $DomainSID = (Get-ADDomain).DomainSID.Value
+
+ $DomainAdminsSID = "$DomainSID-512"
+ $DomainUsersSID = "$DomainSID-513"
+
+ $DomainAdminsName = (Get-ADGroup -Identity $DomainAdminsSID).Name
+ $DomainUsersName = (Get-ADGroup -Identity $DomainUsersSID).Name
+}
+catch {
+ Write-Host " [!] Fehler beim Auflösen der Standardgruppen: $($_.Exception.Message)" -ForegroundColor Red
+ return
+}
+
+# ============================================================
+# TEIL 1: GRUPPENRICHTLINIEN (GPOs) SKELETT
+# ============================================================
+Write-Host "`n[1/4] Konfiguriere Gruppenrichtlinien (GPOs)..." 
-ForegroundColor Yellow + +$GpoSecurityName = "ByteTrail_Base_Security" +$GpoDrivesName = "ByteTrail_Mapped_Drives" + +# 1.1 Basis-Sicherheit (Domänenweit) +if (!(Get-GPO -Name $GpoSecurityName -ErrorAction SilentlyContinue)) { + try { + $gpoSec = New-GPO -Name $GpoSecurityName -Comment "Basis-Sicherheitsrichtlinien (Bildschirmsperre etc.)" + New-GPLink -Name $GpoSecurityName -Target $DomainDN -LinkEnabled Yes | Out-Null + + Set-GPRegistryValue -Name $GpoSecurityName -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaveActive" -Type String -Value "1" | Out-Null + Set-GPRegistryValue -Name $GpoSecurityName -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaverIsSecure" -Type String -Value "1" | Out-Null + Set-GPRegistryValue -Name $GpoSecurityName -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaveTimeOut" -Type String -Value "900" | Out-Null + + Write-Host " [+] GPO '$GpoSecurityName' erstellt, konfiguriert und mit Domäne verknüpft." -ForegroundColor Green + } catch { + Write-Host " [!] Fehler bei GPO '$GpoSecurityName': $($_.Exception.Message)" -ForegroundColor Red + } +} else { + Write-Host " [~] GPO '$GpoSecurityName' existiert bereits." -ForegroundColor Gray +} + +# 1.2 Netzlaufwerke GPO-Hülle +if (!(Get-GPO -Name $GpoDrivesName -ErrorAction SilentlyContinue)) { + try { + New-GPO -Name $GpoDrivesName -Comment "Automatische Netzlaufwerk-Zuweisungen fuer Fachabteilungen" | Out-Null + + New-GPLink -Name $GpoDrivesName -Target "OU=Geschaeftsfuehrung,$DomainDN" -LinkEnabled Yes | Out-Null + New-GPLink -Name $GpoDrivesName -Target "OU=Sales,$DomainDN" -LinkEnabled Yes | Out-Null + New-GPLink -Name $GpoDrivesName -Target "OU=Marketing,$DomainDN" -LinkEnabled Yes | Out-Null + New-GPLink -Name $GpoDrivesName -Target "OU=Service,$DomainDN" -LinkEnabled Yes | Out-Null + + Write-Host " [+] GPO '$GpoDrivesName' erstellt und mit OUs verknüpft." 
-ForegroundColor Green + } catch { + Write-Host " [!] Fehler bei GPO '$GpoDrivesName': $($_.Exception.Message)" -ForegroundColor Red + } +} else { + Write-Host " [~] GPO '$GpoDrivesName' existiert bereits." -ForegroundColor Gray +} + + +# ============================================================ +# TEIL 2: FILESERVER ORDNER & BERECHTIGUNGEN (NTFS) +# ============================================================ +Write-Host "`n[2/4] Konfiguriere Ordnerstruktur & NTFS-Berechtigungen auf $FreigabePfad..." -ForegroundColor Yellow + +# Haupt-Datenverzeichnis +if (!(Test-Path $FreigabePfad)) { New-Item -Path $FreigabePfad -ItemType Directory -Force | Out-Null } + +try { + Get-SmbShare -Name "Freigabe" -ErrorAction Stop | Out-Null + Write-Host " [~] SMB-Freigabe 'Freigabe' existiert bereits." -ForegroundColor Gray +} catch { + New-SmbShare -Name "Freigabe" -Path $FreigabePfad -FullAccess "$NetBIOSDom\$DomainAdminsName" -ChangeAccess "$NetBIOSDom\$DomainUsersName" | Out-Null + Write-Host " [+] SMB-Freigabe 'Freigabe' erstellt." -ForegroundColor Green +} + +# NEU für Variante 1: Separates Verzeichnis für den DFS-Root (Muss physisch komplett leer bleiben!) +if (!(Test-Path $DfsRootPfad)) { New-Item -Path $DfsRootPfad -ItemType Directory -Force | Out-Null } + +try { + Get-SmbShare -Name "DfsRoot$" -ErrorAction Stop | Out-Null + Write-Host " [~] SMB-Freigabe 'DfsRoot$' existiert bereits." -ForegroundColor Gray +} catch { + # Versteckte Freigabe für das DFS-Root-Skelett + New-SmbShare -Name "DfsRoot$" -Path $DfsRootPfad -FullAccess "$NetBIOSDom\$DomainAdminsName" -ReadAccess "$NetBIOSDom\$DomainUsersName" | Out-Null + Write-Host " [+] SMB-Freigabe 'DfsRoot$' für DFS erstellt." 
-ForegroundColor Green +} + +$AclBase = Get-Acl $FreigabePfad +$AclBase.SetAccessRuleProtection($true, $true) +Set-Acl -Path $FreigabePfad -AclObject $AclBase + +$Folders = @( + @{ Name = "Geschaeftsfuehrung"; Group = "GRP-GF-VOLLZUGRIFF" } + @{ Name = "Sales"; Group = "GRP-SALES-FILES" } + @{ Name = "Marketing"; Group = "GRP-MKT-FILES" } + @{ Name = "Service"; Group = "GRP-SVC-FILES" } +) + +$RightsModify = [System.Security.AccessControl.FileSystemRights]::Modify +$RightsRead = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute +$RightsFull = [System.Security.AccessControl.FileSystemRights]::FullControl +$Inheritance = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit, [System.Security.AccessControl.InheritanceFlags]::ObjectInherit +$Propagation = [System.Security.AccessControl.PropagationFlags]::None +$Allow = [System.Security.AccessControl.AccessControlType]::Allow + +$RuleAdmin = New-Object System.Security.AccessControl.FileSystemAccessRule("$NetBIOSDom\GRP-ADMINS", $RightsFull, $Inheritance, $Propagation, $Allow) +$RuleSystem = New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM", $RightsFull, $Inheritance, $Propagation, $Allow) # Wichtig für Backup/Windows-Dienste +$RuleGFRead = New-Object System.Security.AccessControl.FileSystemAccessRule("$NetBIOSDom\GRP-GF-VOLLZUGRIFF", $RightsRead, $Inheritance, $Propagation, $Allow) + +foreach ($Folder in $Folders) { + $FolderPath = "$FreigabePfad\$($Folder.Name)" + if (!(Test-Path $FolderPath)) { New-Item -Path $FolderPath -ItemType Directory -Force | Out-Null } + + $Acl = Get-Acl -Path $FolderPath + $Acl.SetAccessRuleProtection($true, $false) + $Acl.AddAccessRule($RuleAdmin) + $Acl.AddAccessRule($RuleSystem) + + $RuleDept = New-Object System.Security.AccessControl.FileSystemAccessRule("$NetBIOSDom\$($Folder.Group)", $RightsModify, $Inheritance, $Propagation, $Allow) + $Acl.AddAccessRule($RuleDept) + + if ($Folder.Name -ne "Geschaeftsfuehrung") { + 
$Acl.AddAccessRule($RuleGFRead) + } + + Set-Acl -Path $FolderPath -AclObject $Acl + Write-Host " [+] Rechte für Ordner '$($Folder.Name)' erfolgreich gesetzt." -ForegroundColor Green +} + +$AustauschPath = "$FreigabePfad\Austausch" +if (!(Test-Path $AustauschPath)) { New-Item -Path $AustauschPath -ItemType Directory -Force | Out-Null } +$AclAustausch = Get-Acl -Path $AustauschPath +$AclAustausch.SetAccessRuleProtection($true, $false) + +$RuleAll = New-Object System.Security.AccessControl.FileSystemAccessRule("$NetBIOSDom\$DomainUsersName", $RightsModify, $Inheritance, $Propagation, $Allow) +$AclAustausch.AddAccessRule($RuleAll) +$AclAustausch.AddAccessRule($RuleAdmin) +$AclAustausch.AddAccessRule($RuleSystem) +Set-Acl -Path $AustauschPath -AclObject $AclAustausch +Write-Host " [+] Rechte für Ordner 'Austausch' erfolgreich gesetzt." -ForegroundColor Green + + +# ============================================================ +# TEIL 3: DFS-NAMESPACES (Kollisionsfrei nach Variante 1) +# ============================================================ +Write-Host "`n[3/4] Konfiguriere DFS-Namespace..." -ForegroundColor Yellow + +if (!(Get-WindowsFeature -Name FS-DFS-Namespace).Installed) { + Write-Host " [..] Installiere DFS-Namespace Server-Rolle..." -ForegroundColor Gray + Install-WindowsFeature FS-DFS-Namespace -IncludeManagementTools | Out-Null +} +Import-Module DFSN + +$NamespaceRoot = "\\$Domain\Daten" +$LocalServerFQDN = "$env:COMPUTERNAME.$Domain" + +# DFS-Root erstellen (Verweist nun exklusiv auf die leere Freigabe) +try { + Get-DfsnRoot -Path $NamespaceRoot -ErrorAction Stop | Out-Null + Write-Host " [~] DFS-Root '$NamespaceRoot' existiert bereits." -ForegroundColor Gray +} catch { + New-DfsnRoot -Path $NamespaceRoot -Type DomainV2 -TargetPath "\\$LocalServerFQDN\DfsRoot$" -ErrorAction Stop | Out-Null + Write-Host " [+] DFS-Root '$NamespaceRoot' erfolgreich erstellt." 
-ForegroundColor Green +} + +# DFS-Ordner (Links) im leeren Namespace-Verzeichnis einrichten +foreach ($Folder in $Folders) { + $DfsFolderPath = "$NamespaceRoot\$($Folder.Name)" + try { + Get-DfsnFolder -Path $DfsFolderPath -ErrorAction Stop | Out-Null + } catch { + New-DfsnFolder -Path $DfsFolderPath -TargetPath "\\$LocalServerFQDN\Freigabe\$($Folder.Name)" -ErrorAction Stop | Out-Null + Write-Host " [+] DFS Link erstellt: $($Folder.Name) -> $NamespaceRoot\$($Folder.Name)" -ForegroundColor Green + } +} + +# DFS Link für den öffentlichen Austausch-Ordner +$DfsAustauschPath = "$NamespaceRoot\Austausch" +try { Get-DfsnFolder -Path $DfsAustauschPath -ErrorAction Stop | Out-Null } catch { + New-DfsnFolder -Path $DfsAustauschPath -TargetPath "\\$LocalServerFQDN\Freigabe\Austausch" -ErrorAction Stop | Out-Null + Write-Host " [+] DFS Link erstellt: Austausch -> $DfsAustauschPath" -ForegroundColor Green +} + + +# ============================================================ +# TEIL 4: GPP DRIVE MAPS (EMPFOHLENE VARIANTE) +# ============================================================ +Write-Host "`n[4/4] Konfiguriere GPP Drive Maps..." 
-ForegroundColor Yellow + +$Gpo = Get-GPO -Name $GpoDrivesName +$GpoGuid = $Gpo.Id.Guid + +# SYSVOL Pfade +$GpoRoot = "\\$Domain\SYSVOL\$Domain\Policies\{$GpoGuid}" +$PreferencesPath = "$GpoRoot\User\Preferences" +$DriveMapPath = "$PreferencesPath\Drives" + +# Ordner erzeugen +New-Item -Path $DriveMapPath -ItemType Directory -Force | Out-Null + +# ============================================================ +# DRIVE MAP XML +# ============================================================ + +$XmlContent = @" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +"@ + +# XML speichern +$XmlContent | Out-File "$DriveMapPath\Drives.xml" -Encoding UTF8 -Force + +# ============================================================ +# GPT.INI Version erhöhen +# ============================================================ + +$GptIni = "$GpoRoot\GPT.INI" + +if (Test-Path $GptIni) { + + $Content = Get-Content $GptIni + + $VersionLine = $Content | Where-Object { $_ -match "^Version=" } + + if ($VersionLine) { + + $CurrentVersion = [int]($VersionLine -replace "Version=", "") + $NewVersion = $CurrentVersion + 1 + + $Content = $Content -replace "Version=$CurrentVersion", "Version=$NewVersion" + + $Content | Set-Content $GptIni -Encoding ASCII + } +} + +# ============================================================ +# Netzwerk-Wartezeit aktivieren +# ============================================================ + +Set-GPRegistryValue ` + -Name $GpoSecurityName ` + -Key "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" ` + -ValueName "SyncForegroundPolicy" ` + -Type DWord ` + -Value 1 | Out-Null + +Write-Host " [+] GPP Drive Maps erfolgreich konfiguriert." -ForegroundColor Green + +Write-Host "`n=== Setup erfolgreich abgeschlossen ===" -ForegroundColor Cyan \ No newline at end of file diff --git a/Deploy-ByteTrail-AD-Environment.ps1 b/Deploy-ByteTrail-AD-Environment.ps1 new file mode 100644 index 0000000..8ccbfbe --- /dev/null 
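Review bot: The GPT.INI step near the end of the hunk bumps the wrong half of the version: GPT.INI packs the user-side version in the high 16 bits and the computer-side in the low 16 bits, so `$NewVersion = $CurrentVersion + 1` advertises a computer-policy change while Drives.xml is written under `User\Preferences`; it should be `$NewVersion = $CurrentVersion + 65536`. The GPO's AD object is also left untouched: clients compare its `versionNumber` attribute with GPT.INI and only run the Drive Maps client-side extension if its CSE/tool GUID pair is listed in `gPCUserExtensionNames`, and nothing in this hunk sets either, so the mapped drives are likely never applied (the later `Set-GPRegistryValue` touches the other GPO and does not help); a `Set-ADObject -Identity $Gpo.Path -Replace @{ versionNumber = $NewVersion; gPCUserExtensionNames = '<DRIVE-MAPS-CSE-GUID-PAIR placeholder>' }` after the GPT.INI write closes that gap, and the XML body of `$XmlContent` is not visible in this rendering so its content could not be reviewed. Separately, in TEIL 2 each department folder keeps only `GRP-ADMINS` and SYSTEM after `SetAccessRuleProtection($true, $false)` discards inherited ACEs, and the sibling Deploy script creates `GRP-ADMINS` with no members, so no administrator holds an explicit ACE on those folders until someone is added or takes ownership; either document that dependency above `$RuleAdmin` or add a second FullControl rule for `BUILTIN\Administrators` alongside it.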
+++ b/Deploy-ByteTrail-AD-Environment.ps1 
@@ -0,0 +1,397 @@ +# ============================================================ +# ByteTrail GmbH – Active Directory & GPO Setup Script +# Domäne: bytetrail.local +# Erstellt: Team 3 VZ | FH Burgenland | SS 2026 +# Ausführen auf: SRV-DC01 als Domain Admin +# ============================================================ + +Import-Module GroupPolicy -ErrorAction Stop + +#region KONFIGURATION +$Domain = "bytetrail.local" +$DomainDN = "DC=bytetrail,DC=local" +$NetBIOSDom = "BYTETRAIL" # NetBIOS Name für Rechtevergabe/Fileserver +$MailDomain = "bytetrail.at" +$DefaultPW = ConvertTo-SecureString "ByteTrail2026!" -AsPlainText -Force +#endregion + +Write-Host "`n=== ByteTrail AD & GPO Setup gestartet ===" -ForegroundColor Cyan + +# ============================================================ +# DIAGNOSE - Pruefen ob AD bereit ist +# ============================================================ +Write-Host "`n[0/5] AD-Diagnose..." -ForegroundColor Yellow + +# ADWS-Dienst pruefen +$adws = Get-Service ADWS -ErrorAction SilentlyContinue +if ($adws) { + if ($adws.Status -ne 'Running') { + Write-Host " [!] ADWS-Dienst ist NICHT gestartet (Status: $($adws.Status)). Starte..." -ForegroundColor Red + try { Start-Service ADWS -ErrorAction Stop; Start-Sleep -Seconds 5 } + catch { Write-Host " [!] ADWS konnte nicht gestartet werden: $_" -ForegroundColor Red; exit 1 } + } + Write-Host " [OK] ADWS-Dienst laeuft" -ForegroundColor Green +} else { + Write-Host " [!] ADWS-Dienst nicht gefunden - ist AD DS installiert?" -ForegroundColor Red + exit 1 +} + +# AD erreichbar? 
+try { + $ADDomain = Get-ADDomain -ErrorAction Stop + Write-Host " [OK] AD-Domaene: $($ADDomain.DNSRoot)" -ForegroundColor Green + Write-Host " [OK] Naming Context: $($ADDomain.DistinguishedName)" -ForegroundColor Green + Write-Host " [OK] PDC Emulator: $($ADDomain.PDCEmulator)" -ForegroundColor Green + Write-Host " [OK] Infrastruktur Master: $($ADDomain.InfrastructureMaster)" -ForegroundColor Green + + # RODC-Check + $dc = Get-ADDomainController -ErrorAction Stop + if ($dc.IsReadOnly) { + Write-Host " [!] ACHTUNG: Dieser DC ist ein READ-ONLY DC (RODC) - Schreiboperationen werden fehlschlagen!" -ForegroundColor Red + exit 1 + } + Write-Host " [OK] DC: $($dc.HostName) (Beschreibbar)" -ForegroundColor Green +} catch { + Write-Host " [!] AD nicht erreichbar: $($_.Exception.Message)" -ForegroundColor Red + Write-Host " [!] InnerException: $($_.Exception.InnerException)" -ForegroundColor Red + Write-Host "`nMoegliche Loesungen:" -ForegroundColor Yellow + Write-Host " 1. Server neustarten (nach DC-Promotion noetig)" -ForegroundColor Yellow + Write-Host " 2. Restart-Service ADWS" -ForegroundColor Yellow + Write-Host " 3. dcdiag /v ausfuehren fuer Details" -ForegroundColor Yellow + exit 1 +} + +# Quick-Write-Test: Versuche ein Dummy-Objekt zu erstellen und loeschen +Write-Host " [..] Schreibtest..." 
-ForegroundColor Gray +try { + $testOUName = "_ByteTrailSetupTest" + $testOU = "OU=$testOUName,$DomainDN" + + # Falls vom letzten Lauf noch vorhanden, erst loeschen + try { + Set-ADOrganizationalUnit -Identity $testOU -ProtectedFromAccidentalDeletion $false -ErrorAction Stop + Remove-ADOrganizationalUnit -Identity $testOU -Confirm:$false -Recursive -ErrorAction Stop + } catch { } + + New-ADOrganizationalUnit -Name $testOUName -Path $DomainDN -ErrorAction Stop + Set-ADOrganizationalUnit -Identity $testOU -ProtectedFromAccidentalDeletion $false -ErrorAction Stop + Remove-ADOrganizationalUnit -Identity $testOU -Confirm:$false -Recursive -ErrorAction Stop + Write-Host " [OK] Schreibzugriff funktioniert" -ForegroundColor Green +} catch { + Write-Host " [!] SCHREIBTEST FEHLGESCHLAGEN!" -ForegroundColor Red + Write-Host " [!] Fehler: $($_.Exception.Message)" -ForegroundColor Red + if ($_.Exception.InnerException) { + Write-Host " [!] Detail: $($_.Exception.InnerException.Message)" -ForegroundColor Red + } + Write-Host "`nMoegliche Ursachen:" -ForegroundColor Yellow + Write-Host " 1. Server wurde nach DC-Promotion noch nicht neugestartet" -ForegroundColor Yellow + Write-Host " 2. AD DS Datenbank nicht bereit - 'Restart-Service NTDS' oder Server neustarten" -ForegroundColor Yellow + Write-Host " 3. Dieses Konto hat keine Schreibrechte (als Domain Admin ausfuehren)" -ForegroundColor Yellow + Write-Host " 4. dcdiag /v ausfuehren fuer Details" -ForegroundColor Yellow + $antwort = Read-Host "`nTrotzdem fortfahren? (j/n)" + if ($antwort -ne 'j') { exit 1 } +} +Write-Host "" + +# ============================================================ +# 1. OU-STRUKTUR +# ============================================================ +Write-Host "[1/5] Erstelle OU-Struktur..." 
-ForegroundColor Yellow +$OUs = @( + "OU=Geschaeftsfuehrung,$DomainDN", + "OU=Sales,$DomainDN", + "OU=Marketing,$DomainDN", + "OU=Service,$DomainDN", + "OU=Server,$DomainDN", + "OU=Gruppen,$DomainDN" +) +$OUCreated = 0; $OUExists = 0; $OUError = 0 + +foreach ($OU in $OUs) { + $OUName = ($OU -split ",")[0] -replace "OU=", "" + try { + Get-ADOrganizationalUnit -Identity $OU -ErrorAction Stop | Out-Null + Write-Host " [~] OU existiert bereits: $OUName" -ForegroundColor Gray + $OUExists++ + } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { + try { + New-ADOrganizationalUnit -Name $OUName -Path $DomainDN -ProtectedFromAccidentalDeletion $true -ErrorAction Stop + Write-Host " [+] OU erstellt: $OUName" -ForegroundColor Green + $OUCreated++ + } catch { + Write-Host " [!] FEHLER OU '$OUName': $($_.Exception.Message)" -ForegroundColor Red + $OUError++ + } + } catch { + try { + New-ADOrganizationalUnit -Name $OUName -Path $DomainDN -ProtectedFromAccidentalDeletion $true -ErrorAction Stop + Write-Host " [+] OU erstellt: $OUName" -ForegroundColor Green + $OUCreated++ + } catch { + if ($_.Exception.Message -like "*already exists*" -or $_.Exception.Message -like "*existiert bereits*") { + Write-Host " [~] OU existiert bereits: $OUName" -ForegroundColor Gray + $OUExists++ + } else { + Write-Host " [!] FEHLER OU '$OUName': $($_.Exception.Message)" -ForegroundColor Red + $OUError++ + } + } + } +} + +# ============================================================ +# 2. AD-GRUPPEN +# ============================================================ +Write-Host "`n[2/5] Erstelle AD-Gruppen..." 
-ForegroundColor Yellow +$Groups = @( + @{ Name = 'GRP-GF-VOLLZUGRIFF'; Description = 'Geschaeftsfuehrung - Vollzugriff' } + @{ Name = 'GRP-GF-VPN'; Description = 'Geschaeftsfuehrung - VPN-Zugang' } + @{ Name = 'GRP-GF-ERP'; Description = 'Geschaeftsfuehrung - ERP-Zugriff' } + @{ Name = 'GRP-SALES-ERP'; Description = 'Sales - ERP-Zugriff' } + @{ Name = 'GRP-SALES-VPN'; Description = 'Sales - VPN-Zugang' } + @{ Name = 'GRP-SALES-FILES'; Description = 'Sales - Dateifreigabe' } + @{ Name = 'GRP-MKT-FILES'; Description = 'Marketing - Dateifreigabe' } + @{ Name = 'GRP-SVC-FILES'; Description = 'Service/Technik - Dateifreigabe' } + @{ Name = 'GRP-SVC-ERP'; Description = 'Service/Technik - ERP-Zugriff (tlw.)' } + @{ Name = 'GRP-ALL-EMAIL'; Description = 'Alle Mitarbeiter - E-Mail' } + @{ Name = 'GRP-ADMINS'; Description = 'IT-Administratoren' } +) +$GrpCreated = 0; $GrpExists = 0; $GrpError = 0 + +foreach ($Group in $Groups) { + try { + Get-ADGroup -Identity $Group.Name -ErrorAction Stop | Out-Null + Write-Host " [~] Gruppe existiert bereits: $($Group.Name)" -ForegroundColor Gray + $GrpExists++ + } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { + try { + New-ADGroup ` + -Name $Group.Name ` + -SamAccountName $Group.Name ` + -GroupScope Global ` + -GroupCategory Security ` + -Description $Group.Description ` + -Path "OU=Gruppen,$DomainDN" ` + -ErrorAction Stop + Write-Host " [+] Gruppe erstellt: $($Group.Name)" -ForegroundColor Green + $GrpCreated++ + } catch { + Write-Host " [!] 
FEHLER Gruppe '$($Group.Name)': $($_.Exception.Message)" -ForegroundColor Red + $GrpError++ + } + } catch { + try { + New-ADGroup ` + -Name $Group.Name ` + -SamAccountName $Group.Name ` + -GroupScope Global ` + -GroupCategory Security ` + -Description $Group.Description ` + -Path "OU=Gruppen,$DomainDN" ` + -ErrorAction Stop + Write-Host " [+] Gruppe erstellt: $($Group.Name)" -ForegroundColor Green + $GrpCreated++ + } catch { + if ($_.Exception.Message -like "*already exists*" -or $_.Exception.Message -like "*existiert bereits*") { + Write-Host " [~] Gruppe existiert bereits: $($Group.Name)" -ForegroundColor Gray + $GrpExists++ + } else { + Write-Host " [!] FEHLER Gruppe '$($Group.Name)': $($_.Exception.Message)" -ForegroundColor Red + $GrpError++ + } + } + } +} + +# ============================================================ +# 3. BENUTZER +# ============================================================ +Write-Host "`n[3/5] Erstelle Benutzer..." -ForegroundColor Yellow +$Users = @( + # --- Geschäftsführung (1 MA) --- + @{ Vorname="Thomas"; Nachname="Maier"; Abt="Geschaeftsfuehrung"; OU="OU=Geschaeftsfuehrung,$DomainDN"; Gruppen=@("GRP-GF-VOLLZUGRIFF","GRP-GF-VPN","GRP-GF-ERP","GRP-ALL-EMAIL"); Title="Geschäftsführer" }, + # --- Sales / Vertrieb (2 MA) --- + @{ Vorname="Anna"; Nachname="Huber"; Abt="Sales"; OU="OU=Sales,$DomainDN"; Gruppen=@("GRP-SALES-ERP","GRP-SALES-VPN","GRP-SALES-FILES","GRP-ALL-EMAIL"); Title="Vertriebsmitarbeiterin" }, + @{ Vorname="Markus"; Nachname="Reiter"; Abt="Sales"; OU="OU=Sales,$DomainDN"; Gruppen=@("GRP-SALES-ERP","GRP-SALES-VPN","GRP-SALES-FILES","GRP-ALL-EMAIL"); Title="Vertriebsmitarbeiter" }, + # --- Marketing (2 MA) --- + @{ Vorname="Julia"; Nachname="Wagner"; Abt="Marketing"; OU="OU=Marketing,$DomainDN"; Gruppen=@("GRP-MKT-FILES","GRP-ALL-EMAIL"); Title="Marketingmitarbeiterin" }, + @{ Vorname="Stefan"; Nachname="Bauer"; Abt="Marketing"; OU="OU=Marketing,$DomainDN"; Gruppen=@("GRP-MKT-FILES","GRP-ALL-EMAIL"); 
Title="Marketingmitarbeiter" }, + # --- Service / Technik (25 MA) --- + @{ Vorname="Klaus"; Nachname="Schneider"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-SVC-ERP","GRP-ALL-EMAIL"); Title="Techniker" }, + @{ Vorname="Peter"; Nachname="Fischer"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-SVC-ERP","GRP-ALL-EMAIL"); Title="Techniker" }, + @{ Vorname="Michael"; Nachname="Weber"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-SVC-ERP","GRP-ALL-EMAIL"); Title="Techniker" }, + @{ Vorname="Andreas"; Nachname="Müller"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-SVC-ERP","GRP-ALL-EMAIL"); Title="Techniker" }, + @{ Vorname="Christian";Nachname="Schmidt"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-SVC-ERP","GRP-ALL-EMAIL"); Title="Techniker" }, + @{ Vorname="David"; Nachname="Hoffmann"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Felix"; Nachname="Schäfer"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Georg"; Nachname="Koch"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Hans"; Nachname="Becker"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Josef"; Nachname="Wolf"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Karl"; Nachname="Braun"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Leon"; Nachname="Schwarz"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ 
Vorname="Martin"; Nachname="Zimmermann";Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Nico"; Nachname="Krause"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Oliver"; Nachname="Richter"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Paul"; Nachname="Klein"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Robert"; Nachname="Werner"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Simon"; Nachname="Neumann"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Thomas"; Nachname="Lange"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Ulrich"; Nachname="Scholz"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Viktor"; Nachname="Peters"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Walter"; Nachname="Vogel"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Xaver"; Nachname="Keller"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" }, + @{ Vorname="Yannick"; Nachname="Frank"; Abt="Service"; OU="OU=Service,$DomainDN"; Gruppen=@("GRP-SVC-FILES","GRP-ALL-EMAIL"); Title="Servicemitarbeiter" } +) + +$UserCreatedCount = 0; $UserExistsCount = 0; $UserErrorCount = 0 + +foreach ($User in $Users) { + $Sam = 
($User.Vorname + "." + $User.Nachname).ToLower() + $Sam = $Sam -replace "ä","ae" -replace "ö","oe" -replace "ü","ue" -replace "ß","ss" + $UPN = "$Sam@$Domain" + $EmailAddr = "$Sam@$MailDomain" + $UserCreated = $false + + try { + Get-ADUser -Identity $Sam -ErrorAction Stop | Out-Null + Write-Host " [~] User existiert bereits: $Sam" -ForegroundColor Gray + $UserExistsCount++ + $UserCreated = $true + } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { + try { + New-ADUser ` + -SamAccountName $Sam ` + -UserPrincipalName $UPN ` + -GivenName $User.Vorname ` + -Surname $User.Nachname ` + -Name "$($User.Vorname) $($User.Nachname)" ` + -DisplayName "$($User.Vorname) $($User.Nachname)" ` + -Department $User.Abt ` + -Title $User.Title ` + -EmailAddress $EmailAddr ` + -Path $User.OU ` + -AccountPassword $DefaultPW ` + -PasswordNeverExpires $false ` + -ChangePasswordAtLogon $true ` + -Enabled $true ` + -ErrorAction Stop + Write-Host " [+] User erstellt: $Sam ($($User.Abt))" -ForegroundColor Green + $UserCreatedCount++ + $UserCreated = $true + } catch { + Write-Host " [!] FEHLER User '$Sam': $($_.Exception.Message)" -ForegroundColor Red + $UserErrorCount++ + } + } catch { + Write-Host " [!] FEHLER beim Pruefen von User '$Sam': $($_.Exception.Message)" -ForegroundColor Red + $UserErrorCount++ + } + + if ($UserCreated) { + foreach ($Gruppe in $User.Gruppen) { + try { + $UserObj = Get-ADUser -Identity $Sam -ErrorAction Stop + Add-ADGroupMember -Identity $Gruppe -Members $UserObj -ErrorAction Stop + } catch { + if ($_.Exception.Message -like "*already a member*" -or $_.Exception.Message -like "*ist bereits Mitglied*" -or $_.Exception.Message -like "*member already exists*") { + # Stille Warnung + } else { + Write-Warning " Gruppe '$Gruppe' -> '$Sam': $($_.Exception.Message)" + } + } + } + } +} + +# ============================================================ +# 4. 
SERVICE-ACCOUNT FÜR MAILSERVER (LDAP-Bind) +# ============================================================ +Write-Host "`n[4/5] Erstelle Service-Account für Mailserver..." -ForegroundColor Yellow +$SvcSam = "svc-mailserver" +$SvcUPN = "$SvcSam@$Domain" +$SvcPW = ConvertTo-SecureString 'Mail$3rv!ceAcc2026' -AsPlainText -Force + +try { + Get-ADUser -Identity $SvcSam -ErrorAction Stop | Out-Null + Write-Host " [~] Service-Account existiert bereits: $SvcSam" -ForegroundColor Gray +} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { + try { + New-ADUser ` + -SamAccountName $SvcSam ` + -UserPrincipalName $SvcUPN ` + -Name "Mailserver Service Account" ` + -DisplayName "Mailserver Service Account" ` + -Description "Service-Account fuer Docker-Mailserver LDAP-Bind" ` + -Path "OU=Server,$DomainDN" ` + -AccountPassword $SvcPW ` + -PasswordNeverExpires $true ` + -ChangePasswordAtLogon $false ` + -CannotChangePassword $true ` + -Enabled $true ` + -ErrorAction Stop + Write-Host " [+] Service-Account erstellt: $SvcSam" -ForegroundColor Green + } catch { + Write-Host " [!] FEHLER Service-Account '$SvcSam': $($_.Exception.Message)" -ForegroundColor Red + } +} catch { + Write-Host " [!] FEHLER beim Pruefen von Service-Account '$SvcSam': $($_.Exception.Message)" -ForegroundColor Red +} + +# ============================================================ +# 5. GRUPPENRICHTLINIEN (GPOs) +# ============================================================ +Write-Host "`n[5/5] Konfiguriere Gruppenrichtlinien (GPOs)..." 
-ForegroundColor Yellow +$GpoSecurityName = "ByteTrail_Base_Security" +$GpoDrivesName = "ByteTrail_Mapped_Drives" + +# 5.1 Basis-Sicherheit (Domänenweit) +if (!(Get-GPO -Name $GpoSecurityName -ErrorAction SilentlyContinue)) { + try { + $gpoSec = New-GPO -Name $GpoSecurityName -Comment "Basis-Sicherheitsrichtlinien (Bildschirmsperre etc.)" + New-GPLink -Name $GpoSecurityName -Target $DomainDN -LinkEnabled Yes | Out-Null + + # Automatische Bildschirmsperre nach 15 Minuten (900 Sekunden) erzwingen + Set-GPRegistryValue -Name $GpoSecurityName -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaveActive" -Type String -Value "1" | Out-Null + Set-GPRegistryValue -Name $GpoSecurityName -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaverIsSecure" -Type String -Value "1" | Out-Null + Set-GPRegistryValue -Name $GpoSecurityName -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaveTimeOut" -Type String -Value "900" | Out-Null + + Write-Host " [+] GPO '$GpoSecurityName' erstellt, konfiguriert und mit Domäne verknüpft." -ForegroundColor Green + } catch { + Write-Host " [!] Fehler bei GPO '$GpoSecurityName': $($_.Exception.Message)" -ForegroundColor Red + } +} else { + Write-Host " [~] GPO '$GpoSecurityName' existiert bereits." 
-ForegroundColor Gray +} + +# 5.2 Netzlaufwerke GPO-Hülle (Verknüpft mit allen relevanten OUs) +if (!(Get-GPO -Name $GpoDrivesName -ErrorAction SilentlyContinue)) { + try { + New-GPO -Name $GpoDrivesName -Comment "Automatische Netzlaufwerk-Zuweisungen fuer Fachabteilungen" | Out-Null + + # Mit den OUs aus Skript 1 verknüpfen + New-GPLink -Name $GpoDrivesName -Target "OU=Geschaeftsfuehrung,$DomainDN" -LinkEnabled Yes | Out-Null + New-GPLink -Name $GpoDrivesName -Target "OU=Sales,$DomainDN" -LinkEnabled Yes | Out-Null + New-GPLink -Name $GpoDrivesName -Target "OU=Marketing,$DomainDN" -LinkEnabled Yes | Out-Null + New-GPLink -Name $GpoDrivesName -Target "OU=Service,$DomainDN" -LinkEnabled Yes | Out-Null + + Write-Host " [+] GPO '$GpoDrivesName' erstellt und mit OUs verknüpft." -ForegroundColor Green + } catch { + Write-Host " [!] Fehler bei GPO '$GpoDrivesName': $($_.Exception.Message)" -ForegroundColor Red + } +} else { + Write-Host " [~] GPO '$GpoDrivesName' existiert bereits." -ForegroundColor Gray +} + +# ============================================================ +# ZUSAMMENFASSUNG +# ============================================================ +Write-Host "`n=== Setup abgeschlossen ===" -ForegroundColor Cyan +Write-Host "OUs: $OUCreated neu, $OUExists vorhanden, $OUError Fehler" -ForegroundColor White +Write-Host "Gruppen: $GrpCreated neu, $GrpExists vorhanden, $GrpError Fehler" -ForegroundColor White +Write-Host "User: $UserCreatedCount neu erstellt, $UserExistsCount bereits vorhanden, $UserErrorCount Fehler (+ 1 Service-Account)" -ForegroundColor White +Write-Host "GPOs: Erstellt und verknuepft (Sicherheit & Laufwerke)" -ForegroundColor White +Write-Host "`nStandard-Passwort User: ByteTrail2026! 
(Benutzer muessen es beim ersten Login aendern)" -ForegroundColor Yellow
+Write-Host "Service-Account Mailserver: $SvcSam / Mail`$3rv!ceAcc2026" -ForegroundColor Yellow
+Write-Host "Mail-Domain: $MailDomain" -ForegroundColor White
+Write-Host "AD-Domaene: $Domain" -ForegroundColor White
+Write-Host ""
\ No newline at end of file
diff --git a/PPIT_output.mp4 b/PPIT_output.mp4
new file mode 100644
index 0000000..9eda500
--- /dev/null
+++ b/PPIT_output.mp4
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:76d22899e50e0864a2b4b2cbe6bf4d5c226151bb22fc01ef43d8faf8d1ba4d6d
+size 42362931
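Review bot: The hunk commits two plaintext credentials to the repository, `$DefaultPW = ConvertTo-SecureString "ByteTrail2026!" -AsPlainText -Force` in the KONFIGURATION region and `$SvcPW = ConvertTo-SecureString 'Mail$3rv!ceAcc2026' -AsPlainText -Force` in step 4, and the ZUSAMMENFASSUNG block then prints the service-account password to the console, where any transcript or CI log captures it. The user default is mitigated by `-ChangePasswordAtLogon $true`, but `svc-mailserver` is created with `-PasswordNeverExpires $true -CannotChangePassword $true`, so the value now in git history is the long-lived LDAP bind secret. Prompt for it instead, `$SvcPW = Read-Host -Prompt "Passwort fuer $SvcSam" -AsSecureString`, drop the `Write-Host "Service-Account Mailserver: ..."` line, and treat the committed value as needing rotation. Minor: the outer `catch` blocks in steps 1–3 duplicate the creation code of the `ADIdentityNotFoundException` branch line for line; a single existence lookup with `-Filter` followed by one create path would halve each block and remove the string-matching on localized "already exists" messages.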