# ============================================================
# ByteTrail GmbH Active Directory Setup Script
# Domäne: bytetrail.local
# Erstellt: Team 3 VZ | FH Burgenland | SS 2026
# Ausführen auf: SRV-DC01 als Domain Admin
# ============================================================
#region CONFIGURATION
# Central settings used by every section below.
#   $Domain     - DNS name of the AD domain, passed as -Server to every AD cmdlet
#   $DomainDN   - distinguished name of the domain root; OUs are created directly under it
#   $MailDomain - domain part of the users' e-mail addresses (differs from the AD domain)
#   $DefaultPW  - initial password for every user created in section 3
# NOTE(review): the initial password is embedded in the script (and therefore in the
# repository). Every account created here starts with this one shared value; it is only
# neutralised once -ChangePasswordAtLogon has been honoured by the first logon.
$Domain     = 'bytetrail.local'
$DomainDN   = 'DC=bytetrail,DC=local'
$MailDomain = 'byte.trail'
$DefaultPW  = ConvertTo-SecureString -String 'ByteTrail2026!' -AsPlainText -Force
#endregion
Write-Host "`n=== ByteTrail AD Setup gestartet ===" -ForegroundColor Cyan
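# ============================================================
# 1. OU STRUCTURE
# ============================================================
# Creates the top-level OUs directly under the domain root. OUs that already
# exist are left untouched; a failed creation is reported but does not abort
# the script (later sections then report their own errors for that OU).
Write-Host "`n[1/4] Erstelle OU-Struktur..." -ForegroundColor Yellow
$OUs = @(
    "OU=Geschaeftsfuehrung,$DomainDN",
    "OU=Sales,$DomainDN",
    "OU=Marketing,$DomainDN",
    "OU=Service,$DomainDN",
    "OU=Server,$DomainDN",
    "OU=Gruppen,$DomainDN"
)
foreach ($OU in $OUs) {
    # Leaf name = first RDN of the DN without its "OU=" prefix.
    $OUName = ($OU -split ",")[0] -replace "^OU=", ""
    $needsCreate = $false
    try {
        # Result is not needed; only the existence check matters.
        $null = Get-ADOrganizationalUnit -Identity $OU -Server $Domain -ErrorAction Stop
        Write-Host " [~] OU existiert bereits: $OUName" -ForegroundColor Gray
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $needsCreate = $true
    } catch {
        # Any other lookup error (e.g. DC not reachable, permission problem) is
        # surfaced instead of being swallowed; creation is still attempted so a
        # transient error during the check does not leave the OU missing.
        Write-Host " [!] Warnung beim Pruefen von OU '$OUName': $_" -ForegroundColor Yellow
        $needsCreate = $true
    }
    if (-not $needsCreate) { continue }
    try {
        # ProtectedFromAccidentalDeletion denies plain delete/move of the OU.
        New-ADOrganizationalUnit -Name $OUName -Path $DomainDN -ProtectedFromAccidentalDeletion $true -Server $Domain -ErrorAction Stop
        Write-Host " [+] OU erstellt: $OUName" -ForegroundColor Green
    } catch {
        Write-Host " [!] FEHLER beim Erstellen von OU '$OUName': $_" -ForegroundColor Red
    }
}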
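# ============================================================
# 2. AD GROUPS
# ============================================================
# Global security groups placed in OU=Gruppen. Existing groups are kept as-is
# (their description is not updated); a failed creation is reported only.
Write-Host "`n[2/4] Erstelle AD-Gruppen..." -ForegroundColor Yellow
$Groups = @(
    @{ Name = 'GRP-GF-VOLLZUGRIFF'; Description = 'Geschaeftsfuehrung - Vollzugriff' }
    @{ Name = 'GRP-GF-VPN'; Description = 'Geschaeftsfuehrung - VPN-Zugang' }
    @{ Name = 'GRP-GF-ERP'; Description = 'Geschaeftsfuehrung - ERP-Zugriff' }
    @{ Name = 'GRP-SALES-ERP'; Description = 'Sales - ERP-Zugriff' }
    @{ Name = 'GRP-SALES-VPN'; Description = 'Sales - VPN-Zugang' }
    @{ Name = 'GRP-SALES-FILES'; Description = 'Sales - Dateifreigabe' }
    @{ Name = 'GRP-MKT-FILES'; Description = 'Marketing - Dateifreigabe' }
    @{ Name = 'GRP-SVC-FILES'; Description = 'Service/Technik - Dateifreigabe' }
    @{ Name = 'GRP-SVC-ERP'; Description = 'Service/Technik - ERP-Zugriff (tlw.)' }
    @{ Name = 'GRP-ALL-EMAIL'; Description = 'Alle Mitarbeiter - E-Mail' }
    @{ Name = 'GRP-ADMINS'; Description = 'IT-Administratoren' }
)
foreach ($Group in $Groups) {
    $needsCreate = $false
    try {
        # Existence check only; the object itself is not used.
        $null = Get-ADGroup -Identity $Group.Name -Server $Domain -ErrorAction Stop
        Write-Host " [~] Gruppe existiert bereits: $($Group.Name)" -ForegroundColor Gray
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $needsCreate = $true
    } catch {
        # Report unexpected lookup errors instead of hiding them, then still try
        # to create so a transient error does not leave the group missing.
        Write-Host " [!] Warnung beim Pruefen von Gruppe '$($Group.Name)': $_" -ForegroundColor Yellow
        $needsCreate = $true
    }
    if (-not $needsCreate) { continue }
    try {
        $GroupParams = @{
            Name           = $Group.Name
            SamAccountName = $Group.Name
            GroupScope     = 'Global'
            GroupCategory  = 'Security'
            Description    = $Group.Description
            Path           = "OU=Gruppen,$DomainDN"
            Server         = $Domain
            ErrorAction    = 'Stop'
        }
        New-ADGroup @GroupParams
        Write-Host " [+] Gruppe erstellt: $($Group.Name)" -ForegroundColor Green
    } catch {
        Write-Host " [!] FEHLER beim Erstellen von Gruppe '$($Group.Name)': $_" -ForegroundColor Red
    }
}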
# ============================================================
# 3. USERS
# ============================================================
Write-Host "`n[3/4] Erstelle Benutzer..." -ForegroundColor Yellow
# Each user entry is a hashtable with the keys
#   Vorname, Nachname - given name / surname (umlauts allowed; section 3's loop transliterates
#                       them for the logon name)
#   Abt               - department; also the name of the target OU
#   OU                - distinguished name of the OU the account is created in
#   Gruppen           - group names the account is added to
#   Title             - job title
# Builds one user entry so every department uses the identical hashtable layout.
function New-UserEntry {
    param(
        [string]$Vorname,
        [string]$Nachname,
        [string]$Abt,
        [string[]]$Gruppen,
        [string]$Title
    )
    return @{
        Vorname  = $Vorname
        Nachname = $Nachname
        Abt      = $Abt
        OU       = "OU=$Abt,$DomainDN"
        Gruppen  = $Gruppen
        Title    = $Title
    }
}
# Group sets per role.
$GfGroups     = @("GRP-GF-VOLLZUGRIFF","GRP-GF-VPN","GRP-GF-ERP","GRP-ALL-EMAIL")
$SalesGroups  = @("GRP-SALES-ERP","GRP-SALES-VPN","GRP-SALES-FILES","GRP-ALL-EMAIL")
$MktGroups    = @("GRP-MKT-FILES","GRP-ALL-EMAIL")
$SvcErpGroups = @("GRP-SVC-FILES","GRP-SVC-ERP","GRP-ALL-EMAIL")
$SvcGroups    = @("GRP-SVC-FILES","GRP-ALL-EMAIL")
# Service / Technik staff as "Vorname Nachname"; technicians with ERP access first.
$SvcErpNames = @(
    "Klaus Schneider", "Peter Fischer", "Michael Weber", "Andreas Müller", "Christian Schmidt"
)
# NOTE(review): the original list was labelled "20 MA" but contains 19 entries — confirm
# whether one employee is missing.
$SvcNames = @(
    "David Hoffmann", "Felix Schäfer", "Georg Koch", "Hans Becker", "Josef Wolf",
    "Karl Braun", "Leon Schwarz", "Martin Zimmermann", "Nico Krause", "Oliver Richter",
    "Paul Klein", "Robert Werner", "Simon Neumann", "Thomas Lange", "Ulrich Scholz",
    "Viktor Peters", "Walter Vogel", "Xaver Keller", "Yannick Frank"
)
$Users = @(
    # --- Geschaeftsfuehrung (1) ---
    New-UserEntry -Vorname "Thomas" -Nachname "Maier" -Abt "Geschaeftsfuehrung" -Gruppen $GfGroups -Title "Geschäftsführer"
    # --- Sales / Vertrieb (2) ---
    New-UserEntry -Vorname "Anna" -Nachname "Huber" -Abt "Sales" -Gruppen $SalesGroups -Title "Vertriebsmitarbeiterin"
    New-UserEntry -Vorname "Markus" -Nachname "Reiter" -Abt "Sales" -Gruppen $SalesGroups -Title "Vertriebsmitarbeiter"
    # --- Marketing (2) ---
    New-UserEntry -Vorname "Julia" -Nachname "Wagner" -Abt "Marketing" -Gruppen $MktGroups -Title "Marketingmitarbeiterin"
    New-UserEntry -Vorname "Stefan" -Nachname "Bauer" -Abt "Marketing" -Gruppen $MktGroups -Title "Marketingmitarbeiter"
    # --- Service / Technik: technicians with ERP access ---
    foreach ($FullName in $SvcErpNames) {
        $Parts = $FullName -split ' ', 2
        New-UserEntry -Vorname $Parts[0] -Nachname $Parts[1] -Abt "Service" -Gruppen $SvcErpGroups -Title "Techniker"
    }
    # --- Service / Technik: service staff without ERP access ---
    foreach ($FullName in $SvcNames) {
        $Parts = $FullName -split ' ', 2
        New-UserEntry -Vorname $Parts[0] -Nachname $Parts[1] -Abt "Service" -Gruppen $SvcGroups -Title "Servicemitarbeiter"
    }
)
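$UserCreatedCount = 0
$UserExistsCount = 0
$UserErrorCount = 0
foreach ($User in $Users) {
    # Logon name: vorname.nachname, lower-cased with German umlauts transliterated so
    # sAMAccountName and UPN stay ASCII. Invariant lower-casing avoids culture-specific
    # casing rules on the admin's session.
    $Sam = ($User.Vorname + "." + $User.Nachname).ToLowerInvariant()
    $Sam = $Sam -replace "ä","ae" -replace "ö","oe" -replace "ü","ue" -replace "ß","ss"
    $UPN = "$Sam@$Domain"
    $EmailAddr = "$Sam@$MailDomain"
    # Becomes true once the account is known to exist (pre-existing or just created);
    # group memberships are only applied in that case.
    $AccountReady = $false
    try {
        # Existence check only.
        $null = Get-ADUser -Identity $Sam -Server $Domain -ErrorAction Stop
        Write-Host " [~] User existiert bereits: $Sam" -ForegroundColor Gray
        $UserExistsCount++
        $AccountReady = $true
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        try {
            # Every user starts with the shared initial password $DefaultPW and must change
            # it at first logon. Until that first logon anyone who knows the initial value
            # can authenticate as the account, so accounts should be handed over promptly.
            $NewUserParams = @{
                SamAccountName        = $Sam
                UserPrincipalName     = $UPN
                GivenName             = $User.Vorname
                Surname               = $User.Nachname
                Name                  = "$($User.Vorname) $($User.Nachname)"
                DisplayName           = "$($User.Vorname) $($User.Nachname)"
                Department            = $User.Abt
                Title                 = $User.Title
                EmailAddress          = $EmailAddr
                Path                  = $User.OU
                AccountPassword       = $DefaultPW
                PasswordNeverExpires  = $false
                ChangePasswordAtLogon = $true
                Enabled               = $true
                Server                = $Domain
                ErrorAction           = 'Stop'
            }
            New-ADUser @NewUserParams
            Write-Host " [+] User erstellt: $Sam ($($User.Abt))" -ForegroundColor Green
            $UserCreatedCount++
            $AccountReady = $true
        } catch {
            Write-Host " [!] FEHLER beim Erstellen von User '$Sam': $_" -ForegroundColor Red
            $UserErrorCount++
        }
    } catch {
        Write-Host " [!] FEHLER beim Pruefen von User '$Sam': $_" -ForegroundColor Red
        $UserErrorCount++
    }
    if (-not $AccountReady) { continue }

    # Read the current memberships (group DNs) once, so re-runs skip groups the user is
    # already in instead of relying on a localized "already a member" error text.
    $MemberOf = @()
    try {
        $MemberOf = @((Get-ADUser -Identity $Sam -Properties MemberOf -Server $Domain -ErrorAction Stop).MemberOf)
    } catch {
        Write-Warning " Gruppenmitgliedschaften von '$Sam' konnten nicht gelesen werden: $_"
    }
    foreach ($Gruppe in $User.Gruppen) {
        try {
            $GroupDN = (Get-ADGroup -Identity $Gruppe -Server $Domain -ErrorAction Stop).DistinguishedName
            if ($MemberOf -contains $GroupDN) { continue }
            Add-ADGroupMember -Identity $Gruppe -Members $Sam -Server $Domain -ErrorAction Stop
        } catch {
            # Fallback for the case where the MemberOf lookup above failed: a duplicate
            # membership is harmless on re-runs and must not be reported as an error.
            if ($_.Exception.Message -like "*already a member*" -or $_.Exception.Message -like "*ist bereits Mitglied*") { continue }
            Write-Warning " Gruppe '$Gruppe' konnte nicht zugewiesen werden: $_"
        }
    }
}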
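# ============================================================
# 4. SERVICE ACCOUNT FOR THE MAIL SERVER (LDAP bind)
# ============================================================
# Plain user account the mail server uses for LDAP bind only. It is added to no
# groups. Its password never expires and cannot be changed by the account itself,
# so rotation is a manual admin step; a gMSA would remove that burden if the mail
# server supported it.
# NOTE(review): the bind password is embedded in this script (and therefore in the
# repository); treat the file as secret or move the value out of the script.
Write-Host "`n[4/4] Erstelle Service-Account für Mailserver..." -ForegroundColor Yellow
$SvcSam = "svc-mailserver"
$SvcUPN = "$SvcSam@$Domain"
$SvcPW = ConvertTo-SecureString 'Mail$3rv!ceAcc2026' -AsPlainText -Force
try {
    # Existence check only.
    $null = Get-ADUser -Identity $SvcSam -Server $Domain -ErrorAction Stop
    Write-Host " [~] Service-Account existiert bereits: $SvcSam" -ForegroundColor Gray
} catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    try {
        $SvcParams = @{
            SamAccountName        = $SvcSam
            UserPrincipalName     = $SvcUPN
            Name                  = "Mailserver Service Account"
            DisplayName           = "Mailserver Service Account"
            Description           = "Service-Account fuer Docker-Mailserver LDAP-Bind"
            Path                  = "OU=Server,$DomainDN"
            AccountPassword       = $SvcPW
            PasswordNeverExpires  = $true
            ChangePasswordAtLogon = $false
            CannotChangePassword  = $true
            # The account only binds to LDAP; mark it "sensitive and cannot be delegated"
            # so its credential cannot be reused via Kerberos delegation by other services.
            AccountNotDelegated   = $true
            Enabled               = $true
            Server                = $Domain
            ErrorAction           = 'Stop'
        }
        New-ADUser @SvcParams
        Write-Host " [+] Service-Account erstellt: $SvcSam" -ForegroundColor Green
    } catch {
        Write-Host " [!] FEHLER beim Erstellen von Service-Account '$SvcSam': $_" -ForegroundColor Red
    }
} catch {
    Write-Host " [!] FEHLER beim Pruefen von Service-Account '$SvcSam': $_" -ForegroundColor Red
}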
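# ============================================================
# SUMMARY
# ============================================================
# Counts for OUs and groups are the configured totals, not the number newly created;
# the user line distinguishes created / pre-existing / failed.
Write-Host "`n=== Setup abgeschlossen ===" -ForegroundColor Cyan
Write-Host "OUs: $($OUs.Count) konfiguriert" -ForegroundColor White
Write-Host "Gruppen: $($Groups.Count) konfiguriert" -ForegroundColor White
Write-Host "User: $UserCreatedCount neu erstellt, $UserExistsCount bereits vorhanden, $UserErrorCount Fehler (+ 1 Service-Account)" -ForegroundColor White
# The passwords are deliberately not echoed: console output ends up in transcripts,
# CI logs and screenshots. Both values are defined in this script (configuration
# section and section 4).
Write-Host "`nStandard-Passwort User: siehe Konfigurationsabschnitt im Skript (Benutzer muessen es beim ersten Login aendern)" -ForegroundColor Yellow
Write-Host "Service-Account Mailserver: $SvcSam (Passwort siehe Abschnitt 4 im Skript)" -ForegroundColor Yellow
Write-Host "Mail-Domain: $MailDomain" -ForegroundColor White
Write-Host "AD-Domaene: $Domain" -ForegroundColor White
Write-Host ""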