diff --git a/ad-init.ps1 b/ad-init.ps1
index 180199e..56531f9 100755
--- a/ad-init.ps1
+++ b/ad-init.ps1
@@ -1,7 +1,21 @@
+if (-not (Get-WindowsFeature -Name DNS).Installed) {
+ Write-Host "Le role DNS n'est pas installer." -ForegroundColor Red
+ Install-WindowsFeature -Name DNS -IncludeManagementTools
+}
+
+
+
+if (-not (Get-WindowsFeature -Name AD-Domain-Services).Installed) {
+ Write-Host "Le role AD DS n'est pas installer." -ForegroundColor Red
+ Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
+}
+
+
+
+
 # Vérifie si le rôle AD DS est installé
 if (-not (Get-WindowsFeature -Name AD-Domain-Services).Installed) {
 Write-Host "Le role AD DS n'est pas installer." -ForegroundColor Red
- exit
 }
 # Collecte les informations de l'utilisateur
@@ -41,3 +55,8 @@ Install-ADDSForest `
 -Force:$true `
 -SafeModeAdministratorPassword $dsrmPwd
+Write-Output "DomainName : $domain"
+Write-Output "DomainNetbiosName : $netbios"
+Write-Output "ReplicationSourceDC : $domaine"
+Write-Output "SafeModePwd : $dsrmPwd"
+
diff --git a/ad-portcheck.ps1 b/ad-portcheck.ps1
new file mode 100755
index 0000000..0bc9f2b
--- /dev/null
+++ b/ad-portcheck.ps1
@@ -0,0 +1,25 @@
+# IP ou nom DNS du contrôleur de domaine principal
+$dc = Read-Host "Nom ou IP du controleur de domaine principal"
+
+# Liste des ports nécessaires à AD
+$ports = @(
+ 53, # DNS
+ 88, # Kerberos
+ 135, # RPC Endpoint Mapper
+ 389, # LDAP
+ 445, # SMB
+ 3268, # LDAP Global Catalog
+ 3269, # LDAP GC over SSL
+ 636, # LDAPS
+ 9389 # AD Web Services
+)
+
+# Fonction de test
+foreach ($port in $ports) {
+ $result = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
+ if ($result.TcpTestSucceeded) {
+ Write-Host "Port $port ouvert vers $dc" -ForegroundColor Green
+ } else {
+ Write-Host "Port $port fermé ou filtré vers $dc" -ForegroundColor Red
+ }
+}
diff --git a/ad-slave-init.ps1 b/ad-slave-init.ps1
new file mode 100755
index 0000000..6bafc35
--- /dev/null
+++ b/ad-slave-init.ps1
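Review bot: With `exit` removed from the pre-existing `if (-not (Get-WindowsFeature -Name AD-Domain-Services).Installed)` branch, that check is now a duplicate of the new install block and no longer stops the script: when Install-WindowsFeature fails, the message is printed and execution continues towards the forest promotion further down the file. Install-WindowsFeature returns a result object, so the new block can stop on failure instead, `if (-not (Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools).Success) { exit 1 }`, and the DNS block at the top of the hunk can do the same. The "n'est pas installer" message is also printed just before the role gets installed, so it reads as an error where it is really a progress note. The rest of the script, including the Install-ADDSForest call, is outside this hunk.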
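Review bot: `Write-Output "SafeModePwd : $dsrmPwd"` writes the DSRM recovery password to stdout, where it ends up in any transcript, redirected log or CI output; that line should simply be dropped. If `$dsrmPwd` is the SecureString passed to `-SafeModeAdministratorPassword` on the context line just above, string interpolation prints `System.Security.SecureString` rather than the value, which makes the line useless as well as risky. `ReplicationSourceDC : $domaine` also looks like a typo for the `$domain` used two lines earlier and would print an empty value; the assignments are outside this hunk, so worth confirming there.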
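Review bot: `Test-NetConnection -Port` only attempts a TCP connect, so the loop says nothing about the UDP side of DNS (53) and Kerberos (88), and the list omits 464 (Kerberos password change) and the dynamic RPC port range that the 135 endpoint mapper hands out, so an all-green run does not prove that AD traffic will work. A header comment such as `# TCP uniquement : Test-NetConnection ne teste ni l'UDP (53/88) ni la plage RPC dynamique` would keep the result from being over-read. The `# Fonction de test` comment labels a foreach loop rather than a function; `# Test de chaque port` describes what follows.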
@@ -0,0 +1,32 @@
+
+#$config = Get-Content -Raw -Path ".\config.json" | ConvertFrom-Json
+
+if (-not (Get-WindowsFeature -Name AD-Domain-Services).Installed) {
+ Write-Host "Le role AD DS n'est pas installer." -ForegroundColor Red
+ Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
+}
+
+
+if (-not (Get-WindowsFeature -Name DNS).Installed) {
+ Write-Host "Le role DNS n'est pas installer." -ForegroundColor Red
+ Install-WindowsFeature -Name DNS -IncludeManagementTools
+}
+
+
+$dom = Read-Host "Domain Parent (nom.local) "
+#$net = Read-Host "Nom NetBIOS "
+$pwdsafe = Read-Host "DSRM password " -AsSecureString
+$creds = Get-Credential
+
+Install-ADDSDomainController `
+ -DomainName $dom `
+ -SafeModeAdministratorPassword $pwdsafe `
+ -Credential $creds `
+ -InstallDNS $true `
+ -DatabasePath "C:\Windows\NTDS" `
+ -LogPath "C:\Windows\NTDS" `
+ -SYSVOLPath "C:\Windows\SYSVOL" `
+ -ReplicationSourceDC $dom `
+ -NoRebootOnCompletion $false `
+ -Force $true
+
diff --git a/computer-add.ps1 b/computer-add.ps1
new file mode 100755
index 0000000..646fbe4
--- /dev/null
+++ b/computer-add.ps1
@@ -0,0 +1,7 @@
+$login = Read-Host "Login (Sam)"
+$dom1 = Read-Host "domaine avant le ."
+$dom2 = Read-Host "domaine apres le ."
+
+Add-Computer -DonnainName "$dom1.$dom2" -Credentia1 $dom1\$login -Restart -Force
+
+Get-ADComputer -Identity "$login"
diff --git a/dhcpsrv-init.ps1 b/dhcpsrv-init.ps1
new file mode 100755
index 0000000..7a36d47
--- /dev/null
+++ b/dhcpsrv-init.ps1
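Review bot: `-InstallDNS $true`, `-NoRebootOnCompletion $false` and `-Force $true` put a value after a switch parameter, so Install-ADDSDomainController takes `$true`/`$false` as a stray positional argument and the promotion fails before it starts; the switch form is `-InstallDNS:$true`, `-NoRebootOnCompletion:$false` and `-Force:$true`, which ad-init.ps1 already uses. `-ReplicationSourceDC $dom` passes the parent domain name where the FQDN of an existing domain controller is expected, so it needs its own Read-Host rather than reusing `$dom`. `-Force` also suppresses the confirmation on a domain-controller promotion, which deserves a one-line comment in an interactive script; `Get-Credential` without a `-Message` gives the operator no hint which account (a Domain Admins member) is being asked for.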
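Review bot: `-DonnainName` and `-Credentia1` are misspellings of `-DomainName` and `-Credential`, so Add-Computer fails with a parameter-not-found error and the machine is never joined. `$dom1\$login` works as a bare username (Add-Computer then prompts for the password), but quoting it as `"$dom1\$login"` makes that intent visible. `Get-ADComputer -Identity "$login"` then looks up the user's login rather than a computer name, and it runs after `-Restart` has already been requested, so it is unlikely to produce anything useful.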
@@ -0,0 +1,15 @@
+if (-not (Get-WindowsFeature -Name DHCP).Installed) {
+ Write-Host "Le role DHCP n'est pas installer." -ForegroundColor Red
+ Install-WindowsFeature -Name DHCP -IncludeManagementTools
+ $pool = Read-Host "Nom de la pool "
+ $net = Read-Host "Network (en .0)"
+ $start = Read-Host "Start du Dhcp "
+ $end = Read-Host "Fin du Dhcp "
+ $subnet = Read-Host "Masque de sous reseaux "
+ $gateway = Read-Host "Gateway "
+ $dns = Read-Host "DNS "
+Add-DhcpServerv4Scope -Name $pool -StartRange $start -EndRange $end -SubnetMask $subnet -State Active
+ Set-DhcpServerv4OptionValue -ScopeId $net -Router $gateway -DnsServer $dns
+ Get-Service dhcpserver
+}
+
diff --git a/dns-patch.ps1 b/dns-patch.ps1
new file mode 100755
index 0000000..b32a9cd
--- /dev/null
+++ b/dns-patch.ps1
@@ -0,0 +1 @@
+Set-DhcpServerv4OptionValue -DnsServer 1.1.1.1
diff --git a/gpo-init.ps1 b/gpo-init.ps1
new file mode 100755
index 0000000..b796ad8
--- /dev/null
+++ b/gpo-init.ps1
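Review bot: Nothing in the hunk authorizes the new server in Active Directory (`Add-DhcpServerInDC`), so on a domain the service will exist with a scope but will not hand out leases, which is the rogue-DHCP protection doing its job; the script should either call it after the scope is created or say in a comment that authorization is a separate manual step. The scope and option setup also sit inside the `if`, so they are skipped entirely when the DHCP role was already installed, which makes the script a no-op on a second run. `Set-DhcpServerv4OptionValue -ScopeId $net` expects the scope's network address, so naming the prompt `"Adresse reseau du scope (ex. 192.168.1.0) "` would make the expected input clearer; the `Add-DhcpServerv4Scope` line is also the only one in the block without indentation.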
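Review bot: `Set-DhcpServerv4OptionValue -DnsServer 1.1.1.1` has no `-ScopeId`, so it sets the server-wide DNS option and every DHCP client is pointed at a public resolver; domain-joined clients then cannot resolve the `_ldap._tcp` and `_kerberos._tcp` SRV records that only the domain's own DNS serves, and logon, GPO processing and domain join break. A public resolver belongs as a forwarder on the DC's DNS server (`Add-DnsServerForwarder -IPAddress 1.1.1.1`), not in the DHCP DNS option, and a one-line comment should state which of the two this "patch" is meant to do.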
@@ -0,0 +1,42 @@
+Import-Module GroupPolicy
+
+$Dom = Read-Host "Nom du domain (sans .local): "
+$Ou = Read-Host "Nom de la nouvelle OU : "
+New-ADOrganizationalUnit -Name "$Ou" -Path "DC=$Dom,DC=local"
+# Nom de la GPO
+$ouTarget = "OU=Postes,DC=$Dom,DC=local"
+$gpoName = "Securite - Verrouillage postes"
+# Créer la GPO
+New-GPO -Name "Securite - Verrouillage postes" -Comment "Renforcement securite poste utilisateur" | New-GPLink -Target $ouTarget -LinkEnabled Yes
+
+# -----------------------
+# PARAMÈTRES GPO APPLIQUÉS
+# -----------------------
+
+# 1. Verrouillage du panneau de configuration
+Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoControlPanel" -Type DWord -Value 1
+
+# 2. Verrouillage CMD & PowerShell
+Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Policies\Microsoft\Windows\System" -ValueName "DisableCMD" -Type DWord -Value 1
+Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Policies\Microsoft\Windows\PowerShell" -ValueName "EnableScripts" -Type DWord -Value 0
+
+# 3. Désactivation du hash LAN Manager
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "NoLMHash" -Type DWord -Value 1
+
+# 4. Désactiver installation sans mot de passe admin
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\Software\Policies\Microsoft\Windows\Installer" -ValueName "DisableMSI" -Type DWord -Value 1
+
+# 5. Désactivation du compte invité
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\SAM\SAM\Domains\Account\Users\Names\Guest" -ValueName "Enabled" -Type DWord -Value 0
+
+# 6. Politique de mot de passe (complexité et longueur)
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "PasswordComplexity" -Type DWord -Value 1
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "MinimumPasswordLength" -Type DWord -Value 10
+
+# 7. Expiration du mot de passe (90 jours)
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -ValueName "MaximumPasswordAge" -Type DWord -Value 90
+
+# 8. Blocage énumération SID anonymes
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "RestrictAnonymousSAM" -Type DWord -Value 1
+
+Write-Host "GPO '$gpoName' crer et lie a $ouTarget"
diff --git a/gpo-secu.ps1 b/gpo-secu.ps1
new file mode 100644
index 0000000..bcc45a6
--- /dev/null
+++ b/gpo-secu.ps1
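Review bot: Items 6 and 7 write `PasswordComplexity`, `MinimumPasswordLength` and `MaximumPasswordAge` as plain registry values, but the domain password policy is not read from the Lsa key, and `Netlogon\Parameters\MaximumPasswordAge` controls the machine account password rotation rather than user passwords, so these lines enforce nothing while the closing Write-Host reports the GPO as applied; gpo-secu.ps1 carries the same lines. The domain-wide policy is set with `Set-ADDefaultDomainPasswordPolicy -Identity "$Dom.local" -ComplexityEnabled $true -MinPasswordLength 10 -MaxPasswordAge 90.00:00:00`. Item 5 targets `HKLM\SAM\SAM`, which a registry-preference GPO cannot manage either; the domain Guest account is disabled with `Disable-ADAccount -Identity Guest` and local Guest accounts through the "Accounts: Guest account status" security option. Separately, the script creates the OU named in `$Ou` but links the GPO to the fixed `OU=Postes`, so the OU it just created receives no policy unless the operator typed exactly that name.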
@@ -0,0 +1,43 @@
+Import-Module GroupPolicy
+
+# Nom de la GPO
+$gpoName = "Sécurité - Verrouillage postes"
+$ouTarget = "OU=Postes,DC=tondomaine,DC=local" # <- À ADAPTER
+
+# Créer la GPO
+$gpo = New-GPO -Name $gpoName -Comment "Renforcement sécurité poste utilisateur"
+
+# Lier à l'OU
+New-GPLink -Name $gpo.DisplayName -Target $ouTarget
+
+# ------------------------
+# PARAMÈTRES GPO APPLIQUÉS
+# ------------------------
+
+# 1. Verrouillage du panneau de configuration
+Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoControlPanel" -Type DWord -Value 1
+
+# 2. Verrouillage CMD & PowerShell
+Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Policies\Microsoft\Windows\System" -ValueName "DisableCMD" -Type DWord -Value 1
+Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Policies\Microsoft\Windows\PowerShell" -ValueName "EnableScripts" -Type DWord -Value 0
+
+# 3. Désactivation du hash LAN Manager
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "NoLMHash" -Type DWord -Value 1
+
+# 4. Désactiver installation sans mot de passe admin
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\Software\Policies\Microsoft\Windows\Installer" -ValueName "DisableMSI" -Type DWord -Value 1
+
+# 5. Désactivation du compte invité
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\SAM\SAM\Domains\Account\Users\Names\Guest" -ValueName "Enabled" -Type DWord -Value 0
+
+# 6. Politique de mot de passe (complexité et longueur)
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "PasswordComplexity" -Type DWord -Value 1
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "MinimumPasswordLength" -Type DWord -Value 10
+
+# 7. Expiration du mot de passe (90 jours)
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -ValueName "MaximumPasswordAge" -Type DWord -Value 90
+
+# 8. Blocage énumération SID anonymes
+Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "RestrictAnonymousSAM" -Type DWord -Value 1
+
+Write-Host "GPO '$gpoName' créée et liée à $ouTarget"
diff --git a/group-add.ps1 b/group-add.ps1
new file mode 100755
index 0000000..137f6c0
--- /dev/null
+++ b/group-add.ps1
@@ -0,0 +1,21 @@
+$group = Read-Host "Group Name "
+$Ou = Read-Host "OU= "
+#pitié pas le fonction de découpage
+$dom1 = Read-Host "domaine avant le ."
+$dom2 = Read-Host "domaine apres le ."
+
+Write-Host "Creation du groupe $group"
+New-ADGroup -Name $group -GroupScope Global -Path "OU=$Ou,DC=$dom1,DC=$dom2"
+Get-ADGroupMember -Identity "$group"
+
+
+$answ = Read-Host "Lier a un user existant ? (y/n) "
+$login = Read-Host "Login (Sam) "
+
+if ($answ -eq "y") {
+ Add-ADGroupMember -Identity "$group" -Members "$login"
+ Get-ADGroupMember -Identity "$group"
+} else {
+ exit
+}
+
diff --git a/user-add.ps1 b/user-add.ps1
new file mode 100755
index 0000000..fe5feb2
--- /dev/null
+++ b/user-add.ps1
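Review bot: `$login = Read-Host "Login (Sam) "` runs before `$answ` is examined, so the operator is prompted for a login even after answering `n`; move that line inside the `if ($answ -eq "y")` branch, and the `else { exit }` arm can go because the script ends there anyway. user-add.ps1 has the same ordering with its `$group` prompt. The `Get-ADGroupMember` call straight after `New-ADGroup` lists an empty group every time and only adds noise to the output.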
@@ -0,0 +1,33 @@
+$name = Read-Host "Nom "
+$gname = Read-Host "Given name "
+$sname = Read-Host "Surname "
+$login = Read-Host "Login "
+$mdp = Read-Host "Mot de passe " -AsSecureString
+$Ou = Read-Host "OU= "
+#pitié pas le fonction de découpage
+$dom1 = Read-Host "domaine avant le ."
+$dom2 = Read-Host "domaine apres le ."
+
+New-ADUser `
+ -Name "$name" `
+ -GivenName "$gname" `
+ -Surname "$sname" `
+ -SamAccountName "$login" `
+ -UserPrincipalName "$login@$dom1.$dom2" `
+ -Path "OU=$Ou,DC=$dom1,DC=$dom2" `
+ -AccountPassword $mdp `
+ -Enabled $true
+
+$answ = Read-Host "Lier a un groupe existant ? (y/n) "
+$group = Read-Host "Group Name "
+
+if ($answ -eq "y") {
+ Write-Host "Le Groupe existe deja"
+ Add-ADGroupMember -Identity "$group" -Members "$login"
+ Get-ADGroupMember -Identity "$group"
+} else {
+ exit
+}
+
+
+
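Review bot: `Write-Host "Le Groupe existe deja"` is printed unconditionally once the answer is `y`, without checking that `$group` exists, so when it does not the operator sees a misleading message followed by an Add-ADGroupMember error. A lookup before the message keeps the output honest: `try { Get-ADGroup -Identity $group -ErrorAction Stop | Out-Null } catch { Write-Host "Le groupe $group n'existe pas"; exit 1 }`. `-Enabled $true` together with `-AccountPassword` activates the account immediately, so a password that does not meet the domain policy makes New-ADUser fail after all the prompts have been answered; a short comment at the `$mdp` prompt saying the password must satisfy the domain policy would save a rerun.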