diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/AD.ps1 b/AD.ps1
deleted file mode 100644
index 9338e9e..0000000
--- a/AD.ps1
+++ /dev/null
@@ -1,28 +0,0 @@
-function Get-RandomPassword {
- Add-Type -AssemblyName System.Web
- return ([System.Web.Security.Membership]::GeneratePassword(18, 6))
-}
-
-# OU Creation
-New-ADOrganizationalUnit -Name "COMPTABLE" -Path "DC=chromatic,DC=moe" -ProtectedFromAccidentalDeletion $true
-New-ADOrganizationalUnit -Name "STAGIAIRE" -Path "DC=chromatic,DC=moe" -ProtectedFromAccidentalDeletion $true
-New-ADOrganizationalUnit -Name "ADMINISTRATION" -Path "DC=chromatic,DC=moe" -ProtectedFromAccidentalDeletion $true
-New-ADOrganizationalUnit -Name "CHAUFFEUR" -Path "DC=chromatic,DC=moe" -ProtectedFromAccidentalDeletion $true
-
-# Group Creation
-New-ADGroup -Name "G_COMPTABLE" -Path "OU=COMPTABLE,DC=chromatic,DC=moe" -GroupScope Global -GroupCategory Security
-New-ADGroup -Name "G_STAGIAIRE" -Path "OU=STAGIAIRE,DC=chromatic,DC=moe" -GroupScope Global -GroupCategory Security
-New-ADGroup -Name "G_ADMINISTRATION" -Path "OU=ADMINISTRATION,DC=chromatic,DC=moe" -GroupScope Global -GroupCategory Security
-New-ADGroup -Name "G_CHAUFFEUR" -Path "OU=CHAUFFEUR,DC=chromatic,DC=moe" -GroupScope Global -GroupCategory Security
-
-# User Creation
-New-ADUser -Name "Emerald" -Description "Administrateur reseau" -AccountPassword $(ConvertTo-SecureString (Get-RandomPassword) -AsPlainText -Force) -ChangePasswordAtLogon $true -PasswordNeverExpires $false -Enabled $true
-New-ADUser -Name "Stagiaire1" -AccountPassword $(ConvertTo-SecureString (Get-RandomPassword) -AsPlainText -Force) -ChangePasswordAtLogon $true -PasswordNeverExpires $false -Enabled $true
-New-ADUser -Name "Comptable1" -AccountPassword $(ConvertTo-SecureString (Get-RandomPassword) -AsPlainText -Force) -ChangePasswordAtLogon $true -PasswordNeverExpires $false -Enabled $true
-New-ADUser -Name "Chauffeur1" -AccountPassword $(ConvertTo-SecureString (Get-RandomPassword) -AsPlainText -Force) -ChangePasswordAtLogon $true -PasswordNeverExpires $false -Enabled $true
-
-# Adding Users to Groups
-Add-ADGroupMember -Identity "G_ADMINISTRATION" -Members "Emerald"
-Add-ADGroupMember -Identity "G_STAGIAIRE" -Members "Stagiaire1"
-Add-ADGroupMember -Identity "G_COMPTABLE" -Members "Comptable1"
-Add-ADGroupMember -Identity "G_CHAUFFEUR" -Members "Chauffeur1"
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3f4f934
--- /dev/null
+++ b/README.md
@@ -0,0 +1,32 @@
+# TP Active Directory & Audit — EntrepriseXYZ
+
+Ce dépôt contient des scripts PowerShell pour répondre aux exercices suivants :
+1. audit_system — collecte d'informations système
+2. ad_admin — création d'OU, utilisateurs, groupes et partages avec permissions NTFS
+
+## Prérequis
+- Exécuter les scripts en tant qu'administrateur (PowerShell élevé).
+- Pour `ad_admin.ps1` : exécuter sur un contrôleur de domaine ou sur une machine avec les outils RSAT/ActiveDirectory et connectée au domaine `entreprisexyz.local`.
+- Module ActiveDirectory installé (Import-Module ActiveDirectory).
+- Politique d'exécution adaptée (ex. `Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted`).
+
+## Emplacement des scripts
+- scripts/audit_system.ps1
+- scripts/ad_admin.ps1
+
+## Utilisation
+Ouvrir PowerShell en mode administrateur, se placer dans le dossier du projet puis lancer :
+
+- Générer le rapport système :
+ .\scripts\audit_system.ps1
+ - Sortie : `scripts/exports/system_info.txt`
+
+- Organiser Active Directory et créer partages :
+ .\scripts\ad_admin.ps1
+ - Actions réalisées :
+ - Création des OU : Direction, RH, Informatique
+ - Création des groupes : GRP_Direction, GRP_RH, GRP_Informatique
+ - Création des utilisateurs (par défaut) et assignation aux groupes
+ - Création de dossiers partagés sous `C:\Shares\` et application des permissions NTFS
+ - Le script affiche en console les comptes créés et les mots de passe générés pour les nouveaux utilisateurs.
+
diff --git a/export/ad_admin.png b/export/ad_admin.png
new file mode 100644
index 0000000..acd65a9
Binary files /dev/null and b/export/ad_admin.png differ
diff --git a/export/audit_system.png b/export/audit_system.png
new file mode 100644
index 0000000..f85480e
Binary files /dev/null and b/export/audit_system.png differ
diff --git a/export/system_info.txt b/export/system_info.txt
new file mode 100644
index 0000000..13bb533
--- /dev/null
+++ b/export/system_info.txt
@@ -0,0 +1,8 @@
+===== RAPPORT SYSTEME =====
+Machine : SRV-DC1
+Utilisateur : Administrator
+OS : Microsoft Windows Server 2025 Datacenter
+Processeur : AMD Ryzen 7 PRO 7840U w/ Radeon 780M Graphics , AMD Ryzen 7 PRO 7840U w/ Radeon 780M Graphics , AMD Ryzen 7 PRO 7840U w/ Radeon 780M Graphics , AMD Ryzen 7 PRO 7840U w/ Radeon 780M Graphics
+RAM (Go) : 5.98
+Date : 23/10/2025 02:41
+===========================
diff --git a/scripts/ad_admin.ps1 b/scripts/ad_admin.ps1
new file mode 100644
index 0000000..6f5c941
--- /dev/null
+++ b/scripts/ad_admin.ps1
@@ -0,0 +1,56 @@
+if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
+ Write-Error "Exécutez ce script en tant qu'administrateur."
+ exit 1
+}
+
+function Get-RandomPassword {
+ Add-Type -AssemblyName System.Web
+ return ([System.Web.Security.Membership]::GeneratePassword(18, 6))
+}
+
+Import-Module ActiveDirectory -ErrorAction Stop
+
+# OU Creation
+$ou = @("Direction", "RH", "Informatique")
+foreach ($unit in $ou) {
+ if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$unit'" -ErrorAction SilentlyContinue)) {
+ New-ADOrganizationalUnit -Name $unit -Path "DC=entreprisexyz,DC=local" -ProtectedFromAccidentalDeletion $true
+ }
+}
+
+# Group Creation
+$groups = @("GRP_Direction", "GRP_RH", "GRP_Informatique")
+foreach ($group in $groups) {
+ if (-not (Get-ADGroup -Filter "Name -eq '$group'" -ErrorAction SilentlyContinue)) {
+ New-ADGroup -Name $group -Path "OU=$($group.Split('_')[1]),DC=entreprisexyz,DC=local" -GroupScope Global -GroupCategory Security
+ }
+}
+
+# User Creation
+New-ADUser -Name "Patrick Laddict" -Description "Dicrection" -AccountPassword $(ConvertTo-SecureString (Get-RandomPassword) -AsPlainText -Force) -ChangePasswordAtLogon $true -PasswordNeverExpires $false -Enabled $true
+New-ADUser -Name "Karen Ceplein" -Description "Directrice RH" -AccountPassword $(ConvertTo-SecureString (Get-RandomPassword) -AsPlainText -Force) -ChangePasswordAtLogon $true -PasswordNeverExpires $false -Enabled $true
+New-ADUser -Name "John Informatique" -Description "Administrateur reseau" -AccountPassword $(ConvertTo-SecureString (Get-RandomPassword) -AsPlainText -Force) -ChangePasswordAtLogon $true -PasswordNeverExpires $false -Enabled $true
+
+# Adding Users to Groups
+Add-ADGroupMember -Identity "GRP_Direction" -Members "Patrick Laddict"
+Add-ADGroupMember -Identity "GRP_RH" -Members "Karen Ceplein"
+Add-ADGroupMember -Identity "GRP_Informatique" -Members "John Informatique"
+
+# Shares and Permissions
+$shares = @(
+ @{ Name = "Direction"; Group = "GRP_Direction" },
+ @{ Name = "RH"; Group = "GRP_RH" },
+ @{ Name = "Informatique"; Group = "GRP_Informatique" }
+)
+$shareRoot = 'C:\Shares'
+
+foreach ($share in $shares) {
+ $sharePath = Join-Path -Path $shareRoot -ChildPath $share.Name
+ New-Item -Path $sharePath -ItemType Directory -Force | Out-Null
+ New-SmbShare -Name $share.Name -Path $sharePath -FullAccess "$($share.Group)" -ChangeAccess "Administrators" -ErrorAction Stop
+
+ $acl = Get-Acl -Path $sharePath
+ $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$($share.Group)", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
+ $acl.SetAccessRule($accessRule)
+ Set-Acl -Path $sharePath -AclObject $acl
+}
\ No newline at end of file
diff --git a/scripts/ad_config.ps1 b/scripts/ad_config.ps1
new file mode 100644
index 0000000..c35a2bf
--- /dev/null
+++ b/scripts/ad_config.ps1
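Review bot: The three `New-ADUser` calls in the "User Creation" section generate a password with `Get-RandomPassword`, wrap it in `ConvertTo-SecureString`, and never capture or output it, so each account is created `-Enabled $true` with an initial password nobody knows; with `-ChangePasswordAtLogon $true` the first logon cannot happen, and the README's statement that the script prints the generated passwords does not hold for this version. Generate each password into a variable first (`$initial = Get-RandomPassword`) and deliver it to the account owner through a controlled channel, or create the account disabled until a reset is done. Unlike the OU and group loops, user creation has no existence check and no `-Path`, so a second run errors and the users land in the default container rather than in their OU; a `Get-ADUser -Filter` guard plus `-Path "OU=<ou>,DC=entreprisexyz,DC=local"` would align it with the loops above. In the share loop, `-FullAccess` together with an NTFS `FullControl` ACE lets any group member change permissions and ownership; `Modify` on NTFS with `-ChangeAccess` on the share is the usual least-privilege pairing, and because the ACL's inheritance is not touched the ACEs inherited from `C:\Shares` appear to remain in effect.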
@@ -0,0 +1,55 @@
+if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
+ Write-Error "Exécutez ce script en tant qu'administrateur."
+ exit 1
+}
+
+function Get-RandomPassword {
+ Add-Type -AssemblyName System.Web
+ return ([System.Web.Security.Membership]::GeneratePassword(18, 6))
+}
+
+$DomainName = 'entreprisexyz.local'
+$InstallDns = $true
+$Force = $false
+$DRSMPassword = $(ConvertTo-SecureString (Get-RandomPassword) -AsPlainText -Force)
+$NtdsService = Get-Service -Name ntds -ErrorAction SilentlyContinue
+
+if ($NtdsService) {
+ Write-Host "Ce serveur semble déjà être un contrôleur de domaine (service NTDS présent). Rien à faire." -ForegroundColor Yellow
+ exit 0
+}
+
+$features = @('AD-Domain-Services')
+if ($InstallDns) { $features += 'DNS' }
+
+Write-Host "Installation des rôles : $($features -join ', ')"
+Install-WindowsFeature -Name $features -IncludeManagementTools -ErrorAction Stop | Out-Null
+Write-Host "Rôles installés." -ForegroundColor Green
+
+Import-Module ADDSDeployment -ErrorAction Stop
+
+$installParams = @{
+ CreateDnsDelegation = $false
+ DatabasePath = "C:\Windows\NTDS"
+ DomainMode = "Win2025"
+ ForestMode = "Win2025"
+ LogPath = "C:\Windows\NTDS"
+ NoRebootOnCompletion = $true
+ SysvolPath = "C:\Windows\SYSVOL"
+ Force = $Force.IsPresent
+ SafeModeAdministratorPassword = $DRSMPassword
+ DomainName = $DomainName
+ InstallDns = $InstallDns.IsPresent
+}
+
+try {
+ Write-Host "Promotion en contrôleur de domaine pour le domaine '$DomainName'..."
+ Install-ADDSForest @installParams -ErrorAction Stop
+
+ Write-Host "Promotion terminée. Le serveur va redémarrer pour finaliser l'installation." -ForegroundColor Green
+ Restart-Computer -Force
+}
+catch {
+ Write-Warning "Échec de l'opération : $_"
+ exit 1
+}
\ No newline at end of file
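Review bot: `$DRSMPassword` is generated by `Get-RandomPassword` and never displayed or stored, so the Directory Services Restore Mode password passed as `SafeModeAdministratorPassword` to `Install-ADDSForest` is unrecoverable the moment the script exits; it is the only credential for offline recovery of this DC, so it should come from the operator (`$DRSMPassword = Read-Host -Prompt 'Mot de passe DSRM' -AsSecureString`) or be written to the organisation's secret store before promotion. `$InstallDns` and `$Force` are plain `[bool]` values, not switches, so `$InstallDns.IsPresent` and `$Force.IsPresent` in the splat resolve to `$null` rather than the `$true`/`$false` set at the top of the script; `InstallDns = $InstallDns` and `Force = $Force` pass the intended values. The elevation check and `Get-RandomPassword` are duplicated verbatim from `ad_admin.ps1` in this same commit; a dot-sourced helper would keep the two copies in step.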
diff --git a/scripts/audit_system.ps1 b/scripts/audit_system.ps1
new file mode 100644
index 0000000..56a1286
--- /dev/null
+++ b/scripts/audit_system.ps1
@@ -0,0 +1,33 @@
+# audit_system.ps1
+
+$Date = Get-Date -Format 'dd/MM/yyyy HH:mm'
+$ComputerName = $env:COMPUTERNAME
+$User = $env:USERNAME
+$OS = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
+$CPU = (Get-CimInstance -ClassName Win32_Processor | Select-Object -ExpandProperty Name) -join ', '
+$RAM = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB
+
+# Determine script directory (works when run from console or as a script)
+$ScriptDir = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).ProviderPath }
+$ExportDir = Join-Path $ScriptDir 'exports'
+New-Item -Path $ExportDir -ItemType Directory -Force | Out-Null
+$FilePath = Join-Path $ExportDir 'system_info.txt'
+
+$Rapport = @"
+===== RAPPORT SYSTEME =====
+Machine : $ComputerName
+Utilisateur : $User
+OS : $OS
+Processeur : $CPU
+RAM (Go) : $([math]::Round($RAM,2))
+Date : $Date
+===========================
+"@
+
+Try {
+ $Rapport | Out-File -FilePath $FilePath -Encoding UTF8 -Force
+ Write-Host "Rapport généré dans $FilePath" -ForegroundColor Green
+} Catch {
+ Write-Host "Erreur lors de la génération du rapport: $($_.Exception.Message)" -ForegroundColor Red
+ exit 1
+}
\ No newline at end of file
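Review bot: `Out-File` inside the `Try` block runs without `-ErrorAction Stop`, so a failure to write `$FilePath` (a permission error on the `exports` directory, for example) is a non-terminating error that never reaches `Catch`; the script would then print "Rapport généré" and end with exit code 0 without a report. Change the line to `$Rapport | Out-File -FilePath $FilePath -Encoding UTF8 -Force -ErrorAction Stop` (or set `$ErrorActionPreference = 'Stop'` at the top) so the `Catch` branch and its `exit 1` actually fire. The `Get-CimInstance` calls above the `Try` are likewise unguarded and would likely yield a report with empty fields rather than an error. The header comment only repeats the file name; a short block stating the purpose (collects hostname, user, OS, CPU and RAM into `exports/system_info.txt`), the required privileges if any, and the output path would help, and the committed `export/system_info.txt` shows the same processor name repeated four times, which `Select-Object -ExpandProperty Name -Unique` would collapse if one entry per model is the intended output.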