Wir benutzen sogenannte Arbeitsgruppen bei uns, um Ordner in einer Dateifreigabe zur Verfügung zu stellen, welche nur für bestimmte Personen sichtbar und greifbar sein sollen.
Dies haben wir über einen Windows Fileserver, mit aktiviertem „Access-based Enumeration“ realisiert.
Für das Anlegen der Ordner und der notwendigen Gruppen im Active Directory benutzen wir wieder die PowerShell. Leider kann die Microsoft PowerShell allein dies nicht so schön umsetzen, weshalb ich mich des Tools von Quest bedient habe (Link).
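# Creates a "workgroup" folder below the share root plus the two AD security
# groups (read/write and read-only) that gate access to it, makes the
# requesting user member and manager of both groups, and sets the NTFS ACL.
#
# Prerequisites: RSAT ActiveDirectory module, Quest ActiveRoles snap-in,
# rights to create groups in $OU, write access to the share root, repadmin.
Import-Module ActiveDirectory
Add-PSSnapin Quest.ActiveRoles.ADManagement

# Stop at the first failing cmdlet instead of continuing with a half-created
# workgroup (folder without ACL, group without members, ...).
$ErrorActionPreference = 'Stop'

# --- Site-specific settings ----------------------------------------------------
$path = "UNC Pfad zum Dateiserver"        # share root, e.g. \\server\share
$OU = "OU für die Gruppe"                  # DN of the OU that receives the groups
$parentGroup = "grp_Workgroup"             # umbrella group every workgroup group joins
# Hosts passed to "repadmin /syncall"; fill in the real DC names.
$domainControllers = @("<Domaincontroller 1>", "<Domaincontroller 2>")
# Pauses give AD replication a moment to settle before dependent steps run.
$replicationWait = 5
$aclWait = 10

# Forces replication on every configured DC so objects created by the previous
# step are visible to the next one, then waits $replicationWait seconds.
function Sync-DomainControllers {
    foreach ($dc in $domainControllers) {
        repadmin /syncall $dc
    }
    Write-Output "Start-Sleep -s $replicationWait"
    Start-Sleep -Seconds $replicationWait
}

# --- Operator input --------------------------------------------------------------
$newFolderName = Read-Host -Prompt "Enter Name of Workgroup (no äüö or blank)"
# The prompt only asks for a safe name; enforce it. The value becomes part of a
# filesystem path and of two group names, so path separators, "..", umlauts and
# blanks must be rejected here rather than ending up in the path or in AD.
if ($newFolderName -notmatch '^[A-Za-z0-9][A-Za-z0-9_-]*$') {
    throw "Invalid workgroup name '$newFolderName': use only A-Z, a-z, 0-9, '_' and '-'."
}
$Member = Read-Host -Prompt "Enter Name of User (Example: awild)"
if ($Member -notmatch '^[A-Za-z0-9._-]+$') {
    throw "Invalid user name '$Member'."
}
# Fail early if the account does not exist; every later step references it.
$null = Get-ADUser -Identity $Member
$ManagedByUser = $Member

# Join-Path copes with a share root given with or without a trailing backslash.
$newFolderFull = Join-Path -Path $path -ChildPath $newFolderName
if (Test-Path -Path $newFolderFull) {
    throw "Folder '$newFolderFull' already exists."
}

# Both groups use the "wgrp_<name>_" prefix so they sort together in AD.
# (The original built "wgrp_<name>RW" and "wgrp<name>_R", which looks like a typo.)
$groupNameRW = "wgrp_${newFolderName}_RW"
$groupNameR = "wgrp_${newFolderName}_R"

Write-Output "New Folder will be: $newFolderFull"
Write-Output "Create AD Groups"
# Replicate the DCs before creating the groups
Sync-DomainControllers

# Create the security groups
$description = "Workgroup $newFolderName Manager $ManagedByUser"
foreach ($groupName in @($groupNameRW, $groupNameR)) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -Description $description -GroupCategory Security -GroupScope Global -Path $OU
}
pause
# Replicate the DCs so the new groups can be addressed on every DC
Sync-DomainControllers

# Add the group members: the requesting user to both groups, both groups to
# the umbrella group.
Add-ADGroupMember -Identity $groupNameRW -Members $Member
Add-ADGroupMember -Identity $groupNameR -Members $Member
Add-ADGroupMember -Identity $parentGroup -Members $groupNameRW
Add-ADGroupMember -Identity $parentGroup -Members $groupNameR
Start-Sleep -Seconds $aclWait

# Set the ManagedBy user. On its own managedBy grants no rights; the explicit
# WriteProperty on "member" below is what lets the manager maintain membership.
foreach ($groupName in @($groupNameRW, $groupNameR)) {
    Set-ADGroup -Identity $groupName -ManagedBy $ManagedByUser
}
Start-Sleep -Seconds $aclWait

# Give the manager write permission on the member attribute of both groups
foreach ($groupName in @($groupNameRW, $groupNameR)) {
    Add-QADPermission -Identity $groupName -Account $ManagedByUser -Rights WriteProperty -Property "Member" -ApplyTo ThisObjectOnly
}
# Replicate the DCs so the file server resolves the groups when the ACL is set
Sync-DomainControllers

# --- Folder and NTFS ACL -----------------------------------------------------------
Write-Output "Add Folder.."
New-Item -Path $newFolderFull -ItemType Directory
Write-Output "Remove Inheritance.."
# Disable inheritance (keeping copies of the inherited ACEs), then drop the
# broad default entries so only the workgroup groups remain.
# NOTE(review): removing SYSTEM also locks out services running as LocalSystem
# (backup, indexing, AV) — confirm that is intended before keeping it.
icacls $newFolderFull /inheritance:d
if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance:d failed with exit code $LASTEXITCODE" }
icacls $newFolderFull /remove:g "BUILTIN\Users" "SYSTEM" "CREATOR OWNER"
if ($LASTEXITCODE -ne 0) { throw "icacls /remove:g failed with exit code $LASTEXITCODE" }
Write-Output "Start-Sleep -s $aclWait"
Start-Sleep -Seconds $aclWait

# Rights
# NOTE(review): Modify includes Delete on the folder itself, so RW members can
# remove the whole workgroup folder — confirm this is acceptable.
$readOnly = [System.Security.AccessControl.FileSystemRights]"ReadAndExecute"
$readWrite = [System.Security.AccessControl.FileSystemRights]"Modify"
# Inheritance: this folder, subfolders and files
$inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
# Propagation
$propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
# Principals (bare group names; prefix with the domain if resolution fails)
$userRW = New-Object System.Security.Principal.NTAccount($groupNameRW)
$userR = New-Object System.Security.Principal.NTAccount($groupNameR)
# Type
Write-Output "Berechtigungen setzen"
$type = [System.Security.AccessControl.AccessControlType]::Allow
$accessControlEntryRW = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $userRW, $readWrite, $inheritanceFlag, $propagationFlag, $type
$accessControlEntryR = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $userR, $readOnly, $inheritanceFlag, $propagationFlag, $type
$objACL = Get-Acl -Path $newFolderFull
$objACL.AddAccessRule($accessControlEntryRW)
$objACL.AddAccessRule($accessControlEntryR)
Set-Acl -Path $newFolderFull -AclObject $objACL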