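# -----------------------------
# Step 5: Network Shares & Folders
# -----------------------------
# Creates the folder tree on D:\, sets explicit (non-inherited) NTFS ACLs on the
# per-user, per-group, public and admin folders, and publishes them as SMB shares.
# Effective access is the more restrictive of the share permission and the NTFS ACL,
# so the two are set side by side for each folder.
#
# Run from an elevated session on the file server; needs the ActiveDirectory module.

Import-Module ActiveDirectory

# Stop at the first failure. Without this, cmdlet errors are non-terminating and
# the success message at the end would be printed even if a share or ACL step failed.
$ErrorActionPreference = 'Stop'

# Paths
$HomeRoot     = "D:\Home"
$GroupsRoot   = "D:\Groups"
$PublicFolder = "D:\Public"
$AdminTools   = "D:\Admin-Tools"

# NOTE(review): "Administrators" and "Authenticated Users" are the English names of
# built-in principals; on a localized server OS they may not resolve - confirm.

# Builds an Allow rule that applies to the folder, its subfolders and its files.
# $Identity may be an account name (string) or a SecurityIdentifier object.
function New-FolderRule {
    param(
        $Identity,
        [string]$Rights
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, "ContainerInherit,ObjectInherit", "None", "Allow")
}

# Disables inheritance on $Path (inherited entries are dropped, not copied) and
# adds the given rules, so the rules passed in define who gets access.
function Set-ProtectedAcl {
    param(
        [string]$Path,
        [object[]]$Rules
    )
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in $Rules) {
        $acl.AddAccessRule($rule)
    }
    Set-Acl $Path $acl
}

# Creates the SMB share unless one with that name already exists, so the script
# can be re-run (for example after new users were added) without failing.
# An existing share is left untouched and reported, never silently re-permissioned.
function New-ShareIfMissing {
    param(
        [string]$Name,
        [string]$Path,
        [string[]]$FullAccess,
        [string[]]$ChangeAccess
    )
    if (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Share '$Name' already exists; leaving its path and permissions unchanged."
        return
    }
    $shareArgs = @{ Name = $Name; Path = $Path; FullAccess = $FullAccess }
    if ($ChangeAccess) {
        $shareArgs.ChangeAccess = $ChangeAccess
    }
    New-SmbShare @shareArgs
}

# Create folders
$folders = @(
    $HomeRoot,
    "$GroupsRoot\Students",
    "$GroupsRoot\Teacher",
    "$GroupsRoot\Admins",
    $PublicFolder,
    $AdminTools
)
foreach ($f in $folders) {
    if (!(Test-Path $f)) {
        New-Item -ItemType Directory -Path $f | Out-Null
    }
}

# -----------------------------
# 5.1 Home folders for users
# -----------------------------
# Replace the DC= components with the real domain before running.
$Users = Get-ADUser -Filter * -SearchBase "OU=Benutzer,OU=TFO-Brixen,DC=yourdomain,DC=local"
foreach ($user in $Users) {
    $homeFolder = Join-Path $HomeRoot $user.SamAccountName
    if (!(Test-Path $homeFolder)) {
        New-Item -ItemType Directory -Path $homeFolder | Out-Null
    }

    # NTFS permissions: User FullControl, Admins FullControl.
    # The user rule is keyed on the account SID rather than the bare SamAccountName,
    # so it cannot resolve to a different account that happens to share the name.
    # NOTE(review): FullControl lets each user edit the ACL of their own home folder;
    # "Modify" is the usual least-privilege choice - confirm FullControl is intended.
    # NOTE(review): with inheritance disabled, neither SYSTEM nor the built-in
    # Administrators group has an entry here, although the Home$ share grants
    # "Administrators" full access - confirm "Admins" is the intended admin group.
    Set-ProtectedAcl -Path $homeFolder -Rules @(
        (New-FolderRule -Identity $user.SID -Rights "FullControl"),
        (New-FolderRule -Identity "Admins" -Rights "FullControl")
    )
}

# Share Home$
# NOTE(review): the ACL of $HomeRoot itself is not set by this script, so what
# authenticated users can list or create directly under the share root depends on
# what D:\Home inherits from the volume - verify it, and consider access-based
# enumeration on this share.
New-ShareIfMissing -Name 'Home$' -Path $HomeRoot -FullAccess "Administrators" -ChangeAccess "Authenticated Users"

# -----------------------------
# 5.2 Group folders
# -----------------------------
$groups = @("Students", "Teacher", "Admins")
foreach ($g in $groups) {
    $path = Join-Path $GroupsRoot $g

    # Group members may modify content; only Administrators can change permissions.
    Set-ProtectedAcl -Path $path -Rules @(
        (New-FolderRule -Identity $g -Rights "Modify"),
        (New-FolderRule -Identity "Administrators" -Rights "FullControl")
    )

    # Create SMB share
    New-ShareIfMissing -Name $g -Path $path -FullAccess "Administrators" -ChangeAccess $g
}

# -----------------------------
# 5.3 Public folder
# -----------------------------
# Administrators get an explicit FullControl entry, matching the share permission
# and the group folders. With inheritance disabled and only the
# "Authenticated Users: Modify" rule, no principal would hold FullControl in the ACL.
Set-ProtectedAcl -Path $PublicFolder -Rules @(
    (New-FolderRule -Identity "Authenticated Users" -Rights "Modify"),
    (New-FolderRule -Identity "Administrators" -Rights "FullControl")
)
New-ShareIfMissing -Name "Public" -Path $PublicFolder -FullAccess "Administrators" -ChangeAccess "Authenticated Users"

# -----------------------------
# 5.4 Admin Tools folder (no mapped drive)
# -----------------------------
# Only the "Admins" group is granted access, at both the NTFS and the share level.
Set-ProtectedAcl -Path $AdminTools -Rules @(
    (New-FolderRule -Identity "Admins" -Rights "FullControl")
)
New-ShareIfMissing -Name "Admin-Tools" -Path $AdminTools -FullAccess "Admins"

Write-Host "All shares and folders created successfully. Map drives using GPO Preferences on client machines."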