Hhb

# lock_peda_ntfs_final.ps1
# A lancer en tant qu'administrateur

# Vérifier admin
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)) {
    Write-Error "Merci de lancer ce script en administrateur."
    exit 1
}

Write-Host "=== Création des groupes Eleves / Profs / AdminPedago ==="

function Ensure-LocalGroup {
    param([string]$Name)
    if (-not (Get-LocalGroup -Name $Name -ErrorAction SilentlyContinue)) {
        net localgroup "$Name" /add | Out-Null
        Write-Host "[OK] Groupe créé : $Name"
    } else {
        Write-Host "[OK] Groupe déjà existant : $Name"
    }
}

Ensure-LocalGroup "Eleves"
Ensure-LocalGroup "Profs"
Ensure-LocalGroup "AdminPedago"

Write-Host "`n=== Création des comptes eleve / prof ==="

function Ensure-LocalUser {
    param(
        [string]$UserName,
        [string]$Password,
        [string]$GroupName
    )

    if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
        net user "$UserName" "$Password" /add /y /fullname:"$UserName" /passwordchg:no /passwordreq:yes | Out-Null
        Write-Host "[OK] Compte créé : $UserName"
    } else {
        Write-Host "[OK] Compte déjà existant : $UserName"
    }

    net localgroup "$GroupName" "$UserName" /add | Out-Null
    net localgroup "Users" "$UserName" /add | Out-Null
}

Ensure-LocalUser "eleve" "eleve" "Eleves"
Ensure-LocalUser "prof"  "prof"  "Profs"

Write-Host "`n=== Blocage NTFS des outils Windows pour NON-ADMINS ==="

# SIDs constants (PAS de tirets dans les noms de variables)
$SIDAdmins = "*S-1-5-32-544"
$SIDSystem = "SYSTEM"
$SIDUsers = "*S-1-5-32-545"
$SIDAuthUsers = "*S-1-5-11"
$SIDEveryone = "*S-1-1-0"

# EXE Windows à bloquer pour élèves/profs (non-admins)
$targets = @(
    "$env:WINDIR\System32\cmd.exe",
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:WINDIR\regedit.exe",
    "$env:WINDIR\System32\mmc.exe",
    "$env:WINDIR\System32\taskmgr.exe",
    "$env:WINDIR\System32\control.exe",
    "$env:WINDIR\ImmersiveControlPanel\SystemSettings.exe"
)

foreach ($t in $targets) {
    if (-not (Test-Path $t)) {
        Write-Warning "[SKIP] Introuvable : $t"
        continue
    }

    Write-Host "[*] Configuration NTFS : $t"

    # 1. Prendre la propriété
    takeown /F "$t" /A > $null 2>&1

    # 2. Donner Full aux admins (pour corriger proprement)
    icacls "$t" /grant:r "$SIDAdmins:(F)" > $null 2>&1

    # 3. Enlever Users / Authenticated Users / Everyone
    icacls "$t" /remove "$SIDUsers" "$SIDAuthUsers" "$SIDEveryone" > $null 2>&1

    # 4. Désactiver héritage
    icacls "$t" /inheritance:d > $null 2>&1

    # 5. Reposer ACL propres
    icacls "$t" /grant:r "$SIDSystem:(F)" "$SIDAdmins:(RX)" > $null 2>&1

    Write-Host "    → [OK] Bloqué pour NON-admins"
}

Write-Host "`n=== FIN ==="
Write-Host "Les comptes NON admin ne peuvent plus lancer : CMD, PowerShell, Regedit, MMC, Taskmgr, Paramètres, Panneau de config."
Write-Host "Les applis du bureau sont OK."
Write-Host "L'explorateur et les programmes installés sont OK."
Write-Host "Le compte admin a tous les accès."
Créé il y a 2 mois.