# Admins-01 GPO

**GUID:** Auto-created on first `Apply-GPOBaseline.ps1` run
**Linked to:** `OU=ExampleAdmins,DC=example,DC=internal`
**Scope:** User Configuration (HKCU) -- Administrative Templates only

This GPO applies to delegated administrator accounts in the ExampleAdmins OU. Unlike Users-01, it does NOT restrict access to management tools (regedit, cmd, Run, etc.). Instead it focuses on session security and accountability.

## Settings

### Session Security

| Setting | Value | Effect |
|---|---|---|
| ScreenSaveActive | 1 | Enable screensaver (required for lock timeout) |
| ScreenSaveTimeOut | 600 | Lock screen after 10 minutes idle |
| ScreenSaverIsSecure | 1 | Require password to unlock |

### Accountability

| Setting | Value | Effect |
|---|---|---|
| EnableScriptBlockLogging | 1 | Logs all PowerShell script blocks to event log |
| EnableTranscripting | 1 | Full transcript of all PowerShell sessions |

### Taskbar Cleanup

| Setting | Value | Effect |
|---|---|---|
| TurnOffWindowsCopilot | 1 | Disables Windows Copilot |
| TaskbarDa | 0 | Hides Widgets |
| SearchboxTaskbarMode | 0 | Hides Search box |

## Design Rationale

Admins need unrestricted access to system tools. The policies here enforce:
1. **Session security** -- unattended admin sessions auto-lock after 10 minutes
2. **Audit trail** -- all PowerShell activity is logged for forensic review
3. **Clean workspace** -- distracting taskbar elements removed

Actual admin privileges come from membership in the DelegatedAdmins security group, not from this GPO.