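# Default Domain Controllers Policy -- Settings Declaration
# GPO GUID: {6AC1786C-016F-11D2-945F-00C04FB984F9} (built-in, same on all domains)
# Linked to: OU=Domain Controllers,DC=example,DC=internal
#
# This GPO controls user rights assignments and security options for domain controllers.
# Privilege Rights use *SID notation as required by GptTmpl.inf format.
#
# The file evaluates to a single hashtable (GPOName, Description, DisableUserConfiguration,
# LinkTo, SecurityPolicy, RegistrySettings). Evaluating it requires the ActiveDirectory
# module (Get-ADGroup) and a reachable domain controller.

# Resolve custom group SIDs at evaluation time so they stay correct if groups are recreated.
# Fail loudly: without -ErrorAction Stop a missing group (or missing AD module) leaves
# $masterAdminsSID empty, and the SeRemoteInteractiveLogonRight value below would expand to
# '*S-1-5-32-544,*' -- a malformed GptTmpl.inf entry that only surfaces when the policy
# fails to apply on the DCs.
$masterAdminsSID = (Get-ADGroup -Identity 'MasterAdmins' -ErrorAction Stop).SID.Value
if ([string]::IsNullOrWhiteSpace($masterAdminsSID) -or $masterAdminsSID -notmatch '^S-1-\d+(-\d+)+$') {
    throw "Unable to resolve a SID for group 'MasterAdmins' (got '$masterAdminsSID'); refusing to emit a malformed privilege right."
}

@{
    GPOName     = 'Default Domain Controllers Policy'
    Description = 'User rights assignments, security options, and signing requirements for domain controllers'

    DisableUserConfiguration = $true

    # Already linked at domain creation
    LinkTo = $null

    SecurityPolicy = @{

        # Values are GptTmpl.inf '<type>,<data>' strings: 4 = REG_DWORD.
        'Registry Values' = [ordered]@{

            # LDAP server signing: 1=None (signing supported but not required)
            # NOTE(review): at 1 the DC still accepts unsigned LDAP binds, which leaves LDAP
            # open to NTLM relay and in-path tampering. Hardened baselines set this to
            # 2 (Require signing). Left at 1 here -- TODO confirm every LDAP client signs
            # (audit unsigned binds in the DC's Directory Service event log) before raising.
            'MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity' = '4,1'

            # Secure channel: always encrypt or sign
            'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal' = '4,1'

            # SMB server: always require signing
            'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature' = '4,1'

            # SMB server: sign if client agrees
            # (redundant once RequireSecuritySignature is 1 above, but harmless)
            'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature' = '4,1'
        }

        # Every grant here is on a domain controller, so any group listed below that can
        # read, restore, or load code on the DC is effectively Tier-0.
        'Privilege Rights' = [ordered]@{

            # --- Token and Process Privileges ---

            # Replace a process-level token
            SeAssignPrimaryTokenPrivilege = '*S-1-5-20,*S-1-5-19' # NETWORK SERVICE, LOCAL SERVICE

            # Generate security audits
            SeAuditPrivilege = '*S-1-5-99-216390572-1995538116-3857911515-2404958512-2623887229,*S-1-5-20,*S-1-5-19' # PrintSpoolerService, NETWORK SERVICE, LOCAL SERVICE

            # Debug programs
            SeDebugPrivilege = '*S-1-5-32-544' # Administrators

            # --- Backup and Restore ---
            # NOTE(review): Backup Operators and Server Operators can back up and restore
            # NTDS.dit and the SYSTEM hive on a DC, i.e. extract every domain credential.
            # Treat membership in those two groups as equivalent to Domain Admins.

            # Back up files and directories
            SeBackupPrivilege = '*S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544' # Server Operators, Backup Operators, Administrators

            # Restore files and directories
            SeRestorePrivilege = '*S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544' # Server Operators, Backup Operators, Administrators

            # --- Logon Rights ---

            # Log on as a batch job
            SeBatchLogonRight = '*S-1-5-32-559,*S-1-5-32-551,*S-1-5-32-544' # Performance Log Users, Backup Operators, Administrators

            # Allow log on locally
            # NOTE(review): this is the OS default set; all four operator groups get console
            # logon on DCs. Confirm each is still needed -- TODO.
            SeInteractiveLogonRight = '*S-1-5-9,*S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544' # Enterprise DCs, Print Operators, Server Operators, Account Operators, Backup Operators, Administrators

            # Allow log on through Remote Desktop Services
            # $masterAdminsSID is validated above, so this always contains two well-formed SIDs.
            SeRemoteInteractiveLogonRight = "*S-1-5-32-544,*$masterAdminsSID" # Administrators, MasterAdmins

            # Access this computer from the network
            # NOTE(review): Everyone and Pre-Windows 2000 Compatible Access are the OS defaults;
            # they are broad for a DC. Confirm nothing still depends on anonymous/legacy
            # access before trimming -- TODO.
            SeNetworkLogonRight = '*S-1-5-32-554,*S-1-5-9,*S-1-5-11,*S-1-5-32-544,*S-1-1-0' # Pre-Windows 2000 Compatible Access, Enterprise DCs, Authenticated Users, Administrators, Everyone

            # Bypass traverse checking
            SeChangeNotifyPrivilege = '*S-1-5-32-554,*S-1-5-11,*S-1-5-99-216390572-1995538116-3857911515-2404958512-2623887229,*S-1-5-32-544,*S-1-5-20,*S-1-5-19,*S-1-1-0' # Pre-Windows 2000, Authenticated Users, PrintSpoolerService, Administrators, NETWORK SERVICE, LOCAL SERVICE, Everyone

            # --- Domain and Machine Management ---

            # Add workstations to domain
            # NOTE(review): Authenticated Users is the OS default and lets any domain user
            # create computer objects (bounded by ms-DS-MachineAccountQuota). Hardened domains
            # usually limit this to an admin/provisioning group -- TODO confirm intent.
            SeMachineAccountPrivilege = '*S-1-5-11' # Authenticated Users

            # Enable delegation
            SeEnableDelegationPrivilege = '*S-1-5-32-544' # Administrators

            # --- System Privileges ---

            # Create a pagefile
            SeCreatePagefilePrivilege = '*S-1-5-32-544' # Administrators

            # Increase scheduling priority
            SeIncreaseBasePriorityPrivilege = '*S-1-5-90-0,*S-1-5-32-544' # Window Manager Group, Administrators

            # Adjust memory quotas for a process
            SeIncreaseQuotaPrivilege = '*S-1-5-32-544,*S-1-5-20,*S-1-5-19' # Administrators, NETWORK SERVICE, LOCAL SERVICE

            # Load and unload device drivers
            # NOTE(review): a driver load on a DC is kernel code execution; Print Operators
            # holding this is the OS default but is a well-known escalation path -- TODO review.
            SeLoadDriverPrivilege = '*S-1-5-32-550,*S-1-5-32-544' # Print Operators, Administrators

            # Profile single process
            SeProfileSingleProcessPrivilege = '*S-1-5-32-544' # Administrators

            # Profile system performance
            SeSystemProfilePrivilege = '*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420,*S-1-5-32-544' # WdiServiceHost, Administrators

            # --- Shutdown ---

            # Force shutdown from a remote system
            SeRemoteShutdownPrivilege = '*S-1-5-32-549,*S-1-5-32-544' # Server Operators, Administrators

            # Shut down the system
            SeShutdownPrivilege = '*S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544' # Print Operators, Server Operators, Backup Operators, Administrators

            # --- Security and Audit ---

            # Manage auditing and security log
            SeSecurityPrivilege = '*S-1-5-32-544' # Administrators

            # Take ownership of files or other objects
            SeTakeOwnershipPrivilege = '*S-1-5-32-544' # Administrators

            # --- Environment and Hardware ---

            # Modify firmware environment values
            SeSystemEnvironmentPrivilege = '*S-1-5-32-544' # Administrators

            # Change the system time
            SeSystemTimePrivilege = '*S-1-5-32-549,*S-1-5-32-544,*S-1-5-19' # Server Operators, Administrators, LOCAL SERVICE

            # Remove computer from docking station
            SeUndockPrivilege = '*S-1-5-32-544' # Administrators
        }
    }

    # No registry-based (Administrative Template) settings in this GPO
    RegistrySettings = @()
}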