# Default Domain Policy -- settings declaration
#
# GPO GUID : {31B2F340-016D-11D2-945F-00C04FB984F9}  (built-in; identical on every domain)
# Linked to: example.internal (domain root)
#
# Password, account-lockout and Kerberos policy for *domain* accounts is read only
# from a GPO linked at the domain root. The same keys in an OU-linked GPO do not
# reach domain accounts (they would only shape the local SAM of member computers
# in that OU), so this is the one place these values belong.
@{
    GPOName     = 'Default Domain Policy'
    Description = 'Domain-wide password, account lockout, and Kerberos policies'

    # Auto-linked when the domain is created; nothing for link management to do.
    LinkTo = $null

    # Only the Computer Configuration half carries settings here.
    DisableUserConfiguration = $true

    # This GPO carries no Administrative Template (registry.pol) settings.
    RegistrySettings = @()

    # Security template (secedit INF) sections. Section and key names are the
    # literal INF identifiers, hence the [ordered] tables and quoted keys.
    SecurityPolicy = @{

        'System Access' = [ordered]@{
            # ---- Password policy ----
            # Minimum age > 0 keeps a user from cycling through the history
            # list in one sitting to get back to an old password.
            MinimumPasswordAge           = 1    # days before a password may be changed
            MaximumPasswordAge           = 42   # days before a password must be changed
            # 7 is the legacy default; 14+ is the usual hardening target.
            MinimumPasswordLength        = 7    # characters
            PasswordComplexity           = 1    # 1 = on: 3 of 4 character classes required
            PasswordHistorySize          = 24   # previous passwords remembered
            # 0 = off: never store passwords with reversible encryption.
            ClearTextPassword            = 0
            RequireLogonToChangePassword = 0    # 0 = off
            # 0 = off: established sessions are not torn down when logon hours end.
            ForceLogoffWhenHourExpire    = 0
            # 0 = off: anonymous callers may not translate SIDs to names.
            LSAAnonymousNameLookup       = 0

            # ---- Account lockout policy ----
            # Windows requires the reset window to be <= the lockout duration;
            # both are 30 here, so the pair is valid as written.
            LockoutBadCount   = 5    # failed attempts before lockout (0 would disable lockout)
            ResetLockoutCount = 30   # minutes of quiet before the failure counter resets
            LockoutDuration   = 30   # minutes the account stays locked
        }

        'Kerberos Policy' = [ordered]@{
            MaxTicketAge         = 10    # TGT lifetime, hours
            MaxRenewAge          = 7     # TGT renewable lifetime, days
            MaxServiceAge        = 600   # service-ticket lifetime, minutes
            MaxClockSkew         = 5     # tolerated client/KDC clock difference, minutes
            TicketValidateClient = 1     # 1 = on: KDC validates the client on each TGS request
        }

        'Registry Values' = [ordered]@{
            # Value string uses the secedit INF encoding "<type>,<data>":
            # type 4 = REG_DWORD, data 1 -> NoLMHash = 1.
            # Stops the DC from storing LM hashes, which are trivially recoverable.
            'MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash' = '4,1'
        }
    }
}