# Users-01 -- Settings Declaration # Linked to: OU=ExampleUsers,DC=example,DC=internal # # This GPO targets user configuration for the ExampleUsers OU. # All settings are User Configuration (HKCU) -- Administrative Templates. @{ GPOName = 'Users-01' Description = 'Standard user desktop hardening and UX standardization' DisableComputerConfiguration = $true LinkTo = 'OU=ExampleUsers,DC=example,DC=internal' # Deny Apply for admin groups -- DelegatedAdmins sit in ExampleUsers but should not # receive desktop restrictions (they need regedit, cmd, etc. for sysadmin work). # MasterAdmins are in ExampleAdmins OU so they never receive this GPO anyway. SecurityFiltering = @{ DenyApply = @('DelegatedAdmins') } # No security policy settings -- user rights, account policies, etc. are Computer Configuration only SecurityPolicy = @{} RegistrySettings = @( # ============================================================= # Desktop Hardening # ============================================================= # Prevent access to registry editing tools @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' ValueName = 'DisableRegistryTools' Type = 'DWord' Value = 1 } # Prevent access to command prompt (2 = disable cmd.exe but allow batch files) @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\System' ValueName = 'DisableCMD' Type = 'DWord' Value = 2 } # Remove Run from Start Menu @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' ValueName = 'NoRun' Type = 'DWord' Value = 1 } # Prevent changing desktop wallpaper @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' ValueName = 'NoChangingWallPaper' Type = 'DWord' Value = 1 } # Remove Add/Remove Programs from Control Panel @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall' ValueName = 'NoAddRemovePrograms' Type = 'DWord' Value = 1 } # Prevent adding printers @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' ValueName = 'NoAddPrinter' Type = 'DWord' Value = 1 } # ============================================================= # UX Standardization # ============================================================= # Set default desktop wallpaper (built-in Windows wallpaper, exists on all machines) # Replace with a corporate wallpaper on a UNC share when ready @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' ValueName = 'Wallpaper' Type = 'String' Value = 'C:\Windows\Web\Wallpaper\Windows\img0.jpg' } # Wallpaper style: Fill # 0=Center, 2=Stretch, 6=Fit, 10=Fill, 22=Span @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' ValueName = 'WallpaperStyle' Type = 'String' Value = '10' } # Hide Search box on taskbar (0=Hidden, 1=Icon, 2=Full box) @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Search' ValueName = 'SearchboxTaskbarMode' Type = 'DWord' Value = 0 } # Hide Task View button on taskbar @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' ValueName = 'ShowTaskViewButton' Type = 'DWord' Value = 0 } # Disable Windows Copilot @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\WindowsCopilot' ValueName = 'TurnOffWindowsCopilot' Type = 'DWord' Value = 1 } # Hide Widgets on taskbar @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' ValueName = 'TaskbarDa' Type = 'DWord' Value = 0 } ) }