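# Admins-01 -- Settings Declaration
# Linked to: OU=ExampleAdmins,DC=example,DC=internal
#
# This GPO targets delegated administrator accounts.
# No desktop restrictions -- admins need access to management tools.
# Focus is on accountability (logging) and session security (screen lock).
# All settings are User Configuration (HKCU).
#
# NOTE(review): every control here is user-scoped. If these accounts hold
# local administrator rights on the machines they log on to, they can write
# to their own HKCU\Software\Policies hive and clear local logs until the
# next policy refresh. Treat the logging below as a baseline, not as
# tamper-resistant accountability: enforce the same PowerShell logging under
# Computer Configuration (HKLM) on the hosts admins use, and forward the
# events off-box.
@{
    GPOName     = 'Admins-01'
    Description = 'Admin account policy -- session lock, PS logging, taskbar cleanup'

    # Only the User Configuration half of the GPO is processed.
    DisableComputerConfiguration = $true

    LinkTo = 'OU=ExampleAdmins,DC=example,DC=internal'

    # No security policy settings -- admin privileges come from group membership, not GPO
    SecurityPolicy = @{}

    RegistrySettings = @(

        # =============================================================
        # Session Security -- Screensaver Lock
        # =============================================================

        # Enable screensaver (required for timeout lock to work)
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
            ValueName = 'ScreenSaveActive'
            Type      = 'String'
            Value     = '1'
        }

        # Force a specific screensaver (blank screen). Microsoft's policy
        # documentation states the timeout has no effect when neither policy
        # nor the user's own settings name a valid screensaver, so without
        # this entry the lock depends on each profile's personal choice.
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
            ValueName = 'SCRNSAVE.EXE'
            Type      = 'String'
            Value     = 'scrnsave.scr'
        }

        # Screensaver timeout: 10 minutes (600 seconds)
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
            ValueName = 'ScreenSaveTimeOut'
            Type      = 'String'
            Value     = '600'
        }

        # Password-protect the screensaver (require unlock)
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
            ValueName = 'ScreenSaverIsSecure'
            Type      = 'String'
            Value     = '1'
        }

        # =============================================================
        # Accountability -- PowerShell Logging
        # =============================================================

        # Enable PowerShell script block logging.
        # Events land in the local Microsoft-Windows-PowerShell/Operational
        # log (event ID 4104); forward them to a collector so the account
        # being audited cannot clear the only copy.
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
            ValueName = 'EnableScriptBlockLogging'
            Type      = 'DWord'
            Value     = 1
        }

        # Enable PowerShell transcription.
        # NOTE(review): no OutputDirectory value is declared, so transcripts
        # fall back to the user's own Documents folder, where the account
        # owner can edit or delete them. Consider adding OutputDirectory
        # (pointing at a central share that admins can write to but not read
        # or modify) and EnableInvocationHeader for per-command timestamps.
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription'
            ValueName = 'EnableTranscripting'
            Type      = 'DWord'
            Value     = 1
        }

        # =============================================================
        # Taskbar Cleanup
        # =============================================================
        # The Widgets and Search entries below live outside the \Policies\
        # subtree: they are user preferences, so the user can change them
        # between refreshes and the values remain after the GPO is unlinked.

        # Disable Windows Copilot
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\WindowsCopilot'
            ValueName = 'TurnOffWindowsCopilot'
            Type      = 'DWord'
            Value     = 1
        }

        # Hide Widgets on taskbar
        @{
            Key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
            ValueName = 'TaskbarDa'
            Type      = 'DWord'
            Value     = 0
        }

        # Hide Search box on taskbar (0=Hidden, 1=Icon, 2=Full box)
        @{
            Key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Search'
            ValueName = 'SearchboxTaskbarMode'
            Type      = 'DWord'
            Value     = 0
        }
    )
}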