# Workstations-01 GPO

**GUID:** Auto-created on first `Apply-GPOBaseline.ps1` run

**Linked to:** `OU=ExampleWorkstations,DC=example,DC=internal`

**Scope:** Computer Configuration (HKLM) -- Security Policy + Administrative Templates

This GPO applies to all computer objects in the ExampleWorkstations OU. It uses both SecurityPolicy (GptTmpl.inf) and RegistrySettings (Set-GPRegistryValue).

## Settings

### Security Policy (GptTmpl.inf)

#### System Access

| Setting | Value | Effect |
|---|---|---|
| EnableGuestAccount | 0 | Disables the local guest account |

#### Event Audit

| Setting | Value | Effect |
|---|---|---|
| AuditSystemEvents | 1 | Success |
| AuditLogonEvents | 3 | Success + Failure |
| AuditObjectAccess | 2 | Failure |
| AuditPrivilegeUse | 2 | Failure |
| AuditPolicyChange | 1 | Success |
| AuditAccountManage | 3 | Success + Failure |
| AuditProcessTracking | 0 | No auditing |
| AuditDSAccess | 0 | No auditing (irrelevant for workstations) |
| AuditAccountLogon | 3 | Success + Failure |

#### Security Options (Registry Values in GptTmpl.inf)

| Setting | Value | Effect |
|---|---|---|
| InactivityTimeoutSecs | 900 | Lock screen after 15 minutes idle |
| DontDisplayLastUserName | 1 | Login screen does not reveal usernames |
| DisableCAD | 0 | Ctrl+Alt+Del required at login |

### Administrative Templates (Registry-based)

#### Autorun / Autoplay

| Setting | Value | Effect |
|---|---|---|
| NoDriveTypeAutoRun | 255 | Disable autorun on all drive types |
| NoAutorun | 1 | Disable autoplay entirely |

#### Windows Update

| Setting | Value | Effect |
|---|---|---|
| NoAutoUpdate | 0 | Automatic updates enabled |
| AUOptions | 4 | Auto download + scheduled install |
| ScheduledInstallDay | 0 | Every day |
| ScheduledInstallTime | 3 | 3:00 AM |

#### Logging & Auditing

| Setting | Value | Effect |
|---|---|---|
| EnableScriptBlockLogging | 1 | PowerShell script block logging enabled |
| Application MaxSize | 32768 KB | 32 MB application event log |
| Security MaxSize | 196608 KB | 192 MB security event log |
| System MaxSize | 32768 KB | 32 MB system event log |

#### Remote Desktop

| Setting | Value | Effect |
|---|---|---|
| UserAuthentication | 1 | Network Level Authentication required for RDP |

## WMI Filter

| Property | Value |
|---|---|
| Name | Workstations Only |
| Query | `SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1` |

Defense-in-depth: ensures this GPO only applies to workstation operating systems, even if a server object lands in the ExampleWorkstations OU by mistake.

## Restricted Groups

| Local Group | Enforced Members |
|---|---|
| BUILTIN\Administrators | Domain Admins, MasterAdmins |

Any locally-added administrator accounts are removed on next GPO refresh. This prevents local admin creep on workstations.

## Notes

- First GPO in this repo to use both SecurityPolicy and RegistrySettings together
- Audit policy uses legacy categories (not Advanced Audit Policy Configuration subcategories)
- Event log sizes are generous -- 192 MB security log supports forensic investigation
- Windows Update schedule assumes workstations are powered on overnight or use wake timers
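
The System Access and Event Audit values documented on this page can be checked against a GPO's actual `GptTmpl.inf`. The PowerShell below is an added example, not code from this repo: it parses those two sections, decodes the legacy audit bitmask, and reports drift. The function names and the sample input are constructed for illustration.

```powershell
# Added example (not part of this repo): check GptTmpl.inf content against this page's tables.
$Baseline = [ordered]@{
    'System Access' = @{ EnableGuestAccount = 0 }
    'Event Audit'   = @{
        AuditSystemEvents = 1; AuditLogonEvents = 3; AuditObjectAccess = 2
        AuditPrivilegeUse = 2; AuditPolicyChange = 1; AuditAccountManage = 3
        AuditProcessTracking = 0; AuditDSAccess = 0; AuditAccountLogon = 3
    }
}

function ConvertFrom-AuditValue([int]$Value) {
    # Legacy audit values are a bitmask: 1 = Success, 2 = Failure
    $names = @('No auditing', 'Success', 'Failure', 'Success + Failure')
    $names[$Value -band 3]
}
function Read-InfSections([string[]]$Lines) {
    # Returns @{ SectionName = @{ Key = Value } }; lines starting with ';' are comments
    $sections = @{}; $current = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{} }
        elseif ($current -and $t -match '^([^=;]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }
    $sections
}
function Test-SecurityPolicyBaseline([string[]]$Lines) {
    $inf = Read-InfSections $Lines
    foreach ($section in $Baseline.Keys) {
        foreach ($name in $Baseline[$section].Keys) {
            $want = $Baseline[$section][$name]
            # A missing section or key yields $null and is reported as non-compliant
            $have = if ($inf.ContainsKey($section)) { $inf[$section][$name] } else { $null }
            $meaning = if ($section -eq 'Event Audit' -and $null -ne $have) { ConvertFrom-AuditValue $have } else { '' }
            [pscustomobject]@{
                Section = $section; Setting = $name; Expected = $want; Actual = $have
                Meaning = $meaning; Compliant = ("$have" -eq "$want")
            }
        }
    }
}

# Constructed sample: AuditAccountLogon drifted from 3 to 1; omitted settings report as missing.
$sample = @'
[System Access]
EnableGuestAccount = 0
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 1
'@ -split "`r?`n"
Test-SecurityPolicyBaseline $sample | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

To check a real GPO, pass the file content instead of the sample, for example `Test-SecurityPolicyBaseline (Get-Content <path to GptTmpl.inf>)`.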