Damien Coles f172d00514 Initial release: Declarative AD Framework v2.1.0
Infrastructure-as-code framework for Active Directory objects and Group Policy.
Sanitized from production deployment for public sharing.
2026-02-19 17:02:42 +00:00

Admins-01 GPO

GUID: Auto-created on first Apply-GPOBaseline.ps1 run
Linked to: OU=ExampleAdmins,DC=example,DC=internal
Scope: User Configuration (HKCU) -- Administrative Templates only

This GPO applies to delegated administrator accounts in the ExampleAdmins OU. Unlike Users-01, it does NOT restrict access to management tools (regedit, cmd, Run, etc.). Instead it focuses on session security and accountability.

Settings

Session Security

| Setting | Value | Effect |
|---|---|---|
| ScreenSaveActive | 1 | Enable screensaver (required for lock timeout) |
| ScreenSaveTimeOut | 600 | Lock screen after 10 minutes idle |
| ScreenSaverIsSecure | 1 | Require password to unlock |

Accountability

| Setting | Value | Effect |
|---|---|---|
| EnableScriptBlockLogging | 1 | Logs all PowerShell script blocks to event log |
| EnableTranscripting | 1 | Full transcript of all PowerShell sessions |

Taskbar Cleanup

| Setting | Value | Effect |
|---|---|---|
| TurnOffWindowsCopilot | 1 | Disables Windows Copilot |
| TaskbarDa | 0 | Hides Widgets |
| SearchboxTaskbarMode | 0 | Hides Search box |

Design Rationale

Admins need unrestricted access to system tools. The policies here enforce:

  1. Session security -- unattended admin sessions auto-lock after 10 minutes
  2. Audit trail -- all PowerShell activity is logged for forensic review
  3. Clean workspace -- distracting taskbar elements removed

Actual admin privileges come from membership in the DelegatedAdmins security group, not from this GPO.
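
One way to confirm that the Session Security and Accountability settings listed above are in effect for a signed-in admin, as an added example that is not part of the framework's own code. It assumes the GPO writes these value names to their standard Windows policy keys under HKCU\Software\Policies; the function name Test-AdminsBaseline is hypothetical.

```powershell
# Added example (not from the framework). Run in the session of the admin
# account being checked; `gpresult /r /scope user` shows whether the GPO applied.
# Assumption: the GPO writes to the standard Windows policy keys listed below.
$desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$psRoot  = 'HKCU:\Software\Policies\Microsoft\Windows\PowerShell'

$expected = @(
    @{ Key = $desktop;                     Name = 'ScreenSaveActive';         Value = '1'   }
    @{ Key = $desktop;                     Name = 'ScreenSaveTimeOut';        Value = '600' }
    @{ Key = $desktop;                     Name = 'ScreenSaverIsSecure';      Value = '1'   }
    @{ Key = "$psRoot\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = '1'   }
    @{ Key = "$psRoot\Transcription";      Name = 'EnableTranscripting';      Value = '1'   }
)

function Test-AdminsBaseline {
    param([Parameter(Mandatory)][object[]]$Settings)

    foreach ($s in $Settings) {
        # A missing key or value means the policy never reached this user hive.
        $actual = $null
        $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        if ($item) {
            # Screensaver values are REG_SZ, PowerShell values are REG_DWORD;
            # compare as strings so both types are handled the same way.
            $actual = [string]$item.($s.Name)
        }

        [pscustomobject]@{
            Setting   = $s.Name
            Expected  = $s.Value
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = ($actual -eq $s.Value)
        }
    }
}

$results = Test-AdminsBaseline -Settings $expected
$results | Format-Table -AutoSize

# Surface drift explicitly so the check can be used in a scheduled audit.
$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} setting(s) do not match the Admins-01 baseline." -f $drift.Count)
}
```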