Infrastructure-as-code framework for Active Directory objects and Group Policy. Sanitized from production deployment for public sharing.
42 lines
1.5 KiB
Markdown
# Admins-01 GPO

**GUID:** Auto-created on first `Apply-GPOBaseline.ps1` run

**Linked to:** `OU=ExampleAdmins,DC=example,DC=internal`

**Scope:** User Configuration (HKCU) -- Administrative Templates only

This GPO applies to delegated administrator accounts in the ExampleAdmins OU. Unlike Users-01, it does NOT restrict access to management tools (regedit, cmd, Run, etc.). Instead it focuses on session security and accountability.

## Settings

### Session Security

| Setting | Value | Effect |
|---|---|---|
| ScreenSaveActive | 1 | Enable screensaver (required for lock timeout) |
| ScreenSaveTimeOut | 600 | Lock screen after 10 minutes idle |
| ScreenSaverIsSecure | 1 | Require password to unlock |

### Accountability

| Setting | Value | Effect |
|---|---|---|
| EnableScriptBlockLogging | 1 | Logs all PowerShell script blocks to event log |
| EnableTranscripting | 1 | Full transcript of all PowerShell sessions |

### Taskbar Cleanup

| Setting | Value | Effect |
|---|---|---|
| TurnOffWindowsCopilot | 1 | Disables Windows Copilot |
| TaskbarDa | 0 | Hides Widgets |
| SearchboxTaskbarMode | 0 | Hides Search box |

## Design Rationale

Admins need unrestricted access to system tools. The policies here enforce:

1. **Session security** -- unattended admin sessions auto-lock after 10 minutes
2. **Audit trail** -- all PowerShell activity is logged for forensic review
3. **Clean workspace** -- distracting taskbar elements removed

Actual admin privileges come from membership in the DelegatedAdmins security group, not from this GPO.
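
A drift check for the session-security and accountability settings above, run in the admin's own session. This is an added example, not part of this repository; the registry key paths are assumptions (the standard Administrative Templates locations under HKCU) and `Test-PolicyValue` is a hypothetical helper name.

```powershell
# Added example: compare the logged-on user's effective HKCU policy values
# with the Session Security and Accountability tables of Admins-01.
# ASSUMPTION: key paths are the standard Administrative Templates locations;
# the baseline script in this repository may write elsewhere.
$Expected = @(
    @{ Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       Name = 'ScreenSaveActive';         Value = '1' }
    @{ Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       Name = 'ScreenSaveTimeOut';        Value = '600' }
    @{ Key = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       Name = 'ScreenSaverIsSecure';      Value = '1' }
    @{ Key = 'Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Name = 'EnableScriptBlockLogging'; Value = '1' }
    @{ Key = 'Software\Policies\Microsoft\Windows\PowerShell\Transcription'
       Name = 'EnableTranscripting';      Value = '1' }
)

function Test-PolicyValue {
    param([Parameter(Mandatory)] [hashtable] $Setting)

    $path   = 'HKCU:\{0}' -f $Setting.Key
    $actual = $null
    # A missing key or value means the GPO has not applied to this user.
    if (Test-Path -LiteralPath $path) {
        $item = Get-ItemProperty -LiteralPath $path -Name $Setting.Name `
                    -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Setting.Name) }
    }
    # Compare as strings: screensaver values are REG_SZ, logging values DWORD.
    [pscustomobject]@{
        Name     = $Setting.Name
        Expected = $Setting.Value
        Actual   = if ($null -eq $actual) { '<not set>' } else { [string]$actual }
        Pass     = ($null -ne $actual) -and ([string]$actual -eq $Setting.Value)
    }
}

$results = $Expected | ForEach-Object { Test-PolicyValue -Setting $_ }
$results | Format-Table -AutoSize

# Non-zero exit code when run as a script, so a scheduled check can alert.
if ($results.Pass -contains $false) { exit 1 }
```

A `<not set>` result for an account that should be covered usually means the account sits outside the linked OU or the GPO has not refreshed yet; `gpresult /r /scope:user` shows which GPOs applied.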