Damien Coles f172d00514 Initial release: Declarative AD Framework v2.1.0
Infrastructure-as-code framework for Active Directory objects and Group Policy.
Sanitized from production deployment for public sharing.
2026-02-19 17:02:42 +00:00


# Default Domain Controllers Policy -- Settings Declaration
# GPO GUID: {6AC1786C-016F-11D2-945F-00C04FB984F9} (built-in, same on all domains)
# Linked to: OU=Domain Controllers,DC=example,DC=internal
#
# This GPO controls user rights assignments and security options for domain controllers.
# Privilege Rights use *SID notation as required by GptTmpl.inf format.
# Resolve custom group SIDs at evaluation time so they stay correct if groups are recreated
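# Resolve the MasterAdmins group SID at evaluation time (see header comment).
# -ErrorAction Stop makes a failed lookup terminating regardless of the module's
# default error behaviour, and the explicit guard below catches the remaining case
# where the cmdlet returns nothing: without it $masterAdminsSID would be $null and the
# interpolation in SeRemoteInteractiveLogonRight would write a dangling '*' entry
# (no SID) into GptTmpl.inf instead of the intended group.
$masterAdminsSID = (Get-ADGroup -Identity 'MasterAdmins' -ErrorAction Stop).SID.Value
if ([string]::IsNullOrWhiteSpace($masterAdminsSID)) {
    throw "Could not resolve the SID of group 'MasterAdmins'; refusing to emit a malformed user rights assignment."
}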
@{
GPOName = 'Default Domain Controllers Policy'
Description = 'User rights assignments, security options, and signing requirements for domain controllers'
DisableUserConfiguration = $true
# Already linked at domain creation
LinkTo = $null
SecurityPolicy = @{
# Registry Values use the GptTmpl.inf '<type>,<data>' form; 4 = REG_DWORD.
# [ordered] keeps declaration order in the rendered INF.
'Registry Values' = [ordered]@{
# LDAP server signing: 1 = None (signing negotiated but not required), 2 = Require signing.
# NOTE(review): on domain controllers current Microsoft guidance is 2 (Require signing);
# leaving this at 1 permits unsigned LDAP binds. Confirm this is a deliberate compatibility
# exception rather than an oversight before deploying.
'MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity' = '4,1'
# Secure channel: always encrypt or sign
'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal' = '4,1'
# SMB server: always require signing
'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature' = '4,1'
# SMB server: sign if client agrees (redundant once signing is required above, kept for completeness)
'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature' = '4,1'
}
# Each right lists its grantees as comma-separated '*<SID>' tokens; the comment under
# each entry names the SIDs in the same order.
'Privilege Rights' = [ordered]@{
# --- Token and Process Privileges ---
# Replace a process-level token
SeAssignPrimaryTokenPrivilege = '*S-1-5-20,*S-1-5-19'
# NETWORK SERVICE, LOCAL SERVICE
# Generate security audits
# NOTE(review): S-1-5-99-... is not the S-1-5-80 (NT SERVICE) prefix that per-service SIDs
# normally carry. Confirm it resolves on the target domain; if it was altered during
# sanitization, the real Spooler service SID must be restored before this is applied.
SeAuditPrivilege = '*S-1-5-99-216390572-1995538116-3857911515-2404958512-2623887229,*S-1-5-20,*S-1-5-19'
# PrintSpoolerService, NETWORK SERVICE, LOCAL SERVICE
# Debug programs
SeDebugPrivilege = '*S-1-5-32-544'
# Administrators
# --- Backup and Restore ---
# Back up files and directories
SeBackupPrivilege = '*S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544'
# Server Operators, Backup Operators, Administrators
# Restore files and directories
SeRestorePrivilege = '*S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544'
# Server Operators, Backup Operators, Administrators
# --- Logon Rights ---
# Log on as a batch job
SeBatchLogonRight = '*S-1-5-32-559,*S-1-5-32-551,*S-1-5-32-544'
# Performance Log Users, Backup Operators, Administrators
# Allow log on locally
# NOTE(review): this is the Windows default grantee list. Hardened DC baselines usually
# trim it to Administrators and Enterprise Domain Controllers, since the *Operators groups
# gain console access to the DC here. Confirm the extra groups are needed.
SeInteractiveLogonRight = '*S-1-5-9,*S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-548,*S-1-5-32-551,*S-1-5-32-544'
# Enterprise DCs, Print Operators, Server Operators, Account Operators, Backup Operators, Administrators
# Allow log on through Remote Desktop Services
# Relies on $masterAdminsSID (resolved at the top of this file) being non-empty; an
# unresolved group would leave a trailing '*' with no SID in the rendered INF.
SeRemoteInteractiveLogonRight = "*S-1-5-32-544,*$masterAdminsSID"
# Administrators, MasterAdmins
# Access this computer from the network
# NOTE(review): Everyone (S-1-1-0) and Pre-Windows 2000 Compatible Access are the Windows
# defaults but are broader than the usual DC baseline (Administrators, Authenticated Users,
# Enterprise Domain Controllers); Everyone covers anonymous logons wherever anonymous
# access is otherwise allowed. Confirm this is intended.
SeNetworkLogonRight = '*S-1-5-32-554,*S-1-5-9,*S-1-5-11,*S-1-5-32-544,*S-1-1-0'
# Pre-Windows 2000 Compatible Access, Enterprise DCs, Authenticated Users, Administrators, Everyone
# Bypass traverse checking
# (Same non-standard S-1-5-99-... SID as in SeAuditPrivilege above; verify it resolves.)
SeChangeNotifyPrivilege = '*S-1-5-32-554,*S-1-5-11,*S-1-5-99-216390572-1995538116-3857911515-2404958512-2623887229,*S-1-5-32-544,*S-1-5-20,*S-1-5-19,*S-1-1-0'
# Pre-Windows 2000, Authenticated Users, PrintSpoolerService, Administrators, NETWORK SERVICE, LOCAL SERVICE, Everyone
# --- Domain and Machine Management ---
# Add workstations to domain
# NOTE(review): granting this to Authenticated Users is the Windows default, but combined
# with the domain's ms-DS-MachineAccountQuota (not controlled by this GPO) it lets any
# domain user create computer accounts, which is a common precondition for delegation
# abuse. Hardening baselines restrict this to Administrators; confirm intent.
SeMachineAccountPrivilege = '*S-1-5-11'
# Authenticated Users
# Enable delegation
SeEnableDelegationPrivilege = '*S-1-5-32-544'
# Administrators
# --- System Privileges ---
# Create a pagefile
SeCreatePagefilePrivilege = '*S-1-5-32-544'
# Administrators
# Increase scheduling priority
SeIncreaseBasePriorityPrivilege = '*S-1-5-90-0,*S-1-5-32-544'
# Window Manager Group, Administrators
# Adjust memory quotas for a process
SeIncreaseQuotaPrivilege = '*S-1-5-32-544,*S-1-5-20,*S-1-5-19'
# Administrators, NETWORK SERVICE, LOCAL SERVICE
# Load and unload device drivers
# NOTE(review): Print Operators is the Windows default here, but loading a kernel driver on a
# DC is equivalent to SYSTEM, so this effectively makes Print Operators a Tier-0 group.
# Baselines recommend Administrators only; confirm the group still needs it.
SeLoadDriverPrivilege = '*S-1-5-32-550,*S-1-5-32-544'
# Print Operators, Administrators
# Profile single process
SeProfileSingleProcessPrivilege = '*S-1-5-32-544'
# Administrators
# Profile system performance
SeSystemProfilePrivilege = '*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420,*S-1-5-32-544'
# WdiServiceHost, Administrators
# --- Shutdown ---
# Force shutdown from a remote system
SeRemoteShutdownPrivilege = '*S-1-5-32-549,*S-1-5-32-544'
# Server Operators, Administrators
# Shut down the system
SeShutdownPrivilege = '*S-1-5-32-550,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-32-544'
# Print Operators, Server Operators, Backup Operators, Administrators
# --- Security and Audit ---
# Manage auditing and security log
SeSecurityPrivilege = '*S-1-5-32-544'
# Administrators
# Take ownership of files or other objects
SeTakeOwnershipPrivilege = '*S-1-5-32-544'
# Administrators
# --- Environment and Hardware ---
# Modify firmware environment values
SeSystemEnvironmentPrivilege = '*S-1-5-32-544'
# Administrators
# Change the system time
SeSystemTimePrivilege = '*S-1-5-32-549,*S-1-5-32-544,*S-1-5-19'
# Server Operators, Administrators, LOCAL SERVICE
# Remove computer from docking station
SeUndockPrivilege = '*S-1-5-32-544'
# Administrators
}
}
# No registry-based (Administrative Template) settings in this GPO
RegistrySettings = @()
}