Damien Coles f172d00514 Initial release: Declarative AD Framework v2.1.0
Infrastructure-as-code framework for Active Directory objects and Group Policy.
Sanitized from production deployment for public sharing.
2026-02-19 17:02:42 +00:00


# Default Domain Policy -- settings declaration for the declarative AD framework.
#
# GPO GUID: {31B2F340-016D-11D2-945F-00C04FB984F9}  (well-known; identical in every AD domain)
# Link:     example.internal (domain root)
#
# Account-policy settings (password, lockout, Kerberos) for DOMAIN accounts are read
# only from GPOs linked at the domain root. The same settings placed in an OU-linked
# GPO do not change domain accounts; they only affect the local SAM of member
# computers in that OU.
@{
    GPOName                  = "Default Domain Policy"
    Description              = "Domain-wide password, account lockout, and Kerberos policies"

    # Built-in GPO: it is linked when the domain is created, so no link is declared.
    LinkTo                   = $null

    # Account policy lives under Computer Configuration; the user side stays disabled.
    DisableUserConfiguration = $true

    # No Administrative Template (registry-based) settings are declared for this GPO.
    RegistrySettings         = @()

    # Security-template sections. [ordered] keeps declaration order when each
    # table is enumerated; the outer tables are plain hashtables.
    SecurityPolicy = @{
        "System Access" = [ordered]@{
            # ---- Password policy ----
            MinimumPasswordAge           = 1   # days; >0 stops a user cycling through the history to reuse an old password
            MaximumPasswordAge           = 42  # days until a change is forced (0 would mean never expires)
            MinimumPasswordLength        = 7   # characters; below current baseline guidance (MS/CIS: 14) -- raise when clients permit
            PasswordComplexity           = 1   # 1 = enabled: 3 of 4 character classes, no account-name fragments
            PasswordHistorySize          = 24  # previous passwords remembered (24 is the maximum the policy accepts)
            ClearTextPassword            = 0   # 0 = never store passwords with reversible encryption
            RequireLogonToChangePassword = 0   # 0 = disabled
            ForceLogoffWhenHourExpire    = 0   # 0 = sessions continue after logon hours end
            LSAAnonymousNameLookup       = 0   # 0 = anonymous SID-to-name translation blocked
            # ---- Account lockout policy ----
            LockoutBadCount              = 5   # failed attempts before lockout (0 would disable lockout entirely)
            ResetLockoutCount            = 30  # minutes before the bad-attempt counter resets; must not exceed LockoutDuration
            LockoutDuration              = 30  # minutes the account stays locked (0 would require an admin unlock)
        }
        "Kerberos Policy" = [ordered]@{
            MaxTicketAge         = 10  # hours; TGT lifetime (Windows default)
            MaxRenewAge          = 7   # days; TGT renewal window (Windows default)
            MaxServiceAge        = 600 # minutes; service-ticket lifetime (Windows default)
            MaxClockSkew         = 5   # minutes; a larger skew widens the window in which a captured ticket is still accepted
            TicketValidateClient = 1   # 1 = "Enforce user logon restrictions": KDC re-checks logon rights on each session-ticket request
        }
        "Registry Values" = [ordered]@{
            # Value syntax follows the secedit INF form "<type>,<data>", where 4 = REG_DWORD.
            # NoLMHash = 1 stops the LM hash being stored at the next password change; LM hashes
            # already on disk remain until each account's password is changed.
            'MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash' = '4,1'
        }
    }
}