Damien Coles f172d00514 Initial release: Declarative AD Framework v2.1.0
Infrastructure-as-code framework for Active Directory objects and Group Policy.
Sanitized from production deployment for public sharing.
2026-02-19 17:02:42 +00:00

Workstations-01 GPO

GUID: Auto-created on first Apply-GPOBaseline.ps1 run
Linked to: OU=ExampleWorkstations,DC=example,DC=internal
Scope: Computer Configuration (HKLM) -- Security Policy + Administrative Templates

This GPO applies to all computer objects in the ExampleWorkstations OU. It uses both SecurityPolicy (GptTmpl.inf) and RegistrySettings (Set-GPRegistryValue).

Settings

Security Policy (GptTmpl.inf)

System Access

| Setting | Value | Effect |
|---|---|---|
| EnableGuestAccount | 0 | Disables the local guest account |

Event Audit

| Setting | Value | Effect |
|---|---|---|
| AuditSystemEvents | 1 | Success |
| AuditLogonEvents | 3 | Success + Failure |
| AuditObjectAccess | 2 | Failure |
| AuditPrivilegeUse | 2 | Failure |
| AuditPolicyChange | 1 | Success |
| AuditAccountManage | 3 | Success + Failure |
| AuditProcessTracking | 0 | No auditing |
| AuditDSAccess | 0 | No auditing (irrelevant for workstations) |
| AuditAccountLogon | 3 | Success + Failure |

Security Options (Registry Values in GptTmpl.inf)

| Setting | Value | Effect |
|---|---|---|
| InactivityTimeoutSecs | 900 | Lock screen after 15 minutes idle |
| DontDisplayLastUserName | 1 | Login screen does not reveal usernames |
| DisableCAD | 0 | Ctrl+Alt+Del required at login |

Administrative Templates (Registry-based)

Autorun / Autoplay

| Setting | Value | Effect |
|---|---|---|
| NoDriveTypeAutoRun | 255 | Disable autorun on all drive types |
| NoAutorun | 1 | Disable autoplay entirely |

Windows Update

| Setting | Value | Effect |
|---|---|---|
| NoAutoUpdate | 0 | Automatic updates enabled |
| AUOptions | 4 | Auto download + scheduled install |
| ScheduledInstallDay | 0 | Every day |
| ScheduledInstallTime | 3 | 3:00 AM |

Logging & Auditing

| Setting | Value | Effect |
|---|---|---|
| EnableScriptBlockLogging | 1 | PowerShell script block logging enabled |
| Application MaxSize | 32768 KB | 32 MB application event log |
| Security MaxSize | 196608 KB | 192 MB security event log |
| System MaxSize | 32768 KB | 32 MB system event log |

Remote Desktop

| Setting | Value | Effect |
|---|---|---|
| UserAuthentication | 1 | Network Level Authentication required for RDP |

WMI Filter

| Property | Value |
|---|---|
| Name | Workstations Only |
| Query | SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 |

Defense-in-depth: ensures this GPO only applies to workstation operating systems, even if a server object lands in the ExampleWorkstations OU by mistake.

Restricted Groups

| Local Group | Enforced Members |
|---|---|
| BUILTIN\Administrators | Domain Admins, MasterAdmins |

Any locally-added administrator accounts are removed on next GPO refresh. This prevents local admin creep on workstations.

Notes

  • First GPO in this repo to use both SecurityPolicy and RegistrySettings together
  • Audit policy uses legacy categories (not Advanced Audit Policy Configuration subcategories)
  • Event log sizes are generous -- 192 MB security log supports forensic investigation
  • Windows Update schedule assumes workstations are powered on overnight or use wake timers
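
To confirm on a workstation that the registry-backed settings in the Security Options and Administrative Templates tables actually applied, the following drift check can be run after a policy refresh. It is an added example, not code from this repository; the function name `Test-WorkstationBaseline` is hypothetical, and the registry key paths are the standard Windows policy locations, assumed here because the page lists value names only.

```powershell
# Added example (not the repo's code): compare effective registry values with this GPO's documented baseline.
# Key paths are the standard Windows policy locations (assumption; the page gives value names only).
$Sys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Expl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AU   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$SBL  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$Log  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'
$TS   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Expected DWORD values, copied from the tables on this page (MaxSize is in KB)
$Baseline = @(
    @{ Key = $Sys;  Name = 'InactivityTimeoutSecs';    Want = 900 }
    @{ Key = $Sys;  Name = 'DontDisplayLastUserName';  Want = 1 }
    @{ Key = $Sys;  Name = 'DisableCAD';               Want = 0 }
    @{ Key = $Expl; Name = 'NoDriveTypeAutoRun';       Want = 255 }
    @{ Key = $Expl; Name = 'NoAutorun';                Want = 1 }
    @{ Key = $AU;   Name = 'NoAutoUpdate';             Want = 0 }
    @{ Key = $AU;   Name = 'AUOptions';                Want = 4 }
    @{ Key = $AU;   Name = 'ScheduledInstallDay';      Want = 0 }
    @{ Key = $AU;   Name = 'ScheduledInstallTime';     Want = 3 }
    @{ Key = $SBL;  Name = 'EnableScriptBlockLogging'; Want = 1 }
    @{ Key = "$Log\Application"; Name = 'MaxSize';     Want = 32768 }
    @{ Key = "$Log\Security";    Name = 'MaxSize';     Want = 196608 }
    @{ Key = "$Log\System";      Name = 'MaxSize';     Want = 32768 }
    @{ Key = $TS;   Name = 'UserAuthentication';       Want = 1 }
)

function Test-WorkstationBaseline {
    param([hashtable[]]$Expected = $Baseline)
    foreach ($e in $Expected) {
        # A missing key or value yields $null, which is reported as drift
        $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Key       = $e.Key
            Name      = $e.Name
            Expected  = $e.Want
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ($actual -eq $e.Want)
        }
    }
}

# Same condition as the "Workstations Only" WMI filter: ProductType 1 is a workstation OS
if ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1) {
    Write-Warning 'Not a workstation OS; the WMI filter excludes this machine from the GPO.'
}
$drift = @(Test-WorkstationBaseline | Where-Object { -not $_.Compliant })
$drift | Format-Table Name, Expected, Actual, Key -AutoSize
'{0} setting(s) out of baseline' -f $drift.Count
```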