projects/declarative-ad-framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
declarative-ad-framework/gpo/adminworkstations-01/README.md
Damien Coles f172d00514 Initial release: Declarative AD Framework v2.1.0 
Infrastructure-as-code framework for Active Directory objects and Group Policy.
Sanitized from production deployment for public sharing.
2026-02-19 17:02:42 +00:00

3.7 KiB
Raw Blame History

AdminWorkstations-01 GPO

Privileged Access Workstation (PAW) policy for admin endpoints in the ExampleAdminWorkstations OU.

Linked To

OU=ExampleAdminWorkstations,DC=example,DC=internal

Design

Builds on the same foundation as Workstations-01 but with:

  • Full audit coverage -- every category audits both success and failure (including process tracking)
  • PowerShell transcription -- complete session recording to C:\PSlogs\Transcripts for forensics
  • Module logging -- all PowerShell modules logged
  • Command line in process creation -- Event ID 4688 includes full command line
  • Larger event logs -- 2x workstation sizes to accommodate heavier admin activity
  • Tighter inactivity timeout -- 10 min vs 15 min for workstations

WMI Filter

Property Value
Name Workstations Only
Query SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1

Defense-in-depth: ensures this GPO only applies to workstation operating systems.

Restricted Groups

Local Group Enforced Members
BUILTIN\Administrators Domain Admins, MasterAdmins

Any locally-added administrator accounts are removed on next GPO refresh.

Security Policy Settings (GptTmpl.inf)

System Access

Setting Value Effect
EnableGuestAccount 0 Local guest account disabled

Event Audit

Setting Value Effect
AuditSystemEvents 3 Success + Failure
AuditLogonEvents 3 Success + Failure
AuditObjectAccess 3 Success + Failure
AuditPrivilegeUse 3 Success + Failure
AuditPolicyChange 3 Success + Failure
AuditAccountManage 3 Success + Failure
AuditProcessTracking 1 Success
AuditDSAccess 0 None (not a DC)
AuditAccountLogon 3 Success + Failure

Registry Values (Security Options)

Setting Value Effect
InactivityTimeoutSecs 600 Auto-lock after 10 minutes
DontDisplayLastUserName 1 Don't show last user at login screen
DisableCAD 0 Require Ctrl+Alt+Del
LocalAccountTokenFilterPolicy 1 Allow unfiltered admin tokens over WinRM (enables remote GPO/AD management without RDP)

Registry Settings (Administrative Templates)

Autorun / Autoplay

Key ValueName Value Effect
Policies\Explorer NoDriveTypeAutoRun 255 Disable autorun on all drives
Policies\Explorer NoAutorun 1 Disable autoplay

Windows Update

Key ValueName Value Effect
WindowsUpdate\AU NoAutoUpdate 0 Enable automatic updates
WindowsUpdate\AU AUOptions 4 Auto download + schedule install
WindowsUpdate\AU ScheduledInstallDay 0 Every day
WindowsUpdate\AU ScheduledInstallTime 3 3:00 AM

Logging & Auditing

Key ValueName Value Effect
PowerShell\ScriptBlockLogging EnableScriptBlockLogging 1 Log all script blocks
PowerShell\Transcription EnableTranscripting 1 Record full PS sessions
PowerShell\Transcription OutputDirectory C:\PSlogs\Transcripts Transcript save location
PowerShell\Transcription EnableInvocationHeader 1 Timestamp per command
PowerShell\ModuleLogging EnableModuleLogging 1 Log all module activity
PowerShell\ModuleLogging\ModuleNames * * All modules
System\Audit ProcessCreationIncludeCmdLine_Enabled 1 Command line in Event 4688

Event Log Sizes

Log Size vs. Workstations-01
Application 64 MB 2x
Security 256 MB ~1.3x
System 64 MB 2x
PowerShell 64 MB new

Remote Desktop

Key ValueName Value Effect
Terminal Services UserAuthentication 1 Require NLA