Damien Coles f172d00514 Initial release: Declarative AD Framework v2.1.0
Infrastructure-as-code framework for Active Directory objects and Group Policy.
Sanitized from production deployment for public sharing.
2026-02-19 17:02:42 +00:00


# AdminWorkstations-01 GPO
Privileged Access Workstation (PAW) policy for admin endpoints in the ExampleAdminWorkstations OU.
## Linked To
`OU=ExampleAdminWorkstations,DC=example,DC=internal`
## Design
Builds on the same foundation as Workstations-01 but with:
- **Full audit coverage** -- every category audits both success and failure (including process tracking)
- **PowerShell transcription** -- complete session recording to `C:\PSlogs\Transcripts` for forensics
- **Module logging** -- all PowerShell modules logged
- **Command line in process creation** -- Event ID 4688 includes full command line
- **Larger event logs** -- 2x workstation sizes to accommodate heavier admin activity
- **Tighter inactivity timeout** -- 10 min vs 15 min for workstations
## WMI Filter
| Property | Value |
|---|---|
| Name | Workstations Only |
| Query | `SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1` |

Defense-in-depth: ensures this GPO only applies to workstation operating systems.
## Restricted Groups
| Local Group | Enforced Members |
|---|---|
| BUILTIN\Administrators | Domain Admins, MasterAdmins |

Any locally-added administrator accounts are removed on next GPO refresh.
## Security Policy Settings (GptTmpl.inf)
### System Access
| Setting | Value | Effect |
|---|---|---|
| EnableGuestAccount | 0 | Local guest account disabled |
### Event Audit
| Setting | Value | Effect |
|---|---|---|
| AuditSystemEvents | 3 | Success + Failure |
| AuditLogonEvents | 3 | Success + Failure |
| AuditObjectAccess | 3 | Success + Failure |
| AuditPrivilegeUse | 3 | Success + Failure |
| AuditPolicyChange | 3 | Success + Failure |
| AuditAccountManage | 3 | Success + Failure |
| AuditProcessTracking | 1 | Success |
| AuditDSAccess | 0 | None (not a DC) |
| AuditAccountLogon | 3 | Success + Failure |
### Registry Values (Security Options)
| Setting | Value | Effect |
|---|---|---|
| InactivityTimeoutSecs | 600 | Auto-lock after 10 minutes |
| DontDisplayLastUserName | 1 | Don't show last user at login screen |
| DisableCAD | 0 | Require Ctrl+Alt+Del |
| LocalAccountTokenFilterPolicy | 1 | Allow unfiltered admin tokens over WinRM (enables remote GPO/AD management without RDP); note this also lifts UAC remote restrictions for local administrator accounts, so local admin passwords must be unique per host |
## Registry Settings (Administrative Templates)
### Autorun / Autoplay
| Key | ValueName | Value | Effect |
|---|---|---|---|
| Policies\Explorer | NoDriveTypeAutoRun | 255 | Disable autorun on all drives |
| Policies\Explorer | NoAutorun | 1 | Disable autoplay |
### Windows Update
| Key | ValueName | Value | Effect |
|---|---|---|---|
| WindowsUpdate\AU | NoAutoUpdate | 0 | Enable automatic updates |
| WindowsUpdate\AU | AUOptions | 4 | Auto download + schedule install |
| WindowsUpdate\AU | ScheduledInstallDay | 0 | Every day |
| WindowsUpdate\AU | ScheduledInstallTime | 3 | 3:00 AM |
### Logging & Auditing
| Key | ValueName | Value | Effect |
|---|---|---|---|
| PowerShell\ScriptBlockLogging | EnableScriptBlockLogging | 1 | Log all script blocks |
| PowerShell\Transcription | EnableTranscripting | 1 | Record full PS sessions |
| PowerShell\Transcription | OutputDirectory | C:\PSlogs\Transcripts | Transcript save location |
| PowerShell\Transcription | EnableInvocationHeader | 1 | Timestamp per command |
| PowerShell\ModuleLogging | EnableModuleLogging | 1 | Log all module activity |
| PowerShell\ModuleLogging\ModuleNames | * | * | All modules |
| System\Audit | ProcessCreationIncludeCmdLine_Enabled | 1 | Command line in Event 4688 |
### Event Log Sizes
| Log | Size | vs. Workstations-01 |
|---|---|---|
| Application | 64 MB | 2x |
| Security | 256 MB | ~1.3x |
| System | 64 MB | 2x |
| PowerShell | 64 MB | new |
### Remote Desktop
| Key | ValueName | Value | Effect |
|---|---|---|---|
| Terminal Services | UserAuthentication | 1 | Require NLA |
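An added compliance check, not part of the framework, that verifies the registry-backed settings in the tables above on a PAW after `gpupdate /force` and reports each as OK, DRIFT or MISSING. The full `HKLM:` paths are the standard policy locations for the relative keys the tables list; the Event Audit settings in `GptTmpl.inf` are not registry values and are left to `auditpol`.

```powershell
# Compliance check for AdminWorkstations-01 (added example, not framework code).
# Full HKLM paths are the standard policy locations for the README's relative keys.
$PolSys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolExp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PolWU  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$PolPS  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$PolTS  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Expected values, taken from the tables in this README.
$Expected = @(
    @{ Path = $PolSys;          Name = 'InactivityTimeoutSecs';         Value = 600 }
    @{ Path = $PolSys;          Name = 'DontDisplayLastUserName';       Value = 1 }
    @{ Path = $PolSys;          Name = 'DisableCAD';                    Value = 0 }
    @{ Path = $PolSys;          Name = 'LocalAccountTokenFilterPolicy'; Value = 1 }
    @{ Path = "$PolSys\Audit";  Name = 'ProcessCreationIncludeCmdLine_Enabled'; Value = 1 }
    @{ Path = $PolExp;          Name = 'NoDriveTypeAutoRun';            Value = 255 }
    @{ Path = $PolExp;          Name = 'NoAutorun';                     Value = 1 }
    @{ Path = $PolWU;           Name = 'NoAutoUpdate';                  Value = 0 }
    @{ Path = $PolWU;           Name = 'AUOptions';                     Value = 4 }
    @{ Path = $PolWU;           Name = 'ScheduledInstallDay';           Value = 0 }
    @{ Path = $PolWU;           Name = 'ScheduledInstallTime';          Value = 3 }
    @{ Path = "$PolPS\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = 1 }
    @{ Path = "$PolPS\Transcription";      Name = 'EnableTranscripting';      Value = 1 }
    @{ Path = "$PolPS\Transcription";      Name = 'OutputDirectory';  Value = 'C:\PSlogs\Transcripts' }
    @{ Path = "$PolPS\Transcription";      Name = 'EnableInvocationHeader';   Value = 1 }
    @{ Path = "$PolPS\ModuleLogging";      Name = 'EnableModuleLogging';      Value = 1 }
    @{ Path = "$PolPS\ModuleLogging\ModuleNames"; Name = '*';                 Value = '*' }
    @{ Path = $PolTS;           Name = 'UserAuthentication';            Value = 1 }
)

$Results = foreach ($e in $Expected) {
    # RegistryKey.GetValue() takes the literal value name, so '*' is not a wildcard here.
    $key    = Get-Item -Path $e.Path -ErrorAction SilentlyContinue
    $actual = if ($key) { $key.GetValue($e.Name) } else { $null }
    $status = if ($null -eq $actual)                   { 'MISSING' }
              elseif ("$actual" -eq "$($e.Value)")     { 'OK' }
              else                                     { 'DRIFT' }
    [pscustomobject]@{ Setting = $e.Name; Expected = $e.Value; Actual = $actual; Status = $status }
}

$Results | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or monitoring agent flag the host.
if ($Results.Status -contains 'DRIFT' -or $Results.Status -contains 'MISSING') { exit 1 }
```

Run it elevated so the policy hives are readable; a host that has not yet refreshed policy will show MISSING rather than DRIFT.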