Workstations-01 GPO
GUID: Auto-created on first Apply-GPOBaseline.ps1 run
Linked to: OU=ExampleWorkstations,DC=example,DC=internal
Scope: Computer Configuration (HKLM) -- Security Policy + Administrative Templates
This GPO applies to all computer objects in the ExampleWorkstations OU; the WMI filter below further limits it to workstation operating systems. It delivers settings through two mechanisms: SecurityPolicy (GptTmpl.inf, processed by the Security Settings client-side extension) and RegistrySettings (Administrative Templates values written with Set-GPRegistryValue).
Settings
Security Policy (GptTmpl.inf)
System Access
| Setting | Value | Effect |
|---|---|---|
| EnableGuestAccount | 0 | Disables the local Guest account |
Event Audit
| Setting | Value | Effect |
|---|---|---|
| AuditSystemEvents | 1 | Success |
| AuditLogonEvents | 3 | Success + Failure |
| AuditObjectAccess | 2 | Failure |
| AuditPrivilegeUse | 2 | Failure |
| AuditPolicyChange | 1 | Success |
| AuditAccountManage | 3 | Success + Failure |
| AuditProcessTracking | 0 | No auditing (no 4688 process creation events) |
| AuditDSAccess | 0 | No auditing (directory service access only occurs on domain controllers) |
| AuditAccountLogon | 3 | Success + Failure |

Legacy category values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
Security Options (Registry Values in GptTmpl.inf)
| Setting | Value | Effect |
|---|---|---|
| InactivityTimeoutSecs | 900 | Lock the screen after 15 minutes (900 s) idle |
| DontDisplayLastUserName | 1 | Logon screen does not show the last signed-in username |
| DisableCAD | 0 | Ctrl+Alt+Del (secure attention sequence) required at logon |

These are written to HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System via the [Registry Values] section of GptTmpl.inf.
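A workstation-side check for the GptTmpl.inf settings above, added here as an example and not part of Apply-GPOBaseline.ps1: it exports the effective local security policy with secedit.exe, parses the INI sections, and reports any value that differs from the tables on this page. The expected values and the policy key path come from this page; the temp file name is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example (not the repo's Apply-GPOBaseline.ps1): diff the effective local
# security policy of a workstation against the Workstations-01 GptTmpl.inf values.
# Run from an elevated prompt after "gpupdate /force".

# Expected values from the tables above. secedit writes security options as
# "<type>,<value>" where type 4 = REG_DWORD.
$sys = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$expected = @{
    'System Access'   = @{ EnableGuestAccount = '0' }
    'Event Audit'     = @{
        AuditSystemEvents    = '1'; AuditLogonEvents  = '3'; AuditObjectAccess  = '2'
        AuditPrivilegeUse    = '2'; AuditPolicyChange = '1'; AuditAccountManage = '3'
        AuditProcessTracking = '0'; AuditDSAccess     = '0'; AuditAccountLogon  = '3'
    }
    'Registry Values' = @{
        "$sys\InactivityTimeoutSecs"   = '4,900'
        "$sys\DontDisplayLastUserName" = '4,1'
        "$sys\DisableCAD"              = '4,0'
    }
}

# Mirror the WMI filter: ProductType 1 = workstation, 2 = domain controller, 3 = server
$productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
if ($productType -ne 1) {
    Write-Warning "ProductType=$productType is not a workstation; Workstations-01 should not apply here"
}

# Export the effective policy (secedit writes UTF-16LE) and parse it section by section
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $cfg | Out-Null
if (-not (Test-Path -Path $cfg)) { throw 'secedit export failed; run from an elevated prompt' }

$policy  = @{}
$section = $null
foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
    if ($line -match '^\[(.+)\]\s*$') {
        $section = $Matches[1]
        $policy[$section] = @{}
    } elseif ($section -and $line -match '^(.+?)\s*=\s*(.*?)\s*$') {
        $policy[$section][$Matches[1]] = $Matches[2]
    }
}
Remove-Item -Path $cfg -Force

# Report every baseline setting whose exported value is missing or different
$drift = foreach ($sec in $expected.Keys) {
    foreach ($name in $expected[$sec].Keys) {
        $actual = if ($policy.ContainsKey($sec)) { $policy[$sec][$name] } else { $null }
        if ($actual -ne $expected[$sec][$name]) {
            [pscustomobject]@{ Section = $sec; Setting = $name; Expected = $expected[$sec][$name]; Actual = $actual }
        }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { 'Local security policy matches the Workstations-01 baseline' }
```

The [Event Audit] section of the export reflects the legacy category values, not what the audit subsystem is actually doing; when advanced subcategories are in effect anywhere in scope, confirm the live state with `auditpol /get /category:*` instead.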
Administrative Templates (Registry-based)
Autorun / Autoplay
| Setting | Value | Effect |
|---|---|---|
| NoDriveTypeAutoRun | 255 | Turn off AutoPlay on all drive types (0xFF bitmask) |
| NoAutorun | 1 | Do not execute autorun.inf commands on any media |

Both values live under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer. NoDriveTypeAutoRun corresponds to the "Turn off Autoplay" template and NoAutorun to "Set the default behavior for AutoRun"; setting both closes the gap where AutoPlay is suppressed but an autorun.inf could still be honoured.
Windows Update
| Setting | Value | Effect |
|---|---|---|
| NoAutoUpdate | 0 | Automatic updates enabled |
| AUOptions | 4 | Auto download and schedule the install |
| ScheduledInstallDay | 0 | Every day |
| ScheduledInstallTime | 3 | 03:00 local time |
Logging & Auditing
| Setting | Value | Effect |
|---|---|---|
| EnableScriptBlockLogging | 1 | PowerShell script block logging enabled (event 4104) |
| Application MaxSize | 32768 KB | 32 MB Application event log |
| Security MaxSize | 196608 KB | 192 MB Security event log |
| System MaxSize | 32768 KB | 32 MB System event log |
Remote Desktop
| Setting | Value | Effect |
|---|---|---|
| UserAuthentication | 1 | Network Level Authentication required for RDP |
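How the Administrative Templates values above are pushed into the GPO and read back, added here as an example rather than the repo's own Apply-GPOBaseline.ps1. The GPO name and values are taken from this page; the registry key paths are the standard policy locations for these settings, and the `New-Setting` helper is a local convenience, not a cmdlet.

```powershell
# Added example (not the repo's Apply-GPOBaseline.ps1): write the Administrative
# Templates values from this page into the Workstations-01 GPO with the GroupPolicy
# module, then read each one back. Needs RSAT (GroupPolicy module) and edit rights
# on the GPO. Key paths are the standard policy locations for these values.
Import-Module GroupPolicy

$gpoName = 'Workstations-01'

$explorer = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$wuau     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$psLog    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$evtLog   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog'
$rdp      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Local helper (assumption, not a GroupPolicy cmdlet) to build one setting record
function New-Setting ($Key, $Name, $Value) {
    [pscustomobject]@{ Key = $Key; Name = $Name; Value = [int]$Value }
}

# All values are REG_DWORD; MaxSize is in KB
$settings = @(
    New-Setting $explorer 'NoDriveTypeAutoRun'       255    # AutoPlay off on every drive type
    New-Setting $explorer 'NoAutorun'                1      # never run autorun.inf commands
    New-Setting $wuau     'NoAutoUpdate'             0
    New-Setting $wuau     'AUOptions'                4      # auto download + scheduled install
    New-Setting $wuau     'ScheduledInstallDay'      0      # every day
    New-Setting $wuau     'ScheduledInstallTime'     3      # 03:00
    New-Setting $psLog    'EnableScriptBlockLogging' 1
    New-Setting "$evtLog\Application" 'MaxSize'      32768
    New-Setting "$evtLog\Security"    'MaxSize'      196608
    New-Setting "$evtLog\System"      'MaxSize'      32768
    New-Setting $rdp      'UserAuthentication'       1      # require NLA for RDP
)

foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}

# Read-back: any value that is missing or differs is reported as drift
$drift = foreach ($s in $settings) {
    try   { $actual = (Get-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name -ErrorAction Stop).Value }
    catch { $actual = $null }
    if ($actual -ne $s.Value) {
        [pscustomobject]@{ Key = $s.Key; Name = $s.Name; Expected = $s.Value; Actual = $actual }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { "All $($settings.Count) registry values verified in $gpoName" }
```

The read-back loop is the part worth keeping in a scheduled job: Set-GPRegistryValue succeeding once says nothing about whether someone later edited the GPO in GPMC.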
WMI Filter
| Property | Value |
|---|---|
| Name | Workstations Only |
| Query | SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1 |

Defense-in-depth: Win32_OperatingSystem.ProductType is 1 for workstations, 2 for domain controllers and 3 for member servers, so this GPO only applies to workstation operating systems even if a server object lands in the ExampleWorkstations OU by mistake.
Restricted Groups
| Local Group | Enforced Members |
|---|---|
| BUILTIN\Administrators | Domain Admins, MasterAdmins |

This is the "Members of this group" mode of Restricted Groups ([Group Membership] section of GptTmpl.inf): the listed members replace the group's membership, so any locally-added administrator accounts are removed on the next GPO refresh. This prevents local admin creep on workstations. One caveat: the built-in local Administrator account (RID 500) cannot be removed from BUILTIN\Administrators by Restricted Groups and remains a member regardless of this list.
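A compliance check for the enforced membership, added here as an example and not part of the repo: it lists the local Administrators group on a workstation and reports members that are neither in the enforced set nor the built-in RID-500 account, plus any enforced member that is missing. The group names come from this page; the NetBIOS domain name `EXAMPLE` is an assumption.

```powershell
# Added example (not part of the repo): compare a workstation's local Administrators
# group with the membership Workstations-01 enforces through Restricted Groups.
# The NetBIOS domain name "EXAMPLE" is an assumption; adjust it for your domain.
$domain   = 'EXAMPLE'
$enforced = @("$domain\Domain Admins", "$domain\MasterAdmins")

$members = @(Get-LocalGroupMember -Group 'Administrators')

# Restricted Groups never removes the built-in Administrator (RID 500), so it is
# allowed whether or not it is listed; everything else must be in $enforced.
$builtinAdmin = $members | Where-Object { $_.SID.Value -match '-500$' }
$allowed = $enforced + @($builtinAdmin | ForEach-Object { $_.Name })

# Name is "DOMAIN\account" or "COMPUTER\account"; string comparison is case-insensitive
$unexpected = $members  | Where-Object { $allowed -notcontains $_.Name }
$missing    = $enforced | Where-Object { $members.Name -notcontains $_ }

[pscustomobject]@{
    Compliant  = (-not $unexpected) -and (-not $missing)
    Unexpected = @($unexpected | ForEach-Object { "$($_.Name) [$($_.ObjectClass), $($_.PrincipalSource)]" })
    Missing    = @($missing)
}
```

A non-empty Unexpected list between refreshes is a useful signal on its own: it means something added an administrator after the last policy application. On some Windows builds Get-LocalGroupMember fails when the group contains an orphaned SID; `net localgroup Administrators` still lists the members in that case.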
Notes
- First GPO in this repo to use both SecurityPolicy and RegistrySettings together
- Audit policy uses legacy categories (not Advanced Audit Policy Configuration subcategories). If any GPO in scope configures advanced subcategories, or "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" (SCENoApplyLegacyAuditPolicy) is enabled, these category values are ignored; verify the effective state with `auditpol /get /category:*`
- Process Tracking is not audited, so this baseline produces no 4688 process creation events; enable it (or Sysmon) if process telemetry is needed on workstations
- Event log sizes are generous -- 192 MB security log supports forensic investigation, although with Success + Failure logon auditing a busy host can still wrap it, so forward events to a collector rather than relying on the local log alone
- Windows Update schedule assumes workstations are powered on overnight or use wake timers