azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fa4ac2ea37a32e0fde79ff87a109ffbcb01dc787
claudetools/.claude/temp/gpo-script1.ps1
Howard Enos 4c94254477 sync: auto-sync from HOWARD-HOME at 2026-05-20 14:53:36 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-05-20 14:53:36
2026-05-20 14:53:38 -07:00

106 lines
4.7 KiB
PowerShell
Raw Blame History

Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop
$ErrorActionPreference = 'Continue'
$domain = 'cascades.local'
$srv = 'CS-SERVER'
$sysvol = "\\$srv\SYSVOL\$domain\Policies"
Write-Output "=== 1. AD Account Cleanup ==="
$toDisable = @(
@{ SAM='britney.thompson'; Why='Departed 2026-04-22' }
@{ SAM='Richard.Adams'; Why='Driver - no longer gets IT access' }
@{ SAM='Julian.Crim'; Why='Driver - no longer gets IT access' }
@{ SAM='Christopher.Holick'; Why='Driver - no longer gets IT access' }
@{ SAM='Shontiel.Nunn'; Why='Old-format account - s.nunn (Caregivers) is correct' }
)
foreach ($a in $toDisable) {
try {
$u = Get-ADUser -Identity $a.SAM -Properties Enabled -ErrorAction Stop
if ($u.Enabled) { Disable-ADAccount -Identity $a.SAM; Write-Output " [OK] Disabled: $($a.SAM) - $($a.Why)" }
else { Write-Output " [--] Already disabled: $($a.SAM)" }
} catch { Write-Output " [ERROR] $($a.SAM): $_" }
}
Write-Output ""
Write-Output "=== 2. CSC - Security Baseline ==="
if (-not (Get-GPO -Name 'CSC - Security Baseline' -Domain $domain -ErrorAction SilentlyContinue)) {
New-GPO -Name 'CSC - Security Baseline' -Domain $domain `
-Comment 'Phase 2.6: 12-char password min, lockout 5/30, 15-min screen lock. UNLINKED - link at domain root during Phase 3.' | Out-Null
Write-Output " [OK] GPO created"
} else { Write-Output " [--] Already exists" }
foreach ($kv in @(
@{ N='ScreenSaveTimeOut'; V='900' }
@{ N='ScreenSaveActive'; V='1' }
@{ N='ScreenSaverIsSecure'; V='1' }
@{ N='SCRNSAVE.EXE'; V='scrnsave.scr' }
)) {
Set-GPRegistryValue -Name 'CSC - Security Baseline' `
-Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
-ValueName $kv.N -Type String -Value $kv.V | Out-Null
}
Write-Output " [OK] Screen saver: 15 min idle, password on resume"
$gpo = Get-GPO -Name 'CSC - Security Baseline' -Domain $domain
$gpoPath = "$sysvol\{$($gpo.Id.ToString().ToUpper())}"
$secDir = "$gpoPath\Machine\Microsoft\Windows NT\SecEdit"
New-Item -Path $secDir -ItemType Directory -Force | Out-Null
$infLines = @(
'[Unicode]'
'Unicode=yes'
'[System Access]'
'MinimumPasswordLength = 12'
'PasswordComplexity = 1'
'PasswordHistorySize = 24'
'MaximumPasswordAge = 90'
'MinimumPasswordAge = 1'
'LockoutBadCount = 5'
'ResetLockoutCount = 30'
'LockoutDuration = 30'
'[Version]'
'signature="$CHICAGO$"'
'Revision=1'
)
$inf = $infLines -join "`r`n"
[System.IO.File]::WriteAllText("$secDir\GptTmpl.inf", $inf, [System.Text.Encoding]::Unicode)
Write-Output " [OK] GptTmpl.inf: password min 12, history 24, max-age 90, lockout 5/30"
$iniPath = "$gpoPath\GPT.INI"
$raw = [System.IO.File]::ReadAllText($iniPath)
$ver = 0; if ($raw -match '(?m)^Version=(\d+)') { $ver = [int]$Matches[1] }
$mVer = ($ver -band 0xFFFF) + 1
$uVer = ($ver -shr 16) -band 0xFFFF
$newVer = ($uVer -shl 16) -bor $mVer
$userExt = ''; if ($raw -match '(?m)^gPCUserExtensionNames=([^\r\n]+)') { $userExt = $Matches[1] }
$newIni = "[General]`r`nVersion=$newVer`r`ngPCMachineExtensionNames=[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]`r`n"
if ($userExt) { $newIni += "gPCUserExtensionNames=$userExt`r`n" }
[System.IO.File]::WriteAllText($iniPath, $newIni, [System.Text.Encoding]::ASCII)
Write-Output " [OK] GPT.INI updated with security extension"
Write-Output ""
Write-Output "=== 3. CSC - Windows Update ==="
if (-not (Get-GPO -Name 'CSC - Windows Update' -Domain $domain -ErrorAction SilentlyContinue)) {
New-GPO -Name 'CSC - Windows Update' -Domain $domain `
-Comment 'Phase 2.6: Auto download, scheduled install Sundays 3 AM, no auto-restart with active sessions. UNLINKED - link at domain root during Phase 3.' | Out-Null
Write-Output " [OK] GPO created"
} else { Write-Output " [--] Already exists" }
$wuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
foreach ($kv in @(
@{ N='NoAutoUpdate'; V=0; T='DWord' }
@{ N='AUOptions'; V=4; T='DWord' }
@{ N='ScheduledInstallDay'; V=1; T='DWord' }
@{ N='ScheduledInstallTime'; V=3; T='DWord' }
@{ N='NoAutoRebootWithLoggedOnUsers'; V=1; T='DWord' }
@{ N='EnableFeaturedSoftware'; V=0; T='DWord' }
)) {
Set-GPRegistryValue -Name 'CSC - Windows Update' -Key $wuKey `
-ValueName $kv.N -Type $kv.T -Value $kv.V | Out-Null
}
Write-Output " [OK] Windows Update: auto DL, Sunday 3 AM install, no forced reboot"
Write-Output ""
Write-Output "=== CSC GPO Status ==="
Get-GPO -All -Domain $domain | Where-Object { $_.DisplayName -like 'CSC - *' } |
Select-Object DisplayName, GpoStatus | Sort-Object DisplayName | Format-Table -AutoSize
Reference in New Issue View Git Blame Copy Permalink