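# Creates an organizational unit at the root of a <domain>.local domain, then
# creates a workstation-hardening GPO, links it to that OU and fills it with
# registry values through Set-GPRegistryValue.
#
# Changes from the original listing:
#   * the GPO is linked to the OU that was just created (the original linked
#     to a hard-coded "OU=Postes" whatever name the operator typed);
#   * the GPO name comes from $gpoName everywhere;
#   * operator input is validated before it is placed in a distinguished name;
#   * the script stops at the first failing step.
#
# NOTE(review): values written outside the ...\Policies\... keys (the Lsa and
# Netlogon ones below) typically stay on the machines after the GPO is
# unlinked, because only policy keys are cleaned up. Plan the rollback.

# Fail fast: a half-built hardening GPO is worse than none, so no step runs
# after one that failed (OU creation, GPO creation, link).
$ErrorActionPreference = 'Stop'

Import-Module GroupPolicy
Import-Module ActiveDirectory   # provides New-ADOrganizationalUnit

$Dom = Read-Host "Nom du domain (sans .local): "
$Ou = Read-Host "Nom de la nouvelle OU : "

# Both answers end up inside a distinguished name. Reject anything that could
# add or alter DN components instead of trying to escape it.
if ($Dom -notmatch '^[A-Za-z0-9-]+$') {
    throw "Nom de domaine invalide : '$Dom'"
}
if ([string]::IsNullOrWhiteSpace($Ou) -or $Ou -match '[,+"\\<>;=#]') {
    throw "Nom d'OU invalide : '$Ou'"
}

$domainDn = "DC=$Dom,DC=local"
New-ADOrganizationalUnit -Name $Ou -Path $domainDn

# GPO name and link target (the OU created above).
$ouTarget = "OU=$Ou,$domainDn"
$gpoName = "Securite - Verrouillage postes"

# Create the GPO and link it to the OU in one pipeline.
New-GPO -Name $gpoName -Comment "Renforcement securite poste utilisateur" |
    New-GPLink -Target $ouTarget -LinkEnabled Yes

# -----------------------
# GPO SETTINGS
# -----------------------
# NOTE(review): sections 1 and 2 are per-user (HKCU) values. They reach users
# only if user objects live in the linked OU or loopback processing is
# enabled for the computers in it. Confirm what the OU will hold.

# 1. Hide the Control Panel
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoControlPanel" -Type DWord -Value 1

# 2. Restrict CMD and PowerShell
# DisableCMD = 1 also blocks .bat/.cmd processing (2 would block only the
# interactive prompt); check logon scripts before deploying.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Policies\Microsoft\Windows\System" `
    -ValueName "DisableCMD" -Type DWord -Value 1
# EnableScripts = 0 turns script execution off (execution policy). It does not
# stop powershell.exe from starting, and execution policy is not a security
# boundary; use application control (AppLocker / App Control for Business) if
# the goal is to block the interpreter.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Policies\Microsoft\Windows\PowerShell" `
    -ValueName "EnableScripts" -Type DWord -Value 0

# 3. Do not store the LAN Manager hash at the next password change
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" `
    -ValueName "NoLMHash" -Type DWord -Value 1

# 4. Windows Installer: DisableMSI = 1 blocks installs of non-managed
# applications (2 would block the installer entirely)
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\Installer" `
    -ValueName "DisableMSI" -Type DWord -Value 1

# 5. Guest account
# NOTE(review): the Guest account state is not a registry value at this path;
# it is the security option "Accounts: Guest account status". This write is
# kept from the original but is not expected to disable the account. Verify
# on a test machine and set the security option instead.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\SAM\SAM\Domains\Account\Users\Names\Guest" `
    -ValueName "Enabled" -Type DWord -Value 0

# 6. Password policy (complexity and length)
# NOTE(review): Windows does not read these two values from the Lsa key.
# Complexity and minimum length come from the Account Policies security
# settings, and for domain accounts from the policy linked at the domain root
# or a fine-grained password policy. Kept from the original; not expected to
# enforce anything. Confirm with `net accounts` on a client.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" `
    -ValueName "PasswordComplexity" -Type DWord -Value 1
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" `
    -ValueName "MinimumPasswordLength" -Type DWord -Value 10

# 7. Password expiry (90 days)
# NOTE(review): under Netlogon\Parameters, MaximumPasswordAge is the maximum
# age of the *computer account* password (default 30 days), not the user
# password expiry. As written this lengthens machine-account rotation to 90
# days and leaves user password expiry untouched. Confirm the intent; user
# password expiry belongs in the domain password policy.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
    -ValueName "MaximumPasswordAge" -Type DWord -Value 90

# 8. Block anonymous enumeration of SAM accounts
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" `
    -ValueName "RestrictAnonymousSAM" -Type DWord -Value 1

Write-Host "GPO '$gpoName' crer et lie a $ouTarget"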