Import-Module GroupPolicy
Import-Module ActiveDirectory   # needed for the domain password policy (steps 6/7) and the Guest account (step 5)

# GPO name and target OU
$gpoName  = "Sécurité - Verrouillage postes"
$ouTarget = "OU=Postes,DC=tondomaine,DC=local"   # <- ADAPT TO YOUR DOMAIN
$domain   = "tondomaine.local"                   # <- ADAPT TO YOUR DOMAIN (DNS name of the domain above)

# Create the GPO
$gpo = New-GPO -Name $gpoName -Comment "Renforcement sécurité poste utilisateur"

# Link it to the OU
New-GPLink -Name $gpo.DisplayName -Target $ouTarget

# ------------------------
# GPO SETTINGS APPLIED
# ------------------------

# 1. Lock the Control Panel (User Configuration)
Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoControlPanel" -Type DWord -Value 1

# 2. Block CMD and PowerShell scripts (User Configuration)
#    DisableCMD: 1 = block interactive cmd.exe but still allow batch files, 2 = block both
Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Policies\Microsoft\Windows\System" -ValueName "DisableCMD" -Type DWord -Value 1
#    EnableScripts = 0 sets the "Turn on Script Execution" policy to Disabled (execution policy Restricted)
Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Policies\Microsoft\Windows\PowerShell" -ValueName "EnableScripts" -Type DWord -Value 0

# 3. Do not store LAN Manager password hashes
Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "NoLMHash" -Type DWord -Value 1

# 4. Restrict Windows Installer: DisableMSI = 1 blocks non-managed (user-initiated) installs, 2 blocks all installs
Set-GPRegistryValue -Name $gpoName -Key "HKLM\Software\Policies\Microsoft\Windows\Installer" -ValueName "DisableMSI" -Type DWord -Value 1

# 5. Guest account
#    The local Guest account is not controlled by a registry policy value (writing under HKLM\SAM via a GPO
#    has no effect). In this GPO, set "Accounts: Guest account status" = Disabled under
#    Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
#    The domain Guest account can be disabled directly:
Disable-ADAccount -Identity Guest

# 6./7. Password policy: complexity enabled, minimum length 10, expiration after 90 days
#    These are Account Policies (Security Settings), not registry values; they are enforced domain-wide
#    through the default domain password policy, not through this OU-linked GPO.
Set-ADDefaultDomainPasswordPolicy -Identity $domain -ComplexityEnabled $true -MinPasswordLength 10 -MaxPasswordAge (New-TimeSpan -Days 90)

# 8. Block anonymous enumeration of SAM accounts (SIDs/names)
Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "RestrictAnonymousSAM" -Type DWord -Value 1

Write-Host "GPO '$gpoName' créée et liée à $ouTarget"
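The following audit script is an added example, not part of the original script above. It reads the registry-based settings back out of the GPO, checks that the GPO is actually linked and enabled on the OU, reads the domain password policy, and (when run on a workstation in that OU after gpupdate) compares the effective local registry values with what the GPO is supposed to deliver. It assumes the same GPO name and OU as the script above and the hypothetical domain name tondomaine.local.

```powershell
# Added verification example (not part of the original script).
# Assumes the GPO and OU names used in the hardening script above.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = "Sécurité - Verrouillage postes"
$ouTarget = "OU=Postes,DC=tondomaine,DC=local"   # <- ADAPT (assumed placeholder)
$domain   = "tondomaine.local"                   # <- ADAPT (assumed placeholder)

# Registry-based settings the hardening script writes into the GPO, with the value expected for each.
$expected = @(
    @{ Key = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"; Name = "NoControlPanel";       Value = 1 },
    @{ Key = "HKCU\Software\Policies\Microsoft\Windows\System";                  Name = "DisableCMD";           Value = 1 },
    @{ Key = "HKCU\Software\Policies\Microsoft\Windows\PowerShell";              Name = "EnableScripts";        Value = 0 },
    @{ Key = "HKLM\SYSTEM\CurrentControlSet\Control\Lsa";                        Name = "NoLMHash";             Value = 1 },
    @{ Key = "HKLM\Software\Policies\Microsoft\Windows\Installer";               Name = "DisableMSI";           Value = 1 },
    @{ Key = "HKLM\SYSTEM\CurrentControlSet\Control\Lsa";                        Name = "RestrictAnonymousSAM"; Value = 1 }
)

# Compare one setting stored in the GPO (Get-GPRegistryValue) against its expected value.
function Test-GpoSetting {
    param([string]$Gpo, [hashtable]$Setting)
    try {
        $actual = Get-GPRegistryValue -Name $Gpo -Key $Setting.Key -ValueName $Setting.Name -ErrorAction Stop
        $value = $actual.Value
    } catch {
        $value = $null   # value missing from the GPO entirely
    }
    [pscustomobject]@{
        Source = "GPO"; Key = $Setting.Key; Name = $Setting.Name
        Expected = $Setting.Value; Actual = $value; Ok = ($value -eq $Setting.Value)
    }
}

# Compare the effective value on this machine (what the client actually enforces after gpupdate).
# HKCU keys reflect the logged-on user; HKLM keys reflect the computer.
function Test-LocalSetting {
    param([hashtable]$Setting)
    $path  = $Setting.Key -replace '^(HKLM|HKCU)\\', '$1:\'   # "HKLM\..." -> "HKLM:\..." provider path
    $item  = Get-ItemProperty -Path $path -Name $Setting.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($Setting.Name) } else { $null }
    [pscustomobject]@{
        Source = "Local"; Key = $Setting.Key; Name = $Setting.Name
        Expected = $Setting.Value; Actual = $value; Ok = ($value -eq $Setting.Value)
    }
}

# 1. Settings stored in the GPO
$gpoResults = foreach ($s in $expected) { Test-GpoSetting -Gpo $gpoName -Setting $s }
$gpoResults | Format-Table -AutoSize

# 2. Link state on the OU: a GPO that exists but is unlinked, disabled or blocked by inheritance does nothing.
$link = (Get-GPInheritance -Target $ouTarget).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $link)           { Write-Warning "GPO '$gpoName' is not linked to $ouTarget" }
elseif (-not $link.Enabled) { Write-Warning "GPO '$gpoName' is linked to $ouTarget but the link is disabled" }
else                      { Write-Host "GPO link OK (Enforced = $($link.Enforced))" }

# 3. Domain password policy (complexity, length, max age are Account Policies, not GPO registry values)
$pw = Get-ADDefaultDomainPasswordPolicy -Identity $domain
[pscustomobject]@{
    ComplexityEnabled = $pw.ComplexityEnabled
    MinPasswordLength = $pw.MinPasswordLength
    MaxPasswordAgeDays = $pw.MaxPasswordAge.TotalDays
    Ok = ($pw.ComplexityEnabled -and $pw.MinPasswordLength -ge 10 -and $pw.MaxPasswordAge.TotalDays -le 90)
} | Format-List

# 4. Effective values on this workstation (only meaningful when run on a machine in the target OU)
$localResults = foreach ($s in $expected) { Test-LocalSetting -Setting $s }
$localResults | Format-Table -AutoSize

$failed = @($gpoResults + $localResults | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) setting(s) differ from the expected hardening baseline" }
```

Run step 1 to 3 from a management host with RSAT; step 4 only says something useful on a workstation inside the OU after gpupdate /force and a fresh logon, since the HKCU values are delivered to the user profile at logon. A missing value in the GPO (Actual = null) and a correct value in the GPO that never reaches the client are the two common drift cases this separates.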