43 lines
2.3 KiB
PowerShell
Executable File
43 lines
2.3 KiB
PowerShell
Executable File
Import-Module GroupPolicy
|
|
|
|
$Dom = Read-Host "Nom du domain (sans .local): "
|
|
$Ou = Read-Host "Nom de la nouvelle OU : "
|
|
New-ADOrganizationalUnit -Name "$Ou" -Path "DC=$Dom,DC=local"
|
|
# Nom de la GPO
|
|
$ouTarget = "OU=Postes,DC=$Dom,DC=local"
|
|
$gpoName = "Securite - Verrouillage postes"
|
|
# Créer la GPO
|
|
New-GPO -Name "Securite - Verrouillage postes" -Comment "Renforcement securite poste utilisateur" | New-GPLink -Target $ouTarget -LinkEnabled Yes
|
|
|
|
# -----------------------
|
|
# PARAMÈTRES GPO APPLIQUÉS
|
|
# -----------------------
|
|
|
|
# 1. Verrouillage du panneau de configuration
|
|
Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ValueName "NoControlPanel" -Type DWord -Value 1
|
|
|
|
# 2. Verrouillage CMD & PowerShell
|
|
Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Policies\Microsoft\Windows\System" -ValueName "DisableCMD" -Type DWord -Value 1
|
|
Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Policies\Microsoft\Windows\PowerShell" -ValueName "EnableScripts" -Type DWord -Value 0
|
|
|
|
# 3. Désactivation du hash LAN Manager
|
|
Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "NoLMHash" -Type DWord -Value 1
|
|
|
|
# 4. Désactiver installation sans mot de passe admin
|
|
Set-GPRegistryValue -Name $gpoName -Key "HKLM\Software\Policies\Microsoft\Windows\Installer" -ValueName "DisableMSI" -Type DWord -Value 1
|
|
|
|
# 5. Désactivation du compte invité
|
|
Set-GPRegistryValue -Name $gpoName -Key "HKLM\SAM\SAM\Domains\Account\Users\Names\Guest" -ValueName "Enabled" -Type DWord -Value 0
|
|
|
|
# 6. Politique de mot de passe (complexité et longueur)
|
|
Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "PasswordComplexity" -Type DWord -Value 1
|
|
Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "MinimumPasswordLength" -Type DWord -Value 10
|
|
|
|
# 7. Expiration du mot de passe (90 jours)
|
|
Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -ValueName "MaximumPasswordAge" -Type DWord -Value 90
|
|
|
|
# 8. Blocage énumération SID anonymes
|
|
Set-GPRegistryValue -Name $gpoName -Key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" -ValueName "RestrictAnonymousSAM" -Type DWord -Value 1
|
|
|
|
Write-Host "GPO '$gpoName' crer et lie a $ouTarget"
|