0x6d69636b / windows_hardening

HardeningKitty and Windows Hardening Settings
MIT License

Improve GPO option #153

Open 0x6d69636b opened 1 year ago

0x6d69636b commented 1 year ago

@gderybel built the GPO option in this PR https://github.com/0x6d69636b/windows_hardening/pull/147.

This issue is here to improve this option and insert additional functionality.

Last comment of @gderybel:

Thanks for your feedback, I was focused on the implementation with account policies and I got solutions but I don't know which one I should choose (actually, you can't create a GPO that deploys a password policy):

1. I deploy the password policy to the whole domain using "Set-ADDefaultDomainPasswordPolicy"

2. I apply a password policy to a User Group using "Set-ADFineGrainedPasswordPolicy"

3. I create a GPO that executes HardeningKitty with the finding list

All of these solutions have at least one problem:

1. The whole domain will be affected, while a GPO will only apply to a specific OU (too large a scope and not fitting the GPO method)

2. Only a user group is affected, while a GPO will only apply to a specific OU (too small a scope and not fitting the GPO method)

3. This policy will probably not apply to domain users, it will be overridden by the DomainPasswordPolicy, but it will maybe apply to local accounts on the computers receiving the GPO (not very effective but fitting the GPO method)

I've searched for a way to apply a password policy to an OU but I can't find anything that works as expected.

Which solution would you prefer?

I would personally choose the first one that applies to the whole domain because it's the one that's more effective.

UPDATE: The third option is tricky to set up, I was planning to use the HKLM:\Software\Microsoft\Windows\CurrentVersion\Run key, which runs a command each time a user logs on, but the command won't run as admin since the user is not an admin.
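The three options in the quoted comment touch different objects in the directory. The following PowerShell is an added example for this issue, not code from HardeningKitty or from the pull request: it shows what each option actually changes and how to verify which policy an account ends up with. It assumes the RSAT ActiveDirectory module, an account allowed to modify the domain and the Password Settings Container, and placeholder names (`HK-Admins-PSO`, `HK-Privileged-Users`, `jdoe`) that are not from the project.

```powershell
# Added example, not part of the windows_hardening repository.
# Requires: ActiveDirectory module (RSAT). Names below are assumed placeholders.
Import-Module ActiveDirectory

# Option 1: the Default Domain Password Policy. There is one per domain, it is
# stored in the Default Domain Policy GPO linked at the domain root, and it
# governs every domain account that is not covered by a fine-grained policy.
function Show-DomainPasswordPolicy {
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
                      MaxPasswordAge, LockoutThreshold, LockoutDuration
}

function Set-DomainPasswordPolicyHardened {
    param([switch]$WhatIf)
    # -WhatIf previews the change; without it the whole domain is affected.
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) -WhatIf:$WhatIf
}

# Option 2: a Password Settings Object (fine-grained policy). It applies to the
# users and global security groups listed as its subjects, never to an OU.
function New-PrivilegedPso {
    param(
        [string]$Name  = 'HK-Admins-PSO',        # assumed name
        [string]$Group = 'HK-Privileged-Users',  # assumed global group
        [switch]$WhatIf
    )
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false -WhatIf:$WhatIf
    if (-not $WhatIf) {
        # Subjects are resolved by name, so only attach them once the PSO exists.
        Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
    }
}

# Verification for options 1 and 2: which policy does a given domain user get?
# The lowest precedence PSO wins; no PSO means the default domain policy applies.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        "{0}: PSO '{1}' (precedence {2}, min length {3})" -f `
            $SamAccountName, $pso.Name, $pso.Precedence, $pso.MinPasswordLength
    } else {
        "{0}: Default Domain Password Policy (no PSO applies)" -f $SamAccountName
    }
}

# Option 3 caveat: Account Policies in a GPO linked to an OU only change the
# local SAM of the computers in that OU. 'net accounts' run on such a member
# shows the local policy, which is all that link changed for domain users.
function Show-LocalAccountPolicy {
    net accounts
}

# Usage (dry run first):
Show-DomainPasswordPolicy
Set-DomainPasswordPolicyHardened -WhatIf
New-PrivilegedPso -WhatIf
Get-EffectivePasswordPolicy -SamAccountName 'jdoe'   # assumed account
Show-LocalAccountPolicy
```

Two practitioner notes on the update about the Run key: `HKLM\...\Run` entries execute in the logging-on user's security context, so they cannot elevate. If a GPO has to invoke a script with local administrator rights, a Computer Configuration startup script or a Group Policy Preferences scheduled task running as SYSTEM is the mechanism that runs elevated, independently of who logs on.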

0x6d69636b commented 1 year ago

I would be very cautious about making changes to an entire domain or users/groups. I think we should not implement any modules that cannot be covered in a policy.