Home

Tutorials

Active Directory

Active Directory Group Policy Restricted Groups (EN)

The management of local groups on Workstations and servers in an organization can be done centrally by Group Policies. One of the ways to do that is to use Group Policy Restricted Groups.

Below is a table that summarizes the membership that could be updated using Group Policy Restricted Groups:

	Local Group	Domain Group
Using of “Members”	Local Users Domain Users Domain Groups	Not applicable
Using “Member Of”	Not Applicable (*)	Local Groups

(*) Local Groups Nesting is not supported (http://technet.microsoft.com/en-us/library/ee681621(v=ws.10).aspx )

Creation of a new Restricted Groups Group Policy:

To create a new Restricted Groups Group Policy, proceed like the following:

Create a new Group Policy, go to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups and then select Add Group… after doing a right click on Restricted Groups

Specify the name of the group to update its membership and then click on OK

If you would like to add members to the group then click Add … for Members of this group

If you would like to add the group as member of a local group then click on Add… for This group is member of

IMPORTANT: You should refer to the table that summarizes the membership that could be updated using Group Policy Restricted Groups before applying the new group policy.

Expected behavior when using a Restricted Groups Group Policy:

When using a Restricted Groups Group Policy, the following behavior is expected:

Type of update	Behavior
Update of “Members”	Any current member of the group that is not on the “Members” list will be removed (Local administrator user cannot be removed from Administrators group even if it is not in the “Members” list). All users / domain groups that are in the “Members” list and are not members of the group will be added as members.
Update of “Member of”	The membership is added if it does not exist

Microsoft support for Group Policy Restricted Groups:

Description of Group Policy Restricted Groups: http://support.microsoft.com/kb/279301

Tips:

Tip 1: It happens that, for operational tasks, a user needs to be added as member of a local group to perform an action and then removed later. If a Restricted Groups Group Policy is used for the local group members then the user can be added as member of the group and automatically removed after the re-appliance of the group policy.

Tip 2: To add new domain members to a local group using Group Policy Restricted Groups without removing the current members, you can proceed like the following:

Create a domain group and add the domain users / groups as member of it
Use “Member of” feature to add the new domain group as member of the needed local group

The latest tutorials

23/03/2019 How to identify active hosts in your networks and perform horizontal TCP port scans

06/03/2019 Stop perfecting your Active Directory Domain Services Password / Lockout Policies – It is time to invest on Multi-Factor Authentication and Compensating Controls

09/02/2019 An Effective Approach to Protect Administrative Accesses to Your Datacenters and Cloud Resources

17/01/2019 How to create a Lag Site for your Active Directory Domain Services setup

About Tunit

Tunit helps you plan your Microsoft systems integration and administration.

Certainly, having a good Management of your IT systems improve your Business performance while it can, when it is poorly managed, obstruct the responsiveness and efficiency of your organization. We are here to help you so do not hesitate to follow us.

View more