Do you need to add a user to a group? Do you want to ensure that certain groups only contain members that you specify? Group Policy Restricted Groups allow you to easily do both! If you are already using restricted groups, I have three tricks that will let you take group management to a new level. Read on!
Using Group Policy to Control Local Group Membership
In our first scenario, we want to explicitly control local group membership. We will populate the local administrator group with objects of our choosing. We will remove any user/group not in our selection by using the Members of this group feature of Restricted Groups.
Start by creating a new GPO named Restricted Groups: GROUP NAME (for example, Restricted Groups: Local Administrators). Edit the GPO and navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups. Right-click under Group Name and select Add Group.
Do not type in a name, because the group's SID would not be recorded; select Browse instead.* Under Locations, change the value from your domain to your local machine. Search for Administrators and press OK. You should now see a new group named Administrators listed. Double-click that group and press the top Add button.
Click Browse again, but this time leave the location set to your domain. Search for Domain Admins and press OK. After you finish adding groups to the Administrators restricted group, you should see them listed under the Members tab. When this GPO is applied to a computer, it first removes all existing members from the specified group and then adds only the members you listed. In our example above, only Domain Admins (and the built-in local Administrator user) would be members of the local Administrators group.
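Because Members of this group is authoritative, the useful follow-up check is whether the local Administrators group on a target machine actually matches what the policy should leave there. The PowerShell below is an added example, not code from the original post. It assumes the policy above (Domain Admins plus the built-in local Administrator, which is always retained), that the Microsoft.PowerShell.LocalAccounts module is available (Windows PowerShell 5.1 or PowerShell 7 on Windows), and uses constructed sample SIDs and the hypothetical names CORP and PC01 for the offline run. The comparison matches on SIDs rather than names, for the same reason the post says to browse for the group instead of typing its name.

```powershell
# Added example (not from the original post): report drift between the members a
# "Members of this group" Restricted Groups policy should leave in the local
# Administrators group and what is actually there.

function Test-RestrictedGroupDrift {
    <#
    .SYNOPSIS
    Compares a list of group members against expected SID patterns and reports
    unexpected and missing principals. Kept separate from collection so it can
    be exercised against constructed input without a domain.
    #>
    param(
        # Objects with at least Name and SID properties (what Get-LocalGroupMember returns).
        [Parameter(Mandatory)] [object[]]$Members,
        # Regular expressions matched against each member's SID string.
        [Parameter(Mandatory)] [string[]]$ExpectedSidPatterns
    )
    $unexpected = @()
    $seen = @{}
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        $hit = $ExpectedSidPatterns | Where-Object { $sid -match $_ } | Select-Object -First 1
        if ($hit) { $seen[$hit] = $true } else { $unexpected += $m }
    }
    # Patterns that matched no member: the policy has not applied, or was edited.
    $missing = @($ExpectedSidPatterns | Where-Object { -not $seen.ContainsKey($_) })
    [pscustomobject]@{
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
        Unexpected = $unexpected
        Missing    = $missing
    }
}

function Get-LocalAdminDrift {
    param(
        # Defaults: built-in local Administrator (RID 500) and Domain Admins (RID 512).
        [string[]]$ExpectedSidPatterns = @('-500$', '-512$')
    )
    # BUILTIN\Administrators is always S-1-5-32-544; resolve it by SID, not by its
    # localizable display name.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'
    Test-RestrictedGroupDrift -Members $members -ExpectedSidPatterns $ExpectedSidPatterns
}

# Offline run against constructed sample members (all SIDs and names are made up).
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator'; SID = 'S-1-5-21-111-222-333-500' },
    [pscustomobject]@{ Name = 'CORP\Domain Admins'; SID = 'S-1-5-21-444-555-666-512' },
    [pscustomobject]@{ Name = 'CORP\jdoe';          SID = 'S-1-5-21-444-555-666-1105' }
)
$result = Test-RestrictedGroupDrift -Members $sample -ExpectedSidPatterns @('-500$', '-512$')
if (-not $result.Compliant) {
    $result.Unexpected | ForEach-Object { "Not permitted by policy: $($_.Name) ($($_.SID))" }
    $result.Missing    | ForEach-Object { "Expected but absent: $_" }
}

# On a domain-joined machine, run after gpupdate to confirm the policy took effect:
# Get-LocalAdminDrift
```

The RID-suffix defaults are convenient for a quick check, but a suffix such as -512$ would also accept Domain Admins from any other domain; in production, pass anchored full SIDs (for example '^S-1-5-21-<your domain SID>-512$') so the check is as specific as the policy itself.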