Do you need to add a user to a group? Do you want to ensure that certain groups only contain members that you specify? Group Policy Restricted Groups allow you to easily do both! If you are already using restricted groups, I have three tricks that will let you take group management to a new level. Read on!
Using Group Policy to Control Local Group Membership
In our first scenario, we want to explicitly control local group membership. We will populate the local administrator group with objects of our choosing. We will remove any user/group not in our selection by using the Members of this group feature of Restricted Groups.
Start by creating a new GPO named Restricted Groups: GROUP NAME (ex: Restricted Groups: Local Administrators). Edit the GPO and navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups. Under Group Name, right click and select Add Group.
Do not type the group name in, because the group’s SID would then not be recorded; select Browse instead.* Under Locations, change the value from your domain to your local machine. Search for Administrators and press OK. You should now see a new group named Administrators listed. Double click on that group and press the top Add button.
Browse but leave the search on your domain name. Search for Domain Admins and press OK. After you finish adding groups to the Administrators restricted group, you should see them listed under the members tab. When this GPO is applied to a computer, it will remove all members from the group specified. It will then add the members that you specified. In our example above, only domain administrators (and the built-in local administrator user) would be a member of the local administrators group.
Using Group Policy to Add/Modify Local Group Members
Let’s say that you have a local group that you want to modify. You don’t want to wipe out the local group members but still want to use Group Policy Restricted Groups. In this case, you will use the This group is a member of feature.
To start, create a new security group in Active Directory named: Restricted Groups: GROUP Name (ex: Restricted Groups: Remote Desktop Users). Populate this group with users/nested groups.
In your Restricted Groups GPO, add a new group. Select Browse and leave the location on your domain. Search for your domain security group. Open up your newly added restricted group, select the bottom Add button, and change the location to your local machine. Type in the local group that this domain group should be added to.
In the screenshot above, our restricted group will be added to the local administrators group on any machine that this GPO applies to. Existing members in the local administrators group will not be altered. You can think of this as almost the preference version of Restricted Groups.
Three Tricks to Using Restricted Groups Effectively
Restricted Groups can be used to overwrite local security groups or to append to them. By understanding Group Policy processing and linking, you can tweak Restricted Groups in three ways:
Use Restricted Groups to Control Domain Security Group Memberships
By using the Members of this group feature, you can control domain security group memberships. A classic example is to ensure that the Domain Admins group (or another highly privileged group) is maintained with Group Policy. When you link a GPO that edits a domain security group, link it only to your Domain Controllers OU.
Use Restricted Groups for temporary memberships
When you use the Members of this group feature, users manually added to the group are automatically removed when the GPO is re-applied. You can use this to grant temporary memberships to local groups (for example, making a user a local administrator for a short duration).
First, use this group is a member of – then use Members of this group
If you are unsure of the current local group memberships, avoid using the Members of this group feature on a broad scale. It will wipe out existing local group members and can potentially break applications/processes. Start by using the This group is a member of feature to modify local group membership. Once you are positive that replacing the group membership with only the members you specify is safe, switch your policy to Members of this group.
You can create a report of local group members by using this PowerShell script.
*Selecting browse prevents problems from occurring later if you rename the group.
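As an added example (not the article’s own PowerShell script, which is not reproduced here), the following script reports local group members across a set of computers and flags anything that is not on an expected list. It is the check you would run before switching a policy from This group is a member of to Members of this group, because the flagged rows are exactly what the stricter policy would remove. The computer names and the expected member list are placeholders; the script assumes Get-LocalGroupMember (Windows PowerShell 5.1 and later) on the targets and WinRM enabled for Invoke-Command.

```powershell
# Added example, not the article's script. Reports local group members on several
# computers and flags members not on an expected list. Assumes Get-LocalGroupMember
# (Microsoft.PowerShell.LocalAccounts, Windows PowerShell 5.1+) on the targets and
# WinRM for Invoke-Command. Computer names and expected members are placeholders.
param(
    [string[]]$ComputerName    = @('SERVER01', 'SERVER02'),                      # placeholders
    [string]$GroupName         = 'Administrators',
    [string[]]$ExpectedMembers = @('CONTOSO\Domain Admins', 'Administrator')    # placeholders
)

# Runs on each target. Emits plain objects so they serialize cleanly over WinRM.
$scriptBlock = {
    param($GroupName)
    try {
        Get-LocalGroupMember -Group $GroupName -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    Group           = $GroupName
                    Member          = $_.Name                    # e.g. CONTOSO\Domain Admins
                    ObjectClass     = $_.ObjectClass             # User or Group
                    PrincipalSource = [string]$_.PrincipalSource # Local or ActiveDirectory
                }
            }
    }
    catch {
        # The cmdlet can throw (for example when the group is missing or contains an
        # orphaned SID); record the failure instead of silently skipping the computer.
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Group           = $GroupName
            Member          = "ERROR: $($_.Exception.Message)"
            ObjectClass     = $null
            PrincipalSource = $null
        }
    }
}

$members = Invoke-Command -ComputerName $ComputerName -ScriptBlock $scriptBlock `
    -ArgumentList $GroupName -ErrorAction Continue

# Compare each member with the expected list. Local accounts come back prefixed with
# the computer name (SERVER01\Administrator), so the prefix is stripped for matching;
# this is how the built-in local Administrator, which Restricted Groups keeps, is matched.
$report = foreach ($m in $members) {
    $bare     = $m.Member -replace "^$([regex]::Escape($m.Computer))\\", ''
    $expected = ($ExpectedMembers -contains $m.Member) -or ($ExpectedMembers -contains $bare)
    [pscustomobject]@{
        Computer = $m.Computer
        Group    = $m.Group
        Member   = $m.Member
        Class    = $m.ObjectClass
        Source   = $m.PrincipalSource
        Expected = $expected
    }
}

# Full inventory on screen and to CSV for the change record.
$report | Sort-Object Computer, Member | Format-Table -AutoSize
$report | Export-Csv -Path '.\LocalGroupReport.csv' -NoTypeInformation

# Unexpected members: what a "Members of this group" policy would remove on first apply.
Write-Host "Members not on the expected list:"
$report | Where-Object { -not $_.Expected } | Select-Object Computer, Member
```

Run it from a management host with the same parameters for each OU before you switch the policy; anything listed at the end either belongs on the expected list (add it to the GPO) or is a member you are deliberately removing.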
Hi,
I found this article while I was researching Restricted Groups in GPO vs Users and Groups in GPP.
In our environment both are being used and I wonder if there is any guidance on what takes precedence. We have an OU with a few dozen servers and the built-in Administrators group is populated with some AD users and groups. Also GPP adds some AD users and groups in the computer configuration section. That worked fine until we added a few more servers to the same OU. Surprisingly, AD users and groups listed in GPP are not being added to the Administrators group, while Restricted Groups in GPO works. I was able to add AD groups using the “This group is a member of” section (thank you for that tip), however I do not understand why it is not working with GPP. The only difference I see is that the new servers are Win 2019 Standard while the others are Datacenter. That should not make any difference as there is no security or WMI filtering. Gpresult shows that GPP works, but in fact it does not on the new servers. I would appreciate it if you can point me in the right direction.
Really good, thanks
Hi Joseph. In the early years, I used RG settings for local users and groups. But nowadays, I switched to GPP Local Users and Groups. Why?
It allows me to put a user into local admins ONLY and ONLY AS LONG as he is logged on to a computer. This is especially useful in terms of disabling remote access to workstation computers where other users are currently working on – use the “user configuration” for that, and first, empty out local admins, then add as required based on whatever filtering you need. This even allows easy assignment of users to selected workstations where they should be admin – create a domain group named “WS01-Admins”, “WS02-Admins” and so on, then do ILT for “User is a Member of %Computername%-Admins”. Get the picture? 🙂
regards, Martin
Interesting idea Martin! I will certainly be checking that out – seems like it allows a lot more granular control without administrative overhead.