Do you need to add a user to a group? Do you want to ensure that certain groups only contain members that you specify? Group Policy Restricted Groups allow you to easily do both! If you are already using restricted groups, I have three tricks that will let you take group management to a new level. Read on!
Using Group Policy to Control Local Group Membership
In our first scenario, we want to explicitly control local group membership. We will populate the local administrator group with objects of our choosing. We will remove any user/group not in our selection by using the Members of this group feature of Restricted Groups.
Start by creating a new GPO named Restricted Groups: GROUP NAME (ex: Restricted Groups: Local Administrators). Edit the GPO and navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups. Under Group Name, right click and select Add Group.
Do not type the group name: a typed name is stored as text rather than as the group's SID. Select Browse instead.* Under Locations, change the value from your domain to your local machine. Search for Administrators and press OK. You should now see a new group named Administrators listed. Double click on that group and press the top Add button (Members of this group).
Browse again, but this time leave the location set to your domain. Search for Domain Admins and press OK. After you finish adding groups to the Administrators restricted group, you should see them listed under the Members tab. When this GPO is applied to a computer, it first removes every current member of the specified group and then adds the members you listed. In our example above, only Domain Admins (and the built-in local Administrator account, which Restricted Groups never removes) would remain in the local Administrators group. Any local accounts, service accounts or management agents that were previously in the group are removed as well, so inventory the group before you enforce this.
Using Group Policy to Add/Modify Local Group Members
Let’s say that you have a local group that you want to modify. You don’t want to wipe out the local group members but still want to use Group Policy Restricted Groups. In this case, you will use the This group is a member of feature.
To start, create a new security group in Active Directory named: Restricted Groups: GROUP Name (ex: Restricted Groups: Remote Desktop Users). Populate this group with users/nested groups.
In your Restricted Groups GPO, add a new group. Select Browse and leave the location on your domain. Search for your domain security group. Open your newly added restricted group, select the bottom Add button (This group is a member of) and change the location to your local machine. Select the local group that this domain group should be added to (browse rather than type, for the same SID reason as above).
In the screenshot above, our restricted group will be added to the local Administrators group on any machine that this GPO applies to. Existing members of the local Administrators group are not touched, because the Members list being enforced belongs to the domain group entry, and a workstation cannot change a domain group's membership; keep this GPO off the domain controllers for that reason. You can think of this as the closest Restricted Groups gets to the Group Policy Preferences Local Users and Groups item, which updates a group instead of replacing it.
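Both procedures above end up as lines in the GPO's GptTmpl.inf under SYSVOL, and reading that file is the quickest way to confirm which mode a GPO is in before it reaches a machine. The script below is an added example, not code from the original post: it parses the `[Group Membership]` section and reports, per entry, whether the entry replaces a group's membership (a non-empty `__Members` list) or only appends (a `__Memberof` list). The GPO GUID, domain name, SIDs and group names in it are constructed for illustration; a browsed group is stored as `*SID`, a typed one as plain text, which is the difference the footnote warns about.

```powershell
# Added example (not from the original post): inspect the Restricted Groups entries a GPO
# stores in SYSVOL and classify each one as Replace (Members of this group) or Append
# (This group is a member of). GUID, domain, SIDs and group names are constructed.

$gpoGuid = '{11111111-2222-3333-4444-555555555555}'   # hypothetical GPO GUID
$infPath = "\\corp.example.com\SYSVOL\corp.example.com\Policies\$gpoGuid\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

# Constructed sample of what the two GPOs from the post write. Line 1/2: the local
# Administrators group (well-known SID S-1-5-32-544) is REPLACED with Domain Admins (RID 512).
# Line 3/4: a domain group (RID 1105) is APPENDED to local Remote Desktop Users (S-1-5-32-555);
# its own __Members key is written but left empty.
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1000000000-2000000000-3000000000-512
*S-1-5-21-1000000000-2000000000-3000000000-1105__Memberof = *S-1-5-32-555
*S-1-5-21-1000000000-2000000000-3000000000-1105__Members =
'@

function Resolve-SidLabel {
    param([string]$Value)
    # A value without a leading '*' was typed, not browsed: it is stored by name and
    # will stop matching if the group is renamed.
    if (-not $Value.StartsWith('*')) { return "$Value (stored by name, not SID)" }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($Value.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Value   # BUILTIN SIDs resolve anywhere; domain SIDs only on a domain-joined host
    }
}

function Get-RestrictedGroupEntry {
    param([string[]]$InfLines)

    $inSection = $false
    $byGroup = [ordered]@{}
    $pattern = '^(?<group>.+?)__(?<mode>Memberof|Members)\s*=\s*(?<value>.*)$'

    foreach ($line in $InfLines) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if ($inSection -and $line -match $pattern) {
            $group = $Matches['group']
            if (-not $byGroup.Contains($group)) { $byGroup[$group] = @{ Members = @(); Memberof = @() } }
            # Values are comma separated; an empty right-hand side yields no entries.
            $values = @($Matches['value'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            $byGroup[$group][$Matches['mode']] = $values
        }
    }

    foreach ($group in $byGroup.Keys) {
        $e = $byGroup[$group]
        [pscustomobject]@{
            Group       = Resolve-SidLabel $group
            StoredAsSid = $group.StartsWith('*')
            Mode        = if ($e.Members.Count -gt 0) { 'Replace (Members of this group)' }
                          elseif ($e.Memberof.Count -gt 0) { 'Append (This group is a member of)' }
                          else { 'Replace with empty list (group is emptied)' }
            Targets     = (@($e.Members) + @($e.Memberof) | ForEach-Object { Resolve-SidLabel $_ }) -join ', '
        }
    }
}

# Run against the constructed sample; swap in (Get-Content $infPath) for a real GPO.
Get-RestrictedGroupEntry -InfLines ($sampleInf -split "`r?`n") | Format-Table -AutoSize
```

The third Mode value is the one to watch for: a group that appears in Restricted Groups with an empty Members list and no Memberof list is a group that will be emptied on every machine the GPO reaches.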
Three Tricks to Using Restricted Groups Effectively
Restricted Groups can be used to replace or to append to local security group memberships. By understanding Group Policy processing and linking, you can tweak Restricted Groups in three ways:
Use Restricted Groups to Control Domain Security Group Memberships
By using the Members of this group feature, you can control domain security group memberships. A classic example is to ensure that the Domain Admins group (or another highly privileged group) is maintained by Group Policy. When you link a GPO that edits a domain security group, link it only to your Domain Controllers OU: domain groups can only be changed on a domain controller, and any manual addition to the group is reverted the next time the domain controllers reapply the policy.
Use Restricted Groups for temporary memberships
When you use the Members of this group feature, users manually added to the group are removed again when the policy is re-applied. You can use this to grant temporary memberships to local groups (for example, making a user a local administrator for a short duration). Be aware of the cadence: the security settings extension reapplies Restricted Groups on a fixed schedule (every 16 hours by default) even when the GPO has not changed, and gpupdate /force applies it immediately, so a manual addition lasts until whichever of those happens first.
First, use this group is a member of – then use Members of this group
If you are unsure of the current local group memberships, avoid using the Members of this group feature on a broad scale. It wipes out the existing local group members and can break applications and processes that depended on them. Start by using the This group is a member of feature to modify local group membership. Once you are positive that replacing the membership with the members you specify will not break anything, switch your policy to Members of this group.
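The step that makes the switch safe is knowing what Members of this group would throw away on each machine. The script below is an added example, not code from the original post: it snapshots the local Administrators group on each target and diffs it against the member list the policy will enforce, ignoring the built-in Administrator account that Restricted Groups leaves in place. The computer names, domain name, group names and the sample snapshot data are constructed; the live collection uses Get-LocalGroupMember over WinRM and is kept in its own function so the comparison can be run offline against the sample.

```powershell
# Added example (not from the original post): report what "Members of this group" would
# remove from (and add to) the local Administrators group on each target before enforcing it.
# Computer names, domain, group names and the snapshot data are constructed for illustration.

$computers = 'WS01', 'WS02'                                                  # hypothetical targets
$intended  = 'CORP\Domain Admins', 'CORP\Restricted Groups: Local Administrators'

function Compare-LocalAdminMembership {
    param(
        [string]$ComputerName,
        [string[]]$CurrentMembers,    # what the local Administrators group holds now
        [string[]]$IntendedMembers    # what the Members of this group list will enforce
    )
    # The built-in Administrator (RID 500) survives a Restricted Groups rewrite, so it is
    # not a removal; every other member not on the intended list will be dropped.
    $removable = @($CurrentMembers | Where-Object { $_ -notmatch '^[^\\]+\\Administrator$' })
    [pscustomobject]@{
        ComputerName   = $ComputerName
        WouldBeRemoved = @($removable | Where-Object { $IntendedMembers -notcontains $_ })
        WouldBeAdded   = @($IntendedMembers | Where-Object { $CurrentMembers -notcontains $_ })
    }
}

# Live collection for real targets (WinRM enabled, Windows PowerShell 5.1 or later on the host).
function Get-LocalAdminMembers {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name
    }
}

# Constructed snapshot standing in for the output of Get-LocalAdminMembers.
$snapshot = @{
    WS01 = 'WS01\Administrator', 'CORP\Domain Admins', 'CORP\helpdesk-tier2', 'WS01\svc_backup'
    WS02 = 'WS02\Administrator', 'CORP\Domain Admins', 'CORP\Restricted Groups: Local Administrators'
}

$report = foreach ($c in $computers) {
    # For a live run:  $members = Get-LocalAdminMembers -ComputerName $c
    $members = $snapshot[$c]
    Compare-LocalAdminMembership -ComputerName $c -CurrentMembers $members -IntendedMembers $intended
}

# WS01 would lose CORP\helpdesk-tier2 and WS01\svc_backup; WS02 loses nothing.
$report | Format-List
$report | Where-Object { $_.WouldBeRemoved.Count -gt 0 } |
    ForEach-Object { "$($_.ComputerName): review $($_.WouldBeRemoved -join ', ') before enforcing" }
```

Anything listed under WouldBeRemoved is either a candidate for the domain security group the This group is a member of policy already adds, or a dependency you need to retire first; only once that list is empty on every target is the switch to Members of this group safe.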
*Selecting Browse stores the group by SID rather than by name, so the policy keeps working if the group is renamed later.