How-to: Using Restricted Groups

Sep 09

G JohanssonActive Directory, GPO , 3 Comments

There are a lot of questions in newsgroups, forums etc. about how to use Restricted Groups in the right way so I wanted to post a how-to for people to read.

Finding Restricted Groups is easy but it only works in a domain with Active Directory so trying to find it within your local GPO on your computer isn’t possible.
Restricted Groups

At first you right click on Restricted Groups and select “Add Group”.
What you get is the default window to choose a group, either from your domain or maybe from your local computer depending on what configuration you want.
Restricted Groups2

Now you have two different choices of what you want to do with the group you selected. Either you use “Members of this group” or “This group is a member of”. The differences of these choices are big so I explain in two steps.

1. “Members of this group”

This is the choice you make when you want to add users to a group. What you select here is what you will see on your computers affected by this policy. So if you for example want to add a user to the local admin group on the computers then don’t forget to add administrator also or the administrator account will be removed from the local administrators group on the computers.

As an example can be this picture where you have both the local administrator account and also the built-in Authenticated Users group.
Restricted Groups3

2. “This group is a member of”

This choice you can use if you want to add your selected group into another group. So what you can tell is that this is the opposite of what you defined in choice 1 described above. This is also not something that will override any other configuration you have done. So if you in first choice selected “Authenticated Users” and with this option select that it will be added to the “Administrators group” any other user you might have added to the group (manually perhaps) won’t be overwritten by this choice.

So this example which you can see in this picture will add the “Power Users group” into the “Administrators group”.
Restricted Groups4

To summarize this it’s fairly easy to use Restricted Groups and it’s also the easiest way to add/remove users in groups and you can control it in a much better way than you ever can doing this manually. If you are doing this manually today it’s time to stop and using the right way instead.


Technorati Tags: ,
  • Share/Bookmark

3 Comments (+add yours?)

  1. Clive Watkinson UNITED KINGDOM Windows Server 2003 Internet Explorer 7.0
    Mar 07, 2008 @ 17:05:18

    I can’t make the restricted GPO work.

    This is what I’ve done :-

    1 Opened Domain machine – GPO

    2 Greated new GPO called “Local Administrators”

    3 Created a new restricted user policy

    4 In the top box (members) I have put the users that I want in the form domainname/userid

    5 I don’t know what to put in the bottom box, so far I have tried Domain/Administrators, Administrators, Domain/Local Administrators.

    In Each case, nothing happens.

    Any Ideas – especially about what specifically to put in the lower box.

    Cheers

  2. jbone UNITED STATES Windows XP Internet Explorer 7.0
    Sep 26, 2008 @ 23:21:51

    try builtin\administrators

Leave a Reply