How-to: Using Restricted Groups


There are a lot of questions in newsgroups, forums etc. about how to use Restricted Groups in the right way so I wanted to post a how-to for people to read.

Finding Restricted Groups is easy, but it only works in a domain with Active Directory, so you won’t find it in the local GPO on your computer.

First, right-click Restricted Groups and select “Add Group”.
This opens the default window for choosing a group, either from your domain or from your local computer, depending on the configuration you want.

Now you have two choices for what to do with the group you selected: “Members of this group” or “This group is a member of”. The difference between them is big, so I explain them in two steps.

1. “Members of this group”

This is the choice you make when you want to add users to a group. The list you define here is exactly what you will see in that group on the computers affected by this policy. So if, for example, you want to add a user to the local Administrators group on the computers, don’t forget to add Administrator as well, or the Administrator account will be removed from the local Administrators group on those computers.

As an example, this picture shows a member list that contains both the local Administrator account and the built-in Authenticated Users group.

2. “This group is a member of”

Use this choice when you want to add your selected group into another group, so it is the opposite of choice 1 described above. It also does not override any other configuration you have done. So if you first selected “Authenticated Users” and use this option to add it to the “Administrators” group, any other user you might have added to that group (manually, perhaps) won’t be overwritten by this choice.

The example in this picture adds the “Power Users” group to the “Administrators” group.

To summarize, Restricted Groups is fairly easy to use. It is also the easiest way to add and remove users in groups, and it gives you much better control than you can ever get doing this manually. If you are doing this manually today, it’s time to stop and use the right way instead.
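
The difference between the two modes, as an added example that is not part of the original post: a simplified Python model that parses a constructed policy in the `[Group Membership]` key layout (`<group>__Members`, `<group>__Memberof`) that a GPO's GptTmpl.inf security template uses, and reports which accounts each mode would remove. All group and account names are made up, and plain names stand in for the SIDs a real template normally stores.

```python
# Added example: simplified model of how Restricted Groups changes local
# group membership. All group and account names below are constructed.

# Constructed policies in the <group>__Members / <group>__Memberof layout.
POLICY_MEMBERS = """[Group Membership]
Administrators__Members = CONTOSO\\Domain Admins,CONTOSO\\Helpdesk
"""
POLICY_MEMBEROF = """[Group Membership]
Power Users__Memberof = Administrators
"""

def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}} for the keys set."""
    rules, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            group, _, mode = key.strip().rpartition("__")
            names = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            rules.setdefault(group.lstrip("*"), {})[mode.lower()] = names
    return rules

def apply_policy(rules, local_groups):
    """Return (resulting groups, accounts removed per group)."""
    result = {g: set(m) for g, m in local_groups.items()}
    removed = {}
    for group, modes in rules.items():
        if "members" in modes:
            # "Members of this group": the list replaces what is there now.
            wanted = set(modes["members"])
            dropped = result.get(group, set()) - wanted
            if dropped:
                removed[group] = dropped
            result[group] = wanted
    for group, modes in rules.items():
        # "This group is a member of": only adds, existing members stay.
        for parent in modes.get("memberof", []):
            result.setdefault(parent, set()).add(group)
    return result, removed

# Constructed current state: CONTOSO\alice was added by hand earlier.
LOCAL = {"Administrators": {"CONTOSO\\Domain Admins", "CONTOSO\\alice"}}

if __name__ == "__main__":
    for policy in (POLICY_MEMBERS, POLICY_MEMBEROF):
        after, removed = apply_policy(parse_group_membership(policy), LOCAL)
        print(sorted(after["Administrators"]), "removed:", removed)
```

Running the same comparison against a policy before it is linked shows which manually added accounts would silently lose membership.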


Wireless Network Policy


Depending on which system you use, you have different options for configuring wireless policies using Group Policy.

Windows Vista and Windows Server 2008: These let you configure wireless policies using GPO by default, so nothing needs to be done.

Windows 2003: Depending on which service pack level you have installed, you might need to install “Wi-Fi Protected Access (WPA) support for Wireless Network (IEEE 802.11) Policies is available for Windows Server 2003”. Note that this will not let you configure WPA2 wireless policies. You will need Windows Vista and Windows Server 2008 for that.

Windows XP: The first requirement is that you have the Windows Server 2003 AD Schema in your AD. The second requirement is that you have at least SP1 for XP.
From your Windows 2003 server (located at C:\Windows\System32), copy the files wlsnp.dll, wlstore.dll and ws03res.dll. Then register wlsnp.dll using “regsvr32 wlsnp.dll”.
This registers a new snap-in for Wireless Network Policy.
Side-note: For Windows XP to be able to process WPA2 policies, you will need to install “Update for Windows XP (KB917021)”.

Windows 2000: Sorry, no can do…


Where do I find GPMC in Windows 2008


When you install Windows 2008 and promote it to a Domain Controller, GPMC isn’t in your Administrative Tools.

In Windows 2008 everything is divided into Roles and Features. Roles are major “changes” to a server, for example Domain Controller, Terminal Server etc. Features are more or less the “Add/Remove Windows components” we have had in the past, but of course with some more things.

One of these “more things” is the GPMC, which you need to add manually using Server Manager: Add Features.
Add features GPMC Windows 2008

After GPMC has been installed you can find it as normal in the Administrative Tools.
GPMC visible in Administrative Tools


Fine-Grained Password Policy


As my first post in my new blog, I’m not going to write something myself.
I will just link to another post written by Christoffer Andersson, who has created a tool for administering a new feature, “Fine-Grained Password Policies”, introduced in Windows Server 2008.

This tool is still in beta, so if you can, please help him out by trying the tool. I know I will.

See his post here:
