Configuring Restricted Groups for Domain Security Groups
A great feature of group policies that commonly goes unused is restricted groups. Restricted groups Group Policy settings allow an administrator to manage the membership of local groups on domain member servers and workstations. Restricted groups can also be leveraged to manage the membership of domain security groups when applied to the appropriate domain or the domain controllers organizational unit.
NOTE: Unless the impact is completely understood and desired, never link a group policy with restricted group settings to a domain or a site object because the settings will be inherited by all computers in the domain or site, including domain controllers and Active Directory security groups. If linking this policy to a domain or site is required, make sure to use security or WMI filtering to exclude domain controllers and any additional systems as required if Active Directory security groups should not be managed by the policy.
Restricted groups can be used to populate and control the members of a designated group, or they can be used to add members to a specific group. Using restricted groups requires a deep understanding of how the settings work and GPO modeling should always be used before linking a restricted group GPO to an Active Directory site, domain, or organizational unit. There are a few scenarios that Group Policy administrators and organizations commonly utilize restricted groups domain policies for and these scenarios include, but are not limited to, the following:
- Define and restrict the membership of a local or domain security group by adding users or other groups using the members setting of restricted groups.
- Add universal and global domain groups to local computer or local domain groups using the member of setting of restricted groups.
Of course, defining the membership of groups is still limited by the domain functional level when it comes to group nesting.
Controlling Group Membership Using Restricted Groups
Restricted groups can be used to control the membership of a group using the member setting, which is detailed next. When this setting is defined for a group, only the members added to this list will be a member of the group and any existing members will be removed when the policy is applied or refreshed. The only exception to this rule is when the local Administrator user account is a member of a member server Administrators local group or the Administrators domain security group. The same exception applies to managing the membership of domain groups, if the Administrator account in the domain is a member of the Administrators domain group, this account will remain even when a restricted group member setting is defined that does not include the Administrator account. This does not apply to any other security group that the Administrator account is a member of.
The restricted groups Administrator account exception was added as a fix with specific service pack revisions so if the computers in the organization are not up to date on supported operating systems and current service pack revisions, the administrator account can be removed by a restricted groups member policy. As a best practice, when the local or domain administrator account needs to be a member of a restricted group, do not count on the GPO to leave it in; instead, define it within the member policy setting. As an example of how to control membership of a local group on a member server or workstation using restricted groups, perform the following steps:
- Log on to a designated Windows Server 2008 R2 administrative server.
- Open the Group Policy Management Console from the Administrative Tools menu.
- Add the necessary domains to the GPMC as required.
- Expand the Domains node to reveal the Group Policy Objects container.
- Create a new GPO named NetCfgOpsRestrictedGroupGPO.
- Open the NetCfgOpsRestrictedGroupGPO policy for editing and in the Group Policy Management Editor, expand the Computer Configuration node, expand Policies, expand Windows Settings, expand the Security Settings node, and select Restricted Groups.
- In the tree pane, right-click the Restricted Groups node and select Add Group.
- When the Add Group window opens, do not browse; just type in Network Configuration Operators and click OK.
- When the Network Configuration Operators window opens, click the Add button in the Members of This Group section.
- When the Add Member window opens, type in the name of a user or group and click OK, or click the Browse button to locate and select users and/or groups, click OK, and click OK again. Domain accounts should be entered as domain\username and multiple entries should be separated by semicolons.
- After all the entries are added, click OK to finalize the settings.
- Back in the Group Policy Management Editor window, close the GPO.
- In the GPMC, link the new NetCfgOpsRestrictedGroupGPO policy to an OU with a computer account that can be used to test this policy. Network Configuration Operators groups exist in Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows 7 systems.
- Log on to a system to which the policy applies with an account with administrative privileges and verify the membership of the group. If the policy has not yet been applied, run the gpdate.exe /force command in a Command Prompt window.
- Add additional users to the group and reapply the GPO by running the gpupdate.exe /force command in a Command Prompt window. Verify that the new users have been removed by the domain group policy.
- Log off of the workstation and log back on to the Windows Server 2008 R2 system. Link the GPO to the appropriate organizational unit to complete this task.
Using this function of restricted groups is not recommended for the Administrators local group on domain workstations or in Active Directory unless the organization is certain that no users have been added to allow for legacy application or other additional rights. For this example, the Network Configuration Operators group membership has been defined by the policy. This group has the rights to completely manage and configure network settings of the computer.
Modifying Group Membership Using Restricted Groups
When defining the membership of a group is not the desired change, the Restricted Groups Member of function can be used. This is a less-invasive method of updating or modifying group membership using domain policies. As an example, if an organization wants to add the COMPANYABC\IT domain security group to the local Administrators group of all computers in the HQ Workstations organizational unit, the following process can be followed:
- Create an OU called HQ Workstations and place all the necessary computer accounts into the OU.
- Create a new domain group policy called HQWorkstationsRestrictedGroupGPO and open it for editing.
- Click the Computer Configuration node, expand Policies, expand Windows Settings, expand Security Settings, and then select Restricted Groups. Add a group but do not specify the Administrators group; instead, specify the COMPANYABC\IT group.
- In the properties of the COMPANYABC\IT restricted group, click the Add button in the This Group Is a Member Of section. In the Add window, do not browse; simply type in Administrators and click OK. The properties of the group should appear.
- Click OK again to close the COMPANYABC\IT Restricted Group Properties window.
- Back in the Group Policy Management Editor window, close the GPO.
- In the Group Policy Management Console, link the new HQWorkstationsRestrictedGroupGPO policy to an OU with a computer account that can be used to test this policy.
- Log on to a system that the policy applies to using an account with Administrators group membership, and verify the membership of the local Administrators group.
- Log off of the workstation and log back on to the Windows Server 2008 R2 system. Link the GPO to the appropriate organizational unit.
Configuring restricted groups to manage domain groups can be performed using the same steps as previously outlined. The only difference is that the GPO will need to be linked to the Domain Controllers organizational unit, or the domain itself. Even if membership or member of configuration of a group is managed with restricted groups, it does not prevent users with the correct access from modifying the membership of these groups between Group Policy refresh cycles. To mitigate this, try to keep the membership of Administrators, Domain Admins, Account Operators, and Enterprise Admins in the domain to a minimum. On the local systems, try to keep the local Administrators group membership limited as well.
In this tutorial:
- Group Policy Management for Network Client
- Windows Group Policies
- Domain Group Policies
- Group Policy Feature Set
- User Configuration Policy Node
- Planning Workgroup and Standalone Local Group Policy Configuration
- Planning Domain Group Policy Objects
- Domain GPOs
- Active Directory Site GPOs
- Managing Computers with Domain Policies
- Managing User Account Control Settings
- Creating a Software Restriction Policy
- Creating Application Control Policies (AppLocker)
- Deploying Printers Windows Server 2008
- Mapping Drives Using Preferences User Drive Maps Extension
- Configuring Basic Firewall Settings with Group Policy
- Configuring Windows Update Settings
- Configuring Power Options Using Domain Policies
- Managing Users with Policies
- Configuring Folder Redirection
- Removable Storage Access
- Managing Active Directory with Policies
- Configuring Restricted Groups for Domain Security Groups
- Extending Group Policy Functionality
- Synchronous Foreground Refresh
- GPO Modeling and GPO Results in the GPMC
- Managing Group Policy from Administrative or Remote Workstations