Windows Tip Sheet

Are You Restrictive with Your Groups?

The miracle of Group Policy is that you can maintain tight reins on who has admin rights.

Have you ever popped open the local Administrators group on a user's computer and wondered how all those user accounts got in there? Making one user a local Administrator is opening a door: That user can then add whoever he wants to the group, because, well, he's the Administrator. Wouldn't it be nice if you could somehow lock the group down, so that you could make a user a local Admin if needed, but prevent them from offering the same benefits to another user? You can, if you restrict group membership.

The miracle of Group Policy gives you a centralized means of controlling group membership. Pop open any Group Policy object (GPO) you've got handy, and navigate to Computer Configuration > Windows Settings > Restricted Groups (you should find this in any Active Directory domain, 2000 and later). Right-click the Restricted Groups folder and select Add Group from the context menu. Select the group you want to restrict and then decide who gets to belong.

[Figure: Controlling Group Membership. Restricting group membership via GPOs.]

Quick tip: By eliminating all groups from the membership, you'll ensure that nobody is a member. Use caution, especially when playing with the built-in Administrators group.

Because this configuration is deployed through a GPO, you can apply different Restricted Groups configurations to different sites, OUs, or domains. For example, you might plunk your developers into one OU if you need to add them (via a group membership) to the local Administrators group on their machines. Modifying these groups through GPO is a lot more efficient than running around and doing it manually on a per-machine basis.

Restricted Groups can control any group on a computer, not just built-in groups like Administrators. If you've deployed your own local user groups for a specific application or other purpose, you can centrally lock down group membership right through a GPO. Keep in mind that Restricted Groups isn't additive; it's not "whatever's listed in the GPO plus whoever else gets added." What you list in the Restricted Groups section of the GPO is the sum total of the group's membership. In other words, you can use Restricted Groups to make a user an Admin and prevent that user from making anyone else an Admin.

Best practice: Put users into domain groups, and assign the domain groups to local groups by using Restricted Groups in a GPO (you come up with a sentence that uses the word "group" more times than that). Following this practice, you'll only have to modify your GPOs occasionally, and you can control all permissions using domain groups. Name those domain groups something that helps indicate their role in controlling local group membership: local_Administrators or local_PowerUsers, for example, makes it easier to tell that the members of those domain groups will wind up in the corresponding local groups.
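Because the GPO list is the whole membership, anything else found in a local group is drift worth reporting. This added PowerShell example (not from the original column) compares a local group's membership with the list the policy is expected to enforce; CONTOSO, WKS01, jsmith and the function name Compare-RestrictedGroup are assumptions, and local_Administrators follows the naming suggested above.

```powershell
# Added example, not from the original column. CONTOSO, WKS01, jsmith and the
# function name are assumptions; the sample lists below are constructed.
function Compare-RestrictedGroup {
    param(
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [string[]] $Expected,
        # Omit -Actual to read the live group; pass a list to test offline.
        [string[]] $Actual
    )

    if (-not $PSBoundParameters.ContainsKey('Actual')) {
        # Get-LocalGroupMember is in the LocalAccounts module (Windows PowerShell 5.1).
        $Actual = @(Get-LocalGroupMember -Group $Group -ErrorAction Stop |
                    ForEach-Object { $_.Name })
    }

    # Restricted Groups replaces membership rather than adding to it, so a
    # difference in either direction is drift. -notcontains ignores case.
    $unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
    $missing    = @($Expected | Where-Object { $Actual   -notcontains $_ })

    foreach ($m in $unexpected) {
        [pscustomobject]@{ Group = $Group; Member = $m; Status = 'Unexpected' }
    }
    foreach ($m in $missing) {
        [pscustomobject]@{ Group = $Group; Member = $m; Status = 'Missing' }
    }
}

# Constructed sample: the policy lists two members, and a third account has
# been added locally since the policy was last applied.
$expected = 'WKS01\Administrator', 'CONTOSO\local_Administrators'
$observed = 'WKS01\Administrator', 'CONTOSO\local_Administrators', 'CONTOSO\jsmith'
Compare-RestrictedGroup -Group 'Administrators' -Expected $expected -Actual $observed
```

Run it without -Actual on a workstation to check that machine's live group against the expected list.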

Micro Tip Sheet

Have you set up the perfect GPO and need to replicate it to another, standalone domain? You can. GPO files are stored in %systemroot%\SYSVOL\sysvol\domain\Policies\GUID, where GUID is the unique identifier for the GPO itself. You can run Gpotool.exe to find out each GPO's name and corresponding GUID, or just examine the properties of the GPO itself in the Group Policy Management Console (GPMC). In the target domain, create a new GPO and delete the contents of its GPO folder. Copy the appropriate GPO folder contents from the source domain to the new (and now empty) GPO folder in the destination domain. Shazam.

Here's a cool GPO: Computer Configuration > Administrative Templates > System > Logon. The policy setting is "Delete cached copies of roaming profiles" and if you enable it, clients will automatically wipe out their local copy of a roaming profile at logoff. This is a useful security measure, although it obviously removes the ability to use that cached profile on, say, a laptop that sometimes isn't connected to the domain. On Windows XP, this policy setting is in Computer Configuration > Administrative Templates > System > User Profiles.

More Resources
Restricted Groups' functionality was updated in Windows 2000 SP4:

Microsoft's docs on Restricted Groups:
resources/documentation/ WindowsServ/2003/standard/proddocs/

The Land of All Answers to GPO Questions:

Accounts specified in Restricted Groups which are later deleted will cause unresolvable SIDs, and event log errors on your DCs:

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.


Reader Comments:

Wed, Jul 14, 2004 Charlie Anonymous

Thanks for making more people aware of this important feature of AD.
Restricted Groups is probably the last piece to the puzzle of giving resource domain admins the same sort of permissions that they are used to having across the domain, once the computers in their domain are migrated to an AD OU. Realistically, the way to do this is through "reverse" restricted groups, where a particular global group can be designated as a restricted group which contains only certain members AND is assigned as a member of the local Administrators Group on each machine in the OU. It's important to be aware of this because in most environments you won't be able to limit the local Administrators Group too much, but this option will still allow you to give Admin rights across an OU to the people who need it. Note that there was a bug which prevented the "reverse" Restricted Groups from working, but it is fixed in W2K SP4 and WXP SP2.
Bob Fuller is correct that the policy is applied at the computer level, which means that you wouldn't be able to "plunk your developers into one OU if you need to add them". You would have to add their computers to an OU; no big deal. However, Don mentions "you could make a user a local Admin if needed", which as Bob correctly states would require a different OU for each computer.

Wed, Jul 14, 2004 Bob Fuller Arizona

If I'm not mistaken, while the Restricted groups GPO will enforce membership when the policy applies, you cannot prevent one administrator from adding to the restricted group. The group membership contents will revert at the next computer policy refresh, but up till that point, membership changes are honored.

Additionally, I do believe the policy is enforced to computer objects rather than user objects, which often becomes difficult to apply in limited form. In order to grant administrative privilege to a single computer to a specific user, that computer must be placed in its own OU.

Wed, Jul 14, 2004 Anonymous Anonymous

By doing this, you allow anyone who is a member of the group to log on with administrative access to any machine that has this group in the local Administrators group. Or, worse yet, they can remotely access and/or manage the machine. That has led to problems for us in the past, since we can't trust our users very far. As a result we're stuck managing the local Administrators groups manually, adding users rather than groups.
