Windows Tip Sheet

Are You Restrictive with Your Groups?

The miracle of Group Policy is that you can maintain tight reins on who has admin rights.

Have you ever popped open the local Administrators group on a user's computer and wondered how all those user accounts got in there? Making one user a local Administrator is opening a door: That user can then add whoever he wants to the group, because, well, he's the Administrator. Wouldn't it be nice if you could somehow lock the group down, so that you could make a user a local Admin if needed, but prevent them from offering the same benefits to another user? You can, if you restrict group membership.

The miracle of Group Policy gives you a centralized means of controlling group membership. Pop open any Group Policy object (GPO) you've got handy, and navigate to Computer configuration > Windows Settings > Restricted Groups (you should find this in any Active Directory domain, 2000 and later). Right-click the Restricted Groups folder and select Add Group from the context menu. Select the group you want to restrict and then decide who gets to belong.

Figure: Controlling Group Membership. Restricting group membership via GPOs.

Quick tip: By eliminating all groups from the membership, you'll ensure that nobody is a member. Use caution, especially when playing with the built-in Administrators group.

Because this configuration is deployed through a GPO, you can apply different Restricted Groups configurations to different sites, OUs, or domains. For example, you might plunk your developers into one OU if you need to add them (via a group membership) to the local Administrators group on their machines. Modifying these groups through GPO is a lot more efficient than running around and doing it manually on a per-machine basis.

Restricted Groups can control any group on a computer, not just built-in groups like Administrators. If you've deployed your own local user groups for a specific application or other purpose, you can centrally lock down group membership right through a GPO. Keep in mind that Restricted Groups isn't additive; it's not "whatever's listed in the GPO plus whoever else gets added." What you list in the Restricted Groups section of the GPO is the sum total of groups' membership. In other words, you can use Restricted Groups to make a user an Admin and prevent that user from making anyone else an Admin.

Best practice: Put users into domain groups, and assign the domain groups to local groups by using Restricted Groups in a GPO (try coming up with a sentence that uses the word "group" more times than that). Following this practice, you'll only have to modify your GPOs occasionally, and you can control all permissions using domain groups. Name those domain groups something that indicates their role in controlling local group membership: local_Administrators or local_PowerUsers, for example, makes it easier to tell that the members of those domain groups will wind up in the corresponding local groups.
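Restricted Groups settings land in the GPO's GptTmpl.inf under a [Group Membership] section, and because the policy is non-additive, anyone not listed there is removed at the next refresh. The following added example (not from this column, and not Microsoft's own tooling) parses a constructed [Group Membership] section and reports which accounts would be removed from, or added to, a machine's local groups; the SIDs and the CORP\local_* domain group names are made up for the sample.

```python
# Added example: audit what a GPO's Restricted Groups policy would do to a machine.
# In SYSVOL the settings file sits under
# Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf (UTF-16 on disk).
import re
from typing import Dict, Set

# Constructed sample, not a real policy. S-1-5-32-544 is the built-in
# Administrators group, S-1-5-32-547 is Power Users; a leading * marks a SID.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CORP\\local_Administrators,*S-1-5-21-111-222-333-500
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = CORP\\local_PowerUsers
"""

KEY_RE = re.compile(r'^\*?(.+?)__(members|memberof)$', re.IGNORECASE)


def parse_group_membership(inf_text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {group: {'members': set, 'memberof': set}} from [Group Membership]."""
    policy: Dict[str, Dict[str, Set[str]]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith('['):                      # new INI section
            in_section = line.lower() == '[group membership]'
            continue
        if not in_section or '=' not in line:
            continue
        key, _, value = line.partition('=')
        m = KEY_RE.match(key.strip())
        if not m:
            continue
        group, kind = m.group(1), m.group(2).lower()
        # Entries are comma separated; strip the SID marker so names and SIDs compare alike.
        entries = {e.strip().lstrip('*') for e in value.split(',') if e.strip()}
        policy.setdefault(group, {'members': set(), 'memberof': set()})[kind] = entries
    return policy


def membership_drift(policy: Dict[str, Dict[str, Set[str]]],
                     actual: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Per restricted group: who the GPO would remove (not listed) and add (listed but absent)."""
    report = {}
    for group, spec in policy.items():
        current = actual.get(group, set())
        report[group] = {'remove': current - spec['members'],
                         'add': spec['members'] - current}
    return report
```

Feeding the report from a real GptTmpl.inf and the output of your local-group inventory shows exactly which self-added local Admins the policy will evict.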

Micro Tip Sheet

Have you set up the perfect GPO and need to replicate it to another, standalone domain? You can. GPO files are stored in %systemroot%\SYSVOL\sysvol\domain\Policies\GUID, where GUID is the unique identifier for the GPO itself. You can run Gpotool.exe to find out each GPO's name and corresponding GUID, or just examine the properties of the GPO itself in the Group Policy Management Console (GPMC). In the target domain, create a new GPO and delete the contents of its GPO folder. Copy the appropriate GPO folder contents from the source domain to the new (and now empty) GPO folder in the destination domain. Shazam.

Here's a cool GPO: Computer Configuration > Administrative Templates > System > Logon. The policy setting is "Delete cached copies of roaming profiles" and if you enable it, clients will automatically wipe out their local copy of a roaming profile at logoff. This is a useful security measure, although it obviously removes the ability to use that cached profile on, say, a laptop that sometimes isn't connected to the domain. On Windows XP, this policy setting is in Computer Configuration > Administrative Templates > System > User Profiles.

More Resources
Restricted Groups' functionality was updated in Windows 2000 SP4:

Microsoft's docs on Restricted Groups:

The Land of All Answers to GPO Questions:

Accounts specified in Restricted Groups which are later deleted will cause unresolvable SIDs, and event log errors on your DCs:

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.
