Windows Tip Sheet
Are You Restrictive with Your Groups?
The miracle of Group Policy is that you can maintain tight reins on who has admin rights.
Have you ever popped open the local Administrators group on a user's
computer and wondered how all those user accounts got in there? Making
one user a local Administrator is opening a door: That user can then add
whoever he wants to the group, because, well, he's the Administrator.
Wouldn't it be nice if you could somehow lock the group down, so that
you could make a user a local Admin if needed, but prevent them from offering
the same benefits to another user? You can, if you restrict group membership.
The miracle of Group Policy gives you a centralized means of controlling
group membership. Pop open any Group Policy object (GPO) you've got handy,
and navigate to Computer configuration > Windows Settings > Restricted
Groups (you should find this in any Active Directory domain, 2000 and
later). Right-click the Restricted Groups folder and select Add Group
from the context menu. Select the group you want to restrict and then
decide who gets to belong.
Restricting group membership via GPOs.
Quick tip: By eliminating all groups from the membership, you'll
ensure that nobody is a member. Use caution, especially when playing
with the built-in Administrators group.
Because this configuration is deployed through a GPO, you can apply different
Restricted Groups configurations to different sites, OUs, or domains.
For example, you might plunk your developers into one OU if you need to
add them (via a group membership) to the local Administrators group on
their machines. Modifying these groups through GPO is a lot more efficient
than running around and doing it manually on a per-machine basis.
Restricted Groups can control any group on a computer, not just built-in
groups like Administrators. If you've deployed your own local user groups
for a specific application or other purpose, you can centrally lock down
group membership right through a GPO. Keep in mind that Restricted Groups
isn't additive; it's not "whatever's listed in the GPO plus whoever
else gets added." What you list in the Restricted Groups section
of the GPO is the sum total of groups' membership. In other words, you
can use Restricted Groups to make a user an Admin and prevent that
user from making anyone else an Admin.
Best practice: Put users into domain groups, and assign the domain
groups to local groups by using Restricted Groups in a GPO (you come up
with a sentence that uses the word "group" more times than that).
Following this practice, you'll only have to modify your GPOs occasionally,
and you can control all permissions using domain groups. Name those domain
groups something that helps indicate their role in controlling local group
membership: local_Administrators or local_PowerUsers, for example, makes
it easier to tell that the members of those domain groups will wind up
in the corresponding local groups.
Have you set up the perfect GPO and need to replicate
it to another, standalone domain? You can. GPO files
are stored in %systemroot%\SYSVOL\sysvol\domain\Policies\GUID,
where GUID is the unique identifier for the GPO itself.
You can run Gpotool.exe to find out each GPO's name
and corresponding GUID, or just examine the properties
of the GPO itself in the Group Policy Management Console
(GPMC). In the target domain, create a new GPO and delete
the contents of its GPO folder. Copy the appropriate
GPO folder contents from the source domain to the new
(and now empty) GPO folder in the destination domain.
Here's a cool GPO: Computer Configuration > Administrative
Templates > System > Logon. The policy setting
is "Delete cached copies of roaming profiles"
and if you enable it, clients will automatically wipe
out their local copy of a roaming profile at logoff.
This is a useful security measure, although it obviously
removes the ability to use that cached profile on, say,
a laptop that sometimes isn't connected to the domain.
On Windows XP, this policy setting is in Computer Configuration
> Administrative Templates > System > User
Restricted Groups' functionality was updated in Windows 2000 SP4: http://support.microsoft.com/default.aspx?kbid=810076
Microsoft's docs on Restricted Groups: http://www.microsoft.com/resources/documentation/
The Land of All Answers to GPO Questions: www.gpoanswers.com
Accounts specified in Restricted Groups which are later deleted will
cause unresolvable SIDs, and event log errors on your DCs: http://windows.ittoolbox.com/groups/groups.asp?v=activedirectory-l&i=476177
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.