Logo
PREGNANCY
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
 
 
Windows Server

Windows Server 2008 R2 : Managing Active Directory with Policies (part 2) - Configuring Restricted Groups for Domain Security Groups

3/26/2011 6:59:16 PM

Configuring Restricted Groups for Domain Security Groups

A great feature of group policies that commonly goes unused is restricted groups. Restricted groups Group Policy settings allow an administrator to manage the membership of local groups on domain member servers and workstations. Restricted groups can also be leveraged to manage the membership of domain security groups when applied to the appropriate domain or the domain controllers organizational unit.

Note

Unless the impact is completely understood and desired, never link a group policy with restricted group settings to a domain or a site object because the settings will be inherited by all computers in the domain or site, including domain controllers and Active Directory security groups. If linking this policy to a domain or site is required, make sure to use security or WMI filtering to exclude domain controllers and any additional systems as required if Active Directory security groups should not be managed by the policy.


Restricted groups can be used to populate and control the members of a designated group, or they can be used to add members to a specific group. Using restricted groups requires a deep understanding of how the settings work and GPO modeling should always be used before linking a restricted group GPO to an Active Directory site, domain, or organizational unit. There are a few scenarios that Group Policy administrators and organizations commonly utilize restricted groups domain policies for and these scenarios include, but are not limited to, the following:

  • Define and restrict the membership of a local or domain security group by adding users or other groups using the members setting of restricted groups.

  • Add universal and global domain groups to local computer or local domain groups using the member of setting of restricted groups.

Of course, defining the membership of groups is still limited by the domain functional level when it comes to group nesting.

Controlling Group Membership Using Restricted Groups

Restricted groups can be used to control the membership of a group using the member setting, which is detailed next. When this setting is defined for a group, only the members added to this list will be a member of the group and any existing members will be removed when the policy is applied or refreshed. The only exception to this rule is when the local Administrator user account is a member of a member server Administrators local group or the Administrators domain security group. The same exception applies to managing the membership of domain groups, if the Administrator account in the domain is a member of the Administrators domain group, this account will remain even when a restricted group member setting is defined that does not include the Administrator account. This does not apply to any other security group that the Administrator account is a member of.

The restricted groups Administrator account exception was added as a fix with specific service pack revisions so if the computers in the organization are not up to date on supported operating systems and current service pack revisions, the administrator account can be removed by a restricted groups member policy. As a best practice, when the local or domain administrator account needs to be a member of a restricted group, do not count on the GPO to leave it in; instead, define it within the member policy setting. As an example of how to control membership of a local group on a member server or workstation using restricted groups, perform the following steps:

1.
Log on to a designated Windows Server 2008 R2 administrative server.

2.
Open the Group Policy Management Console from the Administrative Tools menu.

3.
Add the necessary domains to the GPMC as required.

4.
Expand the Domains node to reveal the Group Policy Objects container.

5.
Create a new GPO named NetCfgOpsRestrictedGroupGPO.

6.
Open the NetCfgOpsRestrictedGroupGPO policy for editing and in the Group Policy Management Editor, expand the Computer Configuration node, expand Policies, expand Windows Settings, expand the Security Settings node, and select Restricted Groups.

7.
In the tree pane, right-click the Restricted Groups node and select Add Group.

8.
When the Add Group window opens, do not browse; just type in Network Configuration Operators and click OK.

9.
When the Network Configuration Operators window opens, click the Add button in the Members of This Group section.

10.
When the Add Member window opens, type in the name of a user or group and click OK, or click the Browse button to locate and select users and/or groups, click OK, and click OK again. Domain accounts should be entered as domain\username and multiple entries should be separated by semicolons.

11.
After all the entries are added, click OK to finalize the settings, as shown in Figure 5.

Figure 5. Configuring members using restricted groups.


12.
Back in the Group Policy Management Editor window, close the GPO.

13.
In the GPMC, link the new NetCfgOpsRestrictedGroupGPO policy to an OU with a computer account that can be used to test this policy. Network Configuration Operators groups exist in Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows 7 systems.

14.
Log on to a system to which the policy applies with an account with administrative privileges and verify the membership of the group. If the policy has not yet been applied, run the gpdate.exe /force command in a Command Prompt window.

15.
Add additional users to the group and reapply the GPO by running the gpupdate.exe /force command in a Command Prompt window. Verify that the new users have been removed by the domain group policy.

16.
Log off of the workstation and log back on to the Windows Server 2008 R2 system. Link the GPO to the appropriate organizational unit to complete this task.

Using this function of restricted groups is not recommended for the Administrators local group on domain workstations or in Active Directory unless the organization is certain that no users have been added to allow for legacy application or other additional rights. For this example, the Network Configuration Operators group membership has been defined by the policy. This group has the rights to completely manage and configure network settings of the computer.

Modifying Group Membership Using Restricted Groups

When defining the membership of a group is not the desired change, the Restricted Groups Member of function can be used. This is a less-invasive method of updating or modifying group membership using domain policies. As an example, if an organization wants to add the COMPANYABC\IT domain security group to the local Administrators group of all computers in the HQ Workstations organizational unit, the following process can be followed:

1.
Create an OU called HQ Workstations and place all the necessary computer accounts into the OU.

2.
Create a new domain group policy called HQWorkstationsRestrictedGroupGPO and open it for editing.

3.
Click the Computer Configuration node, expand Policies, expand Windows Settings, expand Security Settings, and then select Restricted Groups. Add a group but do not specify the Administrators group; instead, specify the COMPANYABC\IT group.

4.
In the properties of the COMPANYABC\IT restricted group, click the Add button in the This Group Is a Member Of section. In the Add window, do not browse; simply type in Administrators and click OK. The properties of the group should appear, as shown in Figure 6.

Figure 6. Adding members to the local Administrators group using the Restricted Group Member of function.


5.
Click OK again to close the COMPANYABC\IT Restricted Group Properties window.

6.
Back in the Group Policy Management Editor window, close the GPO.

7.
In the Group Policy Management Console, link the new HQWorkstationsRestrictedGroupGPO policy to an OU with a computer account that can be used to test this policy.

8.
Log on to a system that the policy applies to using an account with Administrators group membership, and verify the membership of the local Administrators group, as shown in Figure 7.

Figure 7. Verify that the restricted groups policy has updated the local Administrators group membership.


9.
Log off of the workstation and log back on to the Windows Server 2008 R2 system. Link the GPO to the appropriate organizational unit.

Configuring restricted groups to manage domain groups can be performed using the same steps as previously outlined. The only difference is that the GPO will need to be linked to the Domain Controllers organizational unit, or the domain itself. Even if membership or member of configuration of a group is managed with restricted groups, it does not prevent users with the correct access from modifying the membership of these groups between Group Policy refresh cycles. To mitigate this, try to keep the membership of Administrators, Domain Admins, Account Operators, and Enterprise Admins in the domain to a minimum. On the local systems, try to keep the local Administrators group membership limited as well.

Other -----------------
- Windows Server 2008 R2 : Managing Users with Policies
- BizTalk 2010 Recipes : Document Schemas - Creating Flat File Schemas via the Wizard
- BizTalk 2010 Recipes : Document Schemas - Creating Flat File Schemas
- SharePoint 2010 : Testing the Three-State Workflow
- SharePoint 2010 : Reviewing the Workflow-Related Settings in Central Administration and Site Settings
- SharePoint 2010 : Defining Workflows in the Business Environment
- Exchange Server 2010 : Setting Up Public Folders (part 5) - Create and Configure a Public Folder
- Exchange Server 2010 : Setting Up Public Folders (part 4) - Create and Configure a Dynamic Distribution Group
- Exchange Server 2010 : Setting Up Public Folders (part 3)
- Exchange Server 2010 : Setting Up Public Folders (part 2) - Mail-Enable Public Folder & Configuring Public Folder Limits
- Exchange Server 2010 : Setting Up Public Folders (part 1) - Creating Public Folders & Configuring Public Folder Permissions
- Windows Server 2008 R2 : Managing Computers with Domain Policies (part 7)
- Windows Server 2008 R2 : Managing Computers with Domain Policies (part 6)
- Windows Server 2008 R2 : Managing Computers with Domain Policies (part 5)
- Windows Server 2008 R2 : Managing Computers with Domain Policies (part 4) - Deploying Printers
- Windows Server 2008 R2 : Managing Computers with Domain Policies (part 3) - Creating Application Control Policies
- Windows Server 2008 R2 : Managing Computers with Domain Policies (part 2) - Creating a Software Restriction Policy
- Windows Server 2008 R2 : Managing Computers with Domain Policies (part 1)
- BizTalk 2010 Recipes : Document Schemas - Defining Regular Expressions
- BizTalk 2010 Recipes : Creating Complex Types
 
 
Most view of day
- Managing Windows Small Business Server 2011 : Adding a Terminal Server (part 3) - Configuring RD Licensing
- Working with the User State Migration Tool (part 1) - Using the USMT in Four Deployment Scenarios
- Sharepoint 2013 : Backup and Restore (part 6) - Farm Backup and Restore - Performing a Restore, Using PowerShell
- Windows Server 2012 Administration : Configuring Sites (part 2) - Creating a Site - Adding Domain Controllers to Sites
- Microsoft Project 2010 : Linking Tasks (part 3) - Using the Start-to-Start Relationship,Using the Finish-to-Finish Relationship
- Designing and Configuring Unified Messaging in Exchange Server 2007 : Monitoring and Troubleshooting Unified Messaging (part 1) - Active Calls , Connectivity
- Microsoft Visio 2010 : Creating and Using Shape Data Fields (part 5) - Shape Data Labels versus Names
- Windows Server 2012 Administration : Managing Printers with the Print Management Console (part 2) - Adding New Printers as Network Shared Resources
- Microsoft Excel 2010 : Calculating the Median
- Windows Server 2012 : File Services and Storage - Configuring iSCSI storage (part 1) - Understanding iSCSI storage
Top 10
- Windows Server 2012 : Configuring IPsec (part 7) - Configuring connection security rules - Monitoring IPsec
- Windows Server 2012 : Configuring IPsec (part 6) - Configuring connection security rules - Creating a custom rule, Configuring authenticated bypass
- Windows Server 2012 : Configuring IPsec (part 5) - Configuring connection security rules - Creating an authentication exemption rule, Creating a server-to-server rule, Creating a tunnel rule
- Windows Server 2012 : Configuring IPsec (part 4) - Configuring connection security rules - Types of connection security rules, Creating an isolation rule
- Windows Server 2012 : Configuring IPsec (part 3) - Configuring IPsec settings - Customizing IPsec tunnel authorizations, Configuring IPsec settings using Windows PowerShell
- Windows Server 2012 : Configuring IPsec (part 2) - Configuring IPsec settings - Customizing IPsec defaults
- Windows Server 2012 : Configuring IPsec (part 1) - Understanding connection security
- Microsoft Project 2010 : Linking Tasks (part 8) - Auditing Task Links,Using the Task Inspector
- Microsoft Project 2010 : Linking Tasks (part 7) - Creating Links by Using the Mouse,Working with Automatic Linking Options
- Microsoft Project 2010 : Linking Tasks (part 6) - Creating Links by Using the Entry Table
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro