Windows Server 2008 R2 : Managing Active Directory with Policies (part 2) - Configuring Restricted Groups for Domain Security Groups

3/26/2011 6:59:16 PM

Configuring Restricted Groups for Domain Security Groups

Restricted groups are a Group Policy feature that commonly goes unused. Restricted groups settings allow an administrator to manage the membership of local groups on domain member servers and workstations. They can also be used to manage the membership of domain security groups when the policy is applied to the appropriate domain or to the Domain Controllers organizational unit.

Note

Unless the impact is completely understood and desired, never link a group policy with restricted group settings to a domain or a site object because the settings will be inherited by all computers in the domain or site, including domain controllers and Active Directory security groups. If linking this policy to a domain or site is required, make sure to use security or WMI filtering to exclude domain controllers and any additional systems as required if Active Directory security groups should not be managed by the policy.


Restricted groups can be used to populate and control the members of a designated group, or to add members to a specific group. Using restricted groups requires a deep understanding of how the settings work, and GPO modeling should always be performed before linking a restricted group GPO to an Active Directory site, domain, or organizational unit. Group Policy administrators and organizations commonly use restricted groups domain policies for a few scenarios, which include, but are not limited to, the following:

  • Define and restrict the membership of a local or domain security group by adding users or other groups using the Members setting of restricted groups.

  • Add universal and global domain groups to local computer or domain local groups using the Member Of setting of restricted groups.

Of course, defining the membership of groups is still limited by the domain functional level when it comes to group nesting.
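The Members and Member Of settings described above are stored by the GPO in its security template (GptTmpl.inf) under a [Group Membership] section, as `<group>__Members` and `<group>__Memberof` keys. The following added example (not code from the original article) parses such a section so the two kinds of setting can be reviewed before the GPO is linked; the template text is constructed to mirror the two scenarios in this section, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of the original article. Lists every group a
# Restricted Groups policy touches and whether the policy DEFINES its
# membership (Members) or ADDS it to other groups (Memberof).
# A real template sits under <GPO>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
function Get-RestrictedGroupSetting {
    param([Parameter(Mandatory)][string[]]$TemplateLines)

    $inSection = $false
    foreach ($raw in $TemplateLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {              # section header
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or -not $line) { continue }

        # Keys: "<group>__Members = a,b" or "<group>__Memberof = c".
        # A leading "*" marks a SID reference (e.g. *S-1-5-32-544 = Administrators).
        if ($line -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') {
            $kind    = $Matches['kind']
            $targets = @()
            if ($Matches['value']) {
                $targets = @($Matches['value'] -split ',' | ForEach-Object { $_.Trim() })
            }
            # Members replaces the group's membership; Memberof only adds.
            # An empty Members list is the entry to review before linking.
            $effect = if ($kind -eq 'Members') { 'Defines membership (others removed)' }
                      else                      { 'Adds group to listed groups' }
            [pscustomobject]@{
                Group   = $Matches['group']
                Setting = $kind
                Targets = ($targets -join ', ')
                Effect  = $effect
            }
        }
    }
}

# Constructed sample (not taken from a real GPO) mirroring both scenarios.
$sample = @'
[Unicode]
Unicode=yes
[Group Membership]
Network Configuration Operators__Memberof =
Network Configuration Operators__Members = COMPANYABC\NetOps,COMPANYABC\jsmith
COMPANYABC\IT__Memberof = *S-1-5-32-544
COMPANYABC\IT__Members =
'@ -split "`r?`n"

Get-RestrictedGroupSetting -TemplateLines $sample | Format-Table -AutoSize
```

To review a real GPO, replace `$sample` with `Get-Content` of the GptTmpl.inf from the domain's SYSVOL copy of the policy.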

Controlling Group Membership Using Restricted Groups

Restricted groups can be used to control the membership of a group using the Members setting, which is detailed next. When this setting is defined for a group, only the members added to this list will be members of the group, and any existing members will be removed when the policy is applied or refreshed. The only exception to this rule is the Administrator account: when the local Administrator account is a member of a member server's local Administrators group, or the domain Administrator account is a member of the Administrators domain security group, that account remains in the group even when a restricted group Members setting is defined that does not include it. This exception does not apply to any other security group of which the Administrator account is a member.

The restricted groups Administrator account exception was added as a fix in specific service pack revisions, so if the computers in the organization are not running supported operating systems with current service pack revisions, the Administrator account can be removed by a restricted groups Members policy. As a best practice, when the local or domain Administrator account needs to be a member of a restricted group, do not count on the GPO to leave it in; instead, define it explicitly within the Members policy setting. As an example of how to control the membership of a local group on a member server or workstation using restricted groups, perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative server.

2. Open the Group Policy Management Console from the Administrative Tools menu.

3. Add the necessary domains to the GPMC as required.

4. Expand the Domains node to reveal the Group Policy Objects container.

5. Create a new GPO named NetCfgOpsRestrictedGroupGPO.

6. Open the NetCfgOpsRestrictedGroupGPO policy for editing and, in the Group Policy Management Editor, expand the Computer Configuration node, expand Policies, expand Windows Settings, expand the Security Settings node, and select Restricted Groups.

7. In the tree pane, right-click the Restricted Groups node and select Add Group.

8. When the Add Group window opens, do not browse; just type in Network Configuration Operators and click OK.

9. When the Network Configuration Operators window opens, click the Add button in the Members of This Group section.

10. When the Add Member window opens, type in the name of a user or group and click OK, or click the Browse button to locate and select users and/or groups, click OK, and click OK again. Domain accounts should be entered as domain\username, and multiple entries should be separated by semicolons.

11. After all the entries are added, click OK to finalize the settings, as shown in Figure 5.

Figure 5. Configuring members using restricted groups.

12. Back in the Group Policy Management Editor window, close the GPO.

13. In the GPMC, link the new NetCfgOpsRestrictedGroupGPO policy to an OU with a computer account that can be used to test this policy. The Network Configuration Operators group exists on Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows 7 systems.

14. Log on to a system to which the policy applies with an account that has administrative privileges and verify the membership of the group. If the policy has not yet been applied, run the gpupdate.exe /force command in a Command Prompt window.

15. Add additional users to the group and reapply the GPO by running the gpupdate.exe /force command in a Command Prompt window. Verify that the new users have been removed by the domain group policy.

16. Log off of the workstation and log back on to the Windows Server 2008 R2 system. Link the GPO to the appropriate organizational unit to complete this task.

Using this function of restricted groups is not recommended for the local Administrators group on domain workstations, or for the Administrators group in Active Directory, unless the organization is certain that no accounts have been added to those groups to support legacy applications or to grant other additional rights. In this example, the Network Configuration Operators group membership has been defined by the policy; this group has the rights to completely manage and configure the network settings of the computer.

Modifying Group Membership Using Restricted Groups

When defining the entire membership of a group is not the desired change, the Restricted Groups Member Of function can be used. This is a less invasive method of updating or modifying group membership using domain policies. As an example, if an organization wants to add the COMPANYABC\IT domain security group to the local Administrators group of all computers in the HQ Workstations organizational unit, the following process can be followed:

1. Create an OU called HQ Workstations and place all the necessary computer accounts into the OU.

2. Create a new domain group policy called HQWorkstationsRestrictedGroupGPO and open it for editing.

3. Click the Computer Configuration node, expand Policies, expand Windows Settings, expand Security Settings, and then select Restricted Groups. Add a group, but do not specify the Administrators group; instead, specify the COMPANYABC\IT group.

4. In the properties of the COMPANYABC\IT restricted group, click the Add button in the This Group Is a Member Of section. In the Add window, do not browse; simply type in Administrators and click OK. The properties of the group should appear, as shown in Figure 6.

Figure 6. Adding members to the local Administrators group using the Restricted Group Member Of function.

5. Click OK again to close the COMPANYABC\IT Restricted Group Properties window.

6. Back in the Group Policy Management Editor window, close the GPO.

7. In the Group Policy Management Console, link the new HQWorkstationsRestrictedGroupGPO policy to an OU with a computer account that can be used to test this policy.

8. Log on to a system that the policy applies to using an account with Administrators group membership, and verify the membership of the local Administrators group, as shown in Figure 7.

Figure 7. Verify that the restricted groups policy has updated the local Administrators group membership.

9. Log off of the workstation and log back on to the Windows Server 2008 R2 system. Link the GPO to the appropriate organizational unit.

Configuring restricted groups to manage domain groups can be performed using the same steps as previously outlined. The only difference is that the GPO will need to be linked to the Domain Controllers organizational unit, or to the domain itself. Even when a group's Members or Member Of configuration is managed with restricted groups, this does not prevent users with the correct access from modifying the membership of these groups between Group Policy refresh cycles. To mitigate this, keep the membership of the Administrators, Domain Admins, Account Operators, and Enterprise Admins groups in the domain to a minimum. On local systems, keep the local Administrators group membership limited as well.
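Because membership can drift between refresh cycles, a practitioner will want a check that compares a computer's actual local group membership with what the policy is expected to enforce. The following added example (not code from the original article) does that for both procedures in this section: an exact-membership check for a group defined through Members (Network Configuration Operators) and a must-contain check for a group extended through Member Of (Administrators). It assumes the WinNT ADSI provider, a caller allowed to read local group membership, and Windows PowerShell 3.0 or later; the account names are the article's examples, with a constructed COMPANYABC\NetOps group standing in for the accounts you listed in step 10.

```powershell
# Added example, not part of the original article.
# Reads local group members through the WinNT ADSI provider and reports
# members the Restricted Groups policy would not have put there.
function Get-LocalGroupMemberName {
    param([Parameter(Mandatory)][string]$GroupName,
          [string]$ComputerName = $env:COMPUTERNAME)

    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    # Each member's ADsPath looks like WinNT://COMPANYABC/IT or WinNT://HOST/Administrator;
    # convert it to the DOMAIN\name form used in the policy editor.
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-RestrictedGroupDrift {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        # Accounts the policy's Members list defines: exact membership expected.
        [string[]]$ExpectedMembers,
        # Accounts added through Member Of: must be present, extras are allowed.
        [string[]]$RequiredMembers
    )
    $actual = @(Get-LocalGroupMemberName -GroupName $GroupName)
    $result = [ordered]@{ Group = $GroupName; Actual = ($actual -join ', ') }

    if ($ExpectedMembers) {
        # Members semantics: anything not in the list was added outside the policy
        # (comparison is case-insensitive; local accounts appear as HOST\name).
        $result.Unexpected = @($actual | Where-Object { $ExpectedMembers -notcontains $_ })
        $result.Missing    = @($ExpectedMembers | Where-Object { $actual -notcontains $_ })
    }
    if ($RequiredMembers) {
        # Member Of semantics: the policy only guarantees these are present.
        $result.MissingRequired = @($RequiredMembers | Where-Object { $actual -notcontains $_ })
    }
    [pscustomobject]$result
}

# Scenario 1: Network Configuration Operators membership is defined by the GPO.
Test-RestrictedGroupDrift -GroupName 'Network Configuration Operators' `
    -ExpectedMembers 'COMPANYABC\NetOps'

# Scenario 2: COMPANYABC\IT was added to Administrators; the built-in
# Administrator and other existing members are expected to remain.
Test-RestrictedGroupDrift -GroupName 'Administrators' -RequiredMembers 'COMPANYABC\IT'
```

Any name in Unexpected or MissingRequired indicates a change made outside the policy (or a policy that has not yet applied); running gpupdate.exe /force and re-checking distinguishes the two.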
