Group policy "Restricted Groups"

Restricted Groups is a part of the GPO Computer Configuration tree that I had never used until today, primarily because I had never looked into what it actually does, and partly because it has (in my mind) a misleading name, so I assumed it did something else.

What this feature allows you to do is configure the membership of groups within Active Directory, or of the local groups on domain computers. It is also available in the Local Security Policy (naturally), so you can use it on a standalone machine too (although I'd imagine it would be rather less useful in that situation).

Why do I now consider this setting important? Because it allows you to set up a GPO for an OU that makes users members of a given local group, such as Remote Desktop Users, for instance. This first example is useful to me because I didn't want users to be members of the AD Remote Desktop Users group and have RDP access all over the network by default. Restricted Groups lets me add a group of users to the local Remote Desktop Users (RDU) group, so a Terminal Server is now set up entirely automatically once it has been moved into the correct OU.

The second example is forcing the membership of the local Administrators group. This is useful for stopping fiddlers (who "require" local administrator rights on their laptops) from removing Domain Admins, or other groups and users, from the local Administrators group. Whilst I've only ever been locked out of a user's laptop once because of this, I'd rather not go through that again.

Another benefit of using the setting is that it will automatically remove any local user accounts that should not be members of the local Administrators group. I'm sure you can imagine why this is useful!
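Under the hood, Restricted Groups is stored in the GPO's security template (GptTmpl.inf) as a [Group Membership] section, where each group gets a `__Members` list (authoritative: anyone not listed is removed, which is the behaviour described above) and a `__Memberof` list (additive only). As an added example, not from the original post, the Python below parses a constructed fragment of that section and works out what would be added to and removed from a machine's local Administrators group; the domain, SIDs and account names are made up, and the SID-to-name map stands in for the lookup Windows would do itself.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the [Group Membership] section Restricted Groups writes
# into GptTmpl.inf. *S-1-5-32-544 is the built-in Administrators group and
# *S-1-5-32-555 is Remote Desktop Users; the domain SID and names are invented.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,CONTOSO\LaptopAdmins
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = CONTOSO\TS-Users
"""

# Constructed stand-in for SID resolution (RID 512 is Domain Admins).
SID_NAMES = {"*S-1-5-21-1111-2222-3333-512": r"CONTOSO\Domain Admins"}

KEY_RE = re.compile(r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$")


def parse_group_membership(inf_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {group: {"Members": [...], "Memberof": [...]}} for the section."""
    policy: Dict[str, Dict[str, List[str]]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                       # new section header
            in_section = line.lower() == "[group membership]"
            continue
        m = KEY_RE.match(line) if in_section and line else None
        if not m:
            continue
        entries = [p.strip() for p in m.group("value").split(",") if p.strip()]
        group = policy.setdefault(m.group("group"), {"Members": [], "Memberof": []})
        group[m.group("kind")] = entries
    return policy


def plan_changes(members_policy: List[str], actual: List[str],
                 sid_names: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """'Members' is authoritative: report who would be added and who removed."""
    def canon(p: str) -> str:                           # resolve SIDs, ignore case
        return sid_names.get(p, p).lower()
    want = {canon(p) for p in members_policy}
    have = {canon(a) for a in actual}
    to_add = sorted(sid_names.get(p, p) for p in members_policy if canon(p) not in have)
    to_remove = sorted(a for a in actual if canon(a) not in want)
    return to_add, to_remove
```

Run against a current membership list (for example the output of `Get-LocalGroupMember Administrators`), the remove list is exactly the set of accounts a fiddler added that the policy would strip at the next refresh.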