What is Restricted Groups?
On computers joined to an AD domain it is often necessary to specify and limit which accounts can be members of local groups. In particular, the local Administrators group holds the highest privileges on a domain computer: its members can install, uninstall, write and execute programs, add new members, and so on. Also, by default, the Domain Administrators group is a member of the local Administrators group on every computer in the domain. (** I recommend removing this for security purposes.) Specifying and limiting which accounts can be members of these groups is therefore very important for security.
The Restricted Groups policy setting has been around since the earliest versions of Windows. However, it is not as comprehensive or flexible as the Preferences/Local Users and Groups policy setting. It has a single purpose: the client compares the membership list delivered through this policy with its local groups and purges any member that is not listed in the GPO (even one added by the local administrator).
How do I make a Restricted Groups Policy?
Computer Configuration > Windows Settings > Security Settings > Restricted Groups > Add Group
You can type the name of the local group you want to control directly, or click Browse, pick a computer account from the AD structure, and select the local group name through that remote computer account.
Information:
- The Domain Administrators group can be added here, but doing so poses a potential security risk.
- This is a computer policy (Computer Configuration), so the computer accounts must reside under the OU to which the GPO containing the Restricted Groups setting is linked.
- Another property of this policy is that when the GPO is removed, the changes it left in the clients' SAM database are cleaned up and the groups return to their original state.
**NOTE
1# Members of this group: In this section (** Add Group) you add the user accounts or groups that should be members of the group you selected as the target. This mode is strict: it works as an overwrite and deletes every other member. (*** If the list is left blank, all members on the client side except Administrator are deleted.)
2# This group is a member of: This section is safer and healthier. Existing members of the target group are not deleted, because this mode does not work as an overwrite, so you will not break the target group. You can only take a built-in group or a specific group (** ITHelpdesk, etc.) and add it to the target group. Unfortunately, this mode is not strict: members added by client admins are tolerated, which may pose a security risk.
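As an added example (not from the original post), the following PowerShell audits the local Administrators group against the list a "Members of this group" entry would enforce, reporting the accounts that overwrite mode would purge at the next policy refresh. The account names in $PolicyMembers are assumptions; use the entries from your own GPO.

```powershell
#Requires -Modules Microsoft.PowerShell.LocalAccounts
# Added example, not part of the original post. It models the "Members of this group"
# (overwrite) behaviour: any member of the local group that is not in the policy list
# would be purged, except the built-in Administrator account (local RID 500), which
# Windows does not remove from the Administrators group.
# The entries in $PolicyMembers are assumed sample values.

$PolicyMembers = @(
    'CONTOSO\Domain Admins',   # assumed example entries
    'CONTOSO\ITHelpdesk'
)

function Get-RestrictedGroupDrift {
    param(
        [string]   $Group         = 'Administrators',
        [string[]] $PolicyMembers = $script:PolicyMembers
    )
    # Current members, minus the built-in local Administrator, which the policy never purges.
    $currentNames = @(
        Get-LocalGroupMember -Group $Group |
            Where-Object { -not ($_.PrincipalSource -eq 'Local' -and $_.SID.Value -like '*-500') } |
            ForEach-Object Name
    )

    # -notin compares case-insensitively, matching how Windows treats account names.
    [pscustomobject]@{
        Group      = $Group
        # present locally but absent from the policy: overwrite mode would purge these
        WouldPurge = @($currentNames  | Where-Object { $_ -notin $PolicyMembers })
        # listed in the policy but not present locally: the policy would add these
        WouldAdd   = @($PolicyMembers | Where-Object { $_ -notin $currentNames })
    }
}

$drift = Get-RestrictedGroupDrift
if ($drift.WouldPurge.Count -gt 0) {
    Write-Warning ("Members of {0} not covered by the policy: {1}" -f $drift.Group, ($drift.WouldPurge -join ', '))
}
$drift | Format-List
```

Running this on a client before linking the GPO shows exactly which accounts the overwrite will remove, which is the check to make before an unexpected purge locks out a support account.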
Hope it is useful. – Best regards.