The magic of Group Policy in an Active Directory environment is that it can reach out and touch so many computers that it can automate many tasks for you while being flexible enough to target only the computers you want. Adding Active Directory users or groups to local groups with the Restricted Groups setting is only another example of that. However, it is one of the more confusing settings that I, at least, have a little difficulty wrapping my head around. That’s what makes it worth writing down.
The policy for Restricted Groups is documented in Microsoft’s KB article 279301 but it hardly does the topic justice in clarifying a setting that could result in a lot of work if misconfigured.
Let’s say you have an environment with a small IT staff of 3 people. For better or worse, all 100 staff members are added to the local administrators group of the individual computers they work at daily. You want your 3 IT staff to be administrators on all the computers but you don’t want to go around to each computer and update the local administrators group. One good approach of accomplishing this would be to create a group in Active Directory Users and Computers and add the three staff members to the group. Then, we’re going to create a Group Policy that affects the 100 staff computers. The policy setting you’re looking for is called Restricted Groups. It’s under Policies, Windows Settings, Security Settings. Once at Restricted Groups, you can right-click on the middle pane and choose to Add Group… Enter your group of IT staff.
Next, you’ll be presented with the possibly confusing screen of this policy. You have two areas to optionally fill in.
Members of this group:
Users or groups in this section will be added to the Dept Admins group (or the Restricted Group you’re adding). It will replace any users in the Dept Admins group not in this list and add any to the group that are not already members.
This group is a member of:
Add the local group that you want your group to be a member of. This will add your group to the group membership without replacing others.
Since we want to add our Dept Admins group to the local Administrators group we would leave the ‘Members of this group’ section blank and add ‘Administrators’ to the “This group is a member of” section (as pictured below). This would add Dept Admins group to the local Administrators group will keeping the current membership on each individual computer intact.
If we wanted to remove all of our individuals from being in the local Administrators group, we could create a new Restricted Groups policy. We would start by saying the Administrators group is the one we want to add. We would then add users to the ‘Members of this group’ field like the local Administrator account and the Dept Admins group. This would take out all of the individuals and others from the local BuiltinAdministrators group while adding our Dept Admins group.
If a computer falls out of scope from this policy or the policy is removed, the computer will revert to what was locally listed before the policy.
Even if you use the ‘Members’ setting, the local Administrator account will remain in the local Administrators group.
You may run into different circumstances than predicted if you start mixing policies and the Members and Member of settings across different GPOs of various hierarchy. See KB 925443 for examples.
You can use Group Policy Preferences to create local Groups and add AD users and groups as members. The setting is under Computer Configuration or User Configuration PreferencesControl Panel SettingsLocal Users and Groups.