Friday, September 11, 2009

“Restricted Groups” in Group Policy

Ever had to add users to a local admin group but had no access to the computer? Or had to add a special user account to the Administrators group of every computer on the network for remote administrative functions?
Group Policy Restricted Groups enables you, as the administrator, to configure group memberships on client computers and member servers. Cool. Useful!!!

The “Restricted Groups” option allows 2 types of settings: Members and Member Of.

Members – This setting allows you to control the members of the group that you specify for the policy. The members can include both user and group accounts. When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO. If you were to configure this setting and leave the members blank, then the group would not have any members after the GPO is applied to the computer.

Member Of – This setting allows you to control which other groups the specified group has membership in. All groups that you configure in this interface must meet the approved group nesting rules. Therefore, you can’t configure a local group to have membership in another group, since local groups can’t be placed in Active Directory groups, nor placed in other local groups. If the list of groups in this section is left blank, it will not remove the specified group from any existing groups; it will just not place it in additional groups.
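As an added example (not from the original post), this Python sketch models the two settings as described above: Members replaces a group's membership, even when blank, while Member Of only adds. It assumes the settings are read from the `[Group Membership]` section of a GPO's GptTmpl.inf; the sample text, account names and group names are all constructed.

```python
# Constructed sample of a [Group Membership] section (assumed GptTmpl.inf layout).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
Administrators__Members = CORP\\Domain Admins,CORP\\Workstation Admins
CORP\\Helpdesk__Memberof = Remote Desktop Users
Backup Operators__Members =
CORP\\Auditors__Memberof =
"""

def parse_group_membership(text):
    """Return (members, member_of) dicts parsed from the [Group Membership] section."""
    members, member_of, in_section = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        names = [v.strip() for v in value.split(",") if v.strip()]
        group, _, kind = key.strip().rpartition("__")
        if kind.lower() == "members":
            members[group] = names
        elif kind.lower() == "memberof":
            member_of[group] = names
    return members, member_of

def apply_policy(current, members, member_of):
    """Model the result on one computer; `current` maps group -> set of members."""
    result = {g: set(m) for g, m in current.items()}
    for group, names in members.items():
        result[group] = set(names)            # Members: overwrite, even if blank
    for account, groups in member_of.items():
        for g in groups:                      # Member Of: additive, never removes
            result.setdefault(g, set()).add(account)
    return result

def emptied_groups(members):
    """Groups that a blank Members list would leave with no members at all."""
    return sorted(g for g, names in members.items() if not names)
```

Running `emptied_groups` over a GPO before linking it is a quick review check for a Members entry that was configured but left blank.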

A simple yet efficient time saver.

Derek Melber wrote a good security piece on restricted groups.
