Saturday, August 30, 2014

Windows 7+ Not registering Reverse DNS

Not sure if anyone else besides me uses a network device for DHCP anymore, but if you do, this is for you.  I've never been a fan of how Microsoft apparently wants you to set up DHCP: on a friggin Windows Server.  Why on earth would you do this when your firewall, router, IPS, or basically anything else besides another Windows Server does the job just as well?  According to Microsoft this is blasphemy, and as such, starting with Windows 7 they punish you.

No longer will a Windows client register its PTR record automatically without any extra GPO settings.  Windows XP did it just fine but, c'est la vie, Windows 7 and beyond do not do this.  To fix this you either have to configure each Windows client individually OR, the lazy way, configure a GPO for this.


In Computer Configuration/Admin Templates/Network/DNS Client, configure "Primary DNS Suffix" with your domain's DNS suffix and then enable "Register DNS records with connection-specific DNS suffix".  Once you do that and allow the GPO to take effect, you'll be rewarded with properly registered PTR records.

Saturday, August 9, 2014

The bane of my Windows-Administrating existence, CONQUERED!

Restricted Groups.

I've never been able to fully get the grasp of restricted groups, no matter how many times I've seen a tech blog for it or had someone who has used them explain it to me. Didn't matter, I always failed.  Today is a big day for me, my friends. I kicked its rear end.

I've been fighting this fight, losing it, since Windows Server 2003.  I've NEVER been able to get it to work right.  It's just been one thing I've never gotten but always wanted to.  Thankfully a gentleman on the web somehow stumbled onto a way to explain it to me in a method I could digest.

I will take NO credit for this whatsoever but instead will provide a link back and a copy of his posting on this for validation. Great write-up: http://www.frickelsoft.net/blog/?p=13. I implemented this with NO problems. Sad to know this has been out there since 2006 and yet I never found it.



How To Use Restricted Groups? Part I
Posted October 16, 2006


( – or: How can I add [Active Directory] user accounts into some clients’ local Administrators group without touching each client?)

This article describes the feature “Restricted Groups” in Group Policy. This feature enables you – as the administrator – to configure group memberships on the client computers or member servers. You can add user accounts to groups on client machines that are in the scope of the policy.

As there are many questions about this in the newsgroups, I will come up with an example that shows how to put a group of Active Directory users into the local Administrators group on the clients.

For this article, I assume that you already created a global security group containing all users that shall become local Administrators on some client computers. In my example, the group is called “localAdmins”. The target (= client) computers reside in a specific OU.

If you’re using the Group Policy Editor, you navigate to the OU where the client computers reside and right-click it. Choose “Properties” and “Group Policy” where you create a new Policy and click “Edit”. You then navigate to:

CompConf\Windows Settings\Security Settings\ and then right-click “Restricted Groups” and choose “Add Group”.




You simply add the created group by clicking “Browse..” or typing the group name into the box.



After clicking “OK”, another beautiful window opens up, where you can find two boxes. The upper box, saying “Members of this group”, the lower one saying “This group is a member of”.

If you added users or groups into the “Members of this group” box, you would advise the Restricted Groups feature to put the users and groups you selected into the localAdmins group. Restricted Groups would then replace the current members of the localAdmins group with the users and groups you filled into the box. Please recognize my words, it would replace them – just wipe existing users out of the localAdmins group.

As we do not want to add users or other groups to our group, but add our localAdmins group to the local Administrators group on our clients, we have a look at the lower box – labeled “This group is member of”. We click “Add” and type in the name of the group we want localAdmins to be a member of. In this case, it is “Administrators”. We then simply click “OK” and “Apply” and close all windows. “This group is member of” advises “Restricted Groups” to add our localAdmins group into the “Administrators” group of the clients. The existing group members will not be touched – it simply adds our group.
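
The replace-versus-add distinction described above can be checked in the policy itself; the following is an added example, not part of the original post or of this blog. Restricted Groups settings are saved in the GPO's GptTmpl.inf under [Group Membership], where the upper box becomes a `__Members` key and the lower box a `__Memberof` key; the sample file content, the placeholder SIDs, the `helpdesk` name and the function name are constructed for illustration.

```python
import re

# Constructed sample of a GPO's GptTmpl.inf. SIDs containing
# "1111-2222-3333" are placeholders, not real domain values.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1105__Members =
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111-2222-3333-1106,helpdesk
[Version]
signature="$CHICAGO$"
"""

# Keys look like "<group>__Members" or "<group>__Memberof"; "*" marks a SID.
ENTRY = re.compile(r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$", re.I)

def audit_restricted_groups(inf_text):
    """Return one finding per non-empty Restricted Groups list."""
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line) if in_section else None
        if not m:
            continue
        principals = [p.strip().lstrip("*") for p in m["value"].split(",") if p.strip()]
        if not principals:
            continue  # simplification in this example: empty lists are skipped
        group = m["group"].lstrip("*")
        if m["kind"].lower() == "members":
            # Upper box: the listed principals REPLACE the group's members.
            findings.append({"mode": "replace", "target": group, "principals": principals})
        else:
            # Lower box: the group is ADDED to each parent; others stay.
            for parent in principals:
                findings.append({"mode": "add", "target": parent, "principals": [group]})
    return findings

if __name__ == "__main__":
    for f in audit_restricted_groups(SAMPLE_INF):
        print(f"{f['mode']:7} {f['target']} <- {', '.join(f['principals'])}")
```

Any finding with mode `replace` on a group such as S-1-5-32-544 (the built-in Administrators group) deserves a second look before the GPO is linked, since existing members not in the list are removed.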