Security SettingsĀ  – Restricted Groups

Security Settings – Restricted Groups

One scenario where you may want to configure a policy for Restricted Groups is for member servers. What could happen is that a local administrator removes the Domain Administrators from the local administrators group.  This action would make it difficult for you to administer that server.  By enforcing Restricted Groups, you could ensure that Domain Admins were always a member of the local administrators global group.

Security Settings

     Account Policies

     Local Policies

     Event Log

     Restricted Groups

  ‡

Understanding Members and MemberOf

From a technical point of view this is a curious policy.  To start with there is no policy – you have to create one.  Fortunately, creating a Restricted Group policy is easy.  However configuring can be confusing as there are two similar properties, Members and Member Of.

The plain ‘Members’ list defines who belongs to the restricted group. Whilst the ‘MemberOf’ list, specifies which other groups the restricted group itself, belongs to.

When you enforce a Restricted Groups policy, any current member that is not on the Members list is removed.  Equally, any user on the Members list who is not currently a member of the restricted group is added to that group.

The ‘Reverse membership’ configuration ensures that each Restricted Group is a member of only those groups that are specified in the Member Of column.

Monitor Your Network with the Real-time Traffic AnalyzerSolarwinds Real-time Traffic Analyzer

The main reason to monitor your network is to check that your all your servers are available.  If there is a network problem you want an interface to show the scope of the problem at a glance.

Even when all servers and routers are available, sooner or later you will be curious to know who, or what, is hogging your precious network’s bandwidth.  A GUI showing the top 10 users makes interesting reading.

Another reason to monitor network traffic is to learn more about your server’s response times and the use of resources.  To take the pain out of capturing frames and analysing the raw data, Guy recommends that you download a copy of the SolarWindsfree Real-time NetFlow Analyzer.

Implementing Restricted Group Policy.Group Policy Restricted Groups

As ever, when you are not sure what to do, right-click.  So from the Restricted Group folder, right-click, Properties, Add Group.  Next make your selection for the Members and Members Of boxes.

Now that you understand how restricted groups work, you come to the strategic decision about how to implement them.  The philosophy here is that you do not want anyone to sneak in extra members of key groups such as administrators.  You can extend the principle to politically sensitive groups that you created, for example Mangers, Bosses, or Downsizing Committee.

Who needs this policy?  Companies that are so big that you have lots of administrators and you want to control membership of key groups.


Group Policy ebook Windows 2003Download my ‘Master Group Policies’ ebook only $6.25

The extra features you get in your eBook include: Spreadsheet with over 850 policies.  Printer friendly version over Word A4 pages in Word.


See more security Group Policies

Group Policies   •Troubleshooting Group Policies   •Security Options

Group Policy Overview  • Group Policy Tactics  •Security Restricted Groups 

Security System Services   • Security Audit   •Security Event Log

If you like this page then please share it with your friends