Security Settings – Restricted Groups
One scenario where you may want to configure a Restricted Groups policy is for member servers. A local administrator could remove Domain Admins from the local Administrators group, which would make it difficult for you to administer that server. By enforcing Restricted Groups, you can ensure that Domain Admins is always a member of the local Administrators group.
From a technical point of view this is a curious policy. To start with, there is no policy; you have to create one. Fortunately, creating a Restricted Groups policy is easy. However, configuring it can be confusing because there are two similar properties, Members and Member Of.
The plain ‘Members’ list defines who belongs to the restricted group, whilst the ‘Member Of’ list specifies which other groups the restricted group itself belongs to.
When you enforce a Restricted Groups policy, any current member that is not on the Members list is removed. Equally, any user on the Members list who is not currently a member of the restricted group is added to that group.
The ‘Reverse membership’ configuration ensures that each Restricted Group is a member of only those groups that are specified in the Member Of column.
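Because enforcing a Members list removes every account that is not on it, it is worth previewing the effect before linking the policy. The following is an added example, not part of the original page: a dry-run that compares a group's current membership with a proposed Members list. The function name Get-RestrictedGroupChange and the sample accounts are constructed for illustration.

```powershell
# Added example: preview what enforcing a Restricted Groups 'Members' list
# would change on one machine. Function name and sample accounts are constructed.
function Get-RestrictedGroupChange {
    [CmdletBinding()]
    param(
        # Accounts currently in the group
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $CurrentMembers,
        # Accounts on the policy's Members list
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $PolicyMembers
    )

    # Account names are case-insensitive on Windows, so compare them that way.
    $cmp     = [System.StringComparer]::OrdinalIgnoreCase
    $current = [System.Collections.Generic.HashSet[string]]::new($CurrentMembers, $cmp)
    $policy  = [System.Collections.Generic.HashSet[string]]::new($PolicyMembers, $cmp)

    # Every account that appears on either list, de-duplicated.
    $all = @($CurrentMembers) + @($PolicyMembers) | Sort-Object -Unique

    foreach ($name in $all) {
        $onPolicy = $policy.Contains($name)
        $inGroup  = $current.Contains($name)
        # On the list and present: kept. On the list only: added. Otherwise: removed.
        $action = if ($onPolicy -and $inGroup) { 'Keep' } elseif ($onPolicy) { 'Add' } else { 'Remove' }
        [pscustomobject]@{ Account = $name; Action = $action }
    }
}

# Constructed sample: a local administrator has removed Domain Admins
# and added a personal account to the local Administrators group.
$current = 'SRV01\Administrator', 'CONTOSO\jsmith'
$policy  = 'SRV01\Administrator', 'CONTOSO\Domain Admins'

Get-RestrictedGroupChange -CurrentMembers $current -PolicyMembers $policy |
    Format-Table -AutoSize

# On a live server the current list could come from:
#   (Get-LocalGroupMember -Group 'Administrators').Name
```

Any service or built-in account that must stay in the group has to appear on the Members list too, otherwise it shows up here with the action Remove.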
As ever, when you are not sure what to do, right-click. So from the Restricted Groups folder: right-click, Properties, Add Group. Next, make your selections for the Members and Member Of boxes.
Now that you understand how restricted groups work, you come to the strategic decision about how to implement them. The philosophy here is that you do not want anyone to sneak extra members into key groups such as Administrators. You can extend the principle to politically sensitive groups that you created, for example Managers, Bosses, or Downsizing Committee.
Who needs this policy? Companies that are so big that you have lots of administrators and you want to control membership of key groups.