Restricted Group GPOs

Adam Jones - Systems Engineer - Boston IT Consulting

Restricted Group GPOs give network administrators the power to centrally control and enforce local group membership on computers in your domain environment. Let's say you need to give a specific group of technical staff the ability to administer the computers in a particular department. Creating a Restricted Group GPO allows you to add this group of staff members to the local Administrators group on every computer object that resides in that department's organizational unit. Because the accounts defined in your policy override any previous settings on the computer, this is also a useful way to ensure that the membership of these groups is not modified by the local user. Since this policy replaces the group's existing membership, be sure to add the Domain Admins group and any other administrative accounts that your network requires on client computers.

To access the Restricted Groups node, navigate to the following path in any GPO:

Computer Configuration > Windows Settings > Security Settings > Restricted Groups

Note that when creating the restricted group, you must use the exact name of the local group that you wish to modify. For example, when adding users to the local Administrators group, create a restricted group named exactly Administrators in the right pane of the GPO window.
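Once the policy has applied, the following PowerShell check (an added example, not part of the original post) compares the computer's actual local Administrators membership with the members the policy is meant to enforce and reports any drift, which is how you confirm that the group is neither missing your required accounts nor carrying extra ones added locally. The CONTOSO domain name and the Finance-Desktop-Admins group are assumptions; replace them with the groups from your own policy.

```powershell
# Added example: verify that local Administrators membership matches the
# Restricted Groups policy and report any drift. Requires Windows PowerShell 5.1+
# (Microsoft.PowerShell.LocalAccounts module) and local admin rights to run.

# Members the policy is meant to enforce (assumed names, adjust for your domain).
$Expected = @(
    'Administrator',                  # built-in local Administrator account
    'CONTOSO\Domain Admins',          # assumed domain name
    'CONTOSO\Finance-Desktop-Admins'  # assumed departmental IT group
)

# Get-LocalGroupMember returns Name as 'DOMAIN\account' or 'COMPUTER\account'.
# Strip the local computer prefix so local accounts compare as bare names.
$ComputerPrefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'
$Actual = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name -replace $ComputerPrefix, '' }

# -notin is case-insensitive by default, matching how Windows treats account names.
$Unexpected = @($Actual   | Where-Object { $_ -notin $Expected })
$Missing    = @($Expected | Where-Object { $_ -notin $Actual })

if ($Unexpected.Count -eq 0 -and $Missing.Count -eq 0) {
    Write-Output "OK: Administrators membership matches the Restricted Groups policy."
    exit 0
}

# Report drift: extra members suggest local tampering or a policy that has not
# applied yet; missing members mean the policy omits an account you rely on.
$Unexpected | ForEach-Object { Write-Output "UNEXPECTED member: $_" }
$Missing    | ForEach-Object { Write-Output "MISSING member:    $_" }
exit 1
```

If the policy has not yet refreshed on the client, run gpupdate /force first; a non-zero exit code makes the script usable from a scheduled task or monitoring agent.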