Microsoft provides two ways to control the membership of local and domain security groups through Group Policy. The first is Restricted Groups, configured under the "Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups" node of a Group Policy Object. Right-click the node, choose "Add Group", and specify the group to be managed. Any group on the local computer or in Active Directory can be listed, and each restricted group has two tabs that behave differently: "Members" enforces the exact membership of the group, while "Members of" adds the group to the groups named there without touching their other members. Because the "Members" tab is enforced, list every account and group that should remain in it; any member not listed is removed the next time the policy is applied, and more than one administrator has locked their own account out of a group by leaving it off the list. Once a group's membership is enforced by policy, members added through Active Directory Users and Computers or Local Users and Groups are removed again at the next refresh (the security settings extension also reapplies its settings every 16 hours even when the GPO has not changed), so the membership must be maintained in the Group Policy Object Editor. Any domain or local group can be managed this way, and it is effective at securing highly important groups such as Enterprise Admins and Schema Admins; for a domain group the GPO must be applied to the domain controllers, since the membership of a domain group is written by the domain controller that processes the policy. Keep in mind that whoever can edit the GPO now controls the group, so the GPO's permissions need the same protection as the group itself.
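The lockout described above is easy to avoid with a dry run. The following PowerShell script is an added example, not code from the original article: it parses the [Group Membership] section of a GPO's GptTmpl.inf (the file in which Restricted Groups settings are stored in SYSVOL) and reports, for each enforced "Members" list, which current members of the corresponding local group would be removed and which accounts would be added. The INF text is a constructed sample, the SYSVOL path is given for orientation, and the script assumes the LocalAccounts module (Get-LocalGroupMember) is available.

```powershell
# Added example, not code from the original article: preview what a Restricted Groups
# "Members" list would do to this computer's local groups before the GPO is linked.
# A GPO stores the setting in SYSVOL at
#   <GPO folder>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf, section [Group Membership],
# where each entry is either *<SID> or an account name. The INF text below is a
# constructed sample; to audit a real GPO replace it with
#   Get-Content -Raw -Path '<path to GptTmpl.inf>'
# Requires the LocalAccounts module (Windows PowerShell 5.1 or PowerShell 7 on Windows).

$SampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,CONTOSO\ServerAdmins
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members =
'@

function ConvertTo-Sid {
    # *<SID> entries are used as-is; names are resolved if the account is reachable.
    param([string]$Entry)
    $e = $Entry.Trim()
    if ($e.StartsWith('*')) { return $e.Substring(1) }
    try { return ([System.Security.Principal.NTAccount]$e).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $e }    # cannot be resolved offline: keep the raw name
}

function ConvertTo-AccountName {
    param([string]$Sid)
    try { return ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid }
}

function Get-RestrictedGroupMembers {
    # Yields one object per __Members line. Only __Members is enforced (accounts not
    # listed are removed); __Memberof is additive and is deliberately skipped.
    param([string]$IniText)
    $inSection = $false
    foreach ($line in ($IniText -split "`r?`n")) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(.+?)__Members\s*=\s*(.*)$') {
            $groupEntry = $Matches[1]
            $memberText = $Matches[2].Trim()
            $desired = @()
            if ($memberText) { $desired = @($memberText -split ',' | ForEach-Object { ConvertTo-Sid $_ }) }
            [pscustomobject]@{ Group = (ConvertTo-Sid $groupEntry); DesiredSids = $desired }
        }
    }
}

function Compare-RestrictedGroup {
    # Lists who the policy would remove from, and add to, one local group.
    param([string]$Group, [string[]]$DesiredSids)
    $groupName = ConvertTo-AccountName $Group
    try {
        $current = @(if ($Group -like 'S-1-*') { Get-LocalGroupMember -SID $Group -ErrorAction Stop }
                     else { Get-LocalGroupMember -Name $Group -ErrorAction Stop })
    }
    catch { Write-Warning "Cannot enumerate $groupName : $($_.Exception.Message)"; return }
    $currentSids = @($current | ForEach-Object { $_.SID.Value })
    [pscustomobject]@{
        Group       = $groupName
        WouldRemove = @($current | Where-Object { $DesiredSids -notcontains $_.SID.Value } | ForEach-Object { $_.Name })
        WouldAdd    = @($DesiredSids | Where-Object { $currentSids -notcontains $_ } | ForEach-Object { ConvertTo-AccountName $_ })
    }
}

Get-RestrictedGroupMembers -IniText $SampleInf |
    ForEach-Object { Compare-RestrictedGroup -Group $_.Group -DesiredSids $_.DesiredSids } |
    Format-List
```

Run it on a representative member of the OU the GPO will be linked to. In the constructed sample the empty "Members" line for S-1-5-32-555 (Remote Desktop Users) shows the failure mode the article warns about: every current member of that group appears under WouldRemove, because an empty enforced list is still enforced.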
Group Policy Preferences offers an alternative for local groups (and local users; domain groups cannot be managed this way). The settings live under the "Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups" node: right-click the node and choose New, then "Local User" or "Local Group". A Local Group item with the default Update action adds the listed local and domain accounts to the group without affecting its existing members, and members can still be added manually in Local Users and Groups. The same item also offers "Delete all member users" and "Delete all member groups" options, which make it behave like an enforced Restricted Groups list, so check those boxes before assuming a preference is purely additive. Preference items are stored as XML in SYSVOL, which every authenticated domain user can read; Local User items used to be able to carry a password there, and Microsoft removed that ability in MS14-025 because the stored value was trivially decryptable, so any GPO that still contains one should be cleaned up and the affected password rotated.
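Since a preference item can be additive or destructive depending on its options, it is worth auditing the stored XML rather than trusting the item's name. The script below is an added example, not code from the original article: it reads a Groups.xml of the form Group Policy Preferences writes to SYSVOL and reports each Local Group item's action, its added and removed members, and whether the "delete all" options are set, plus any Local User item that still carries a cpassword attribute. The XML is a constructed sample and the cpassword value is a placeholder; the file path and attribute names are those used by the Preferences client-side extension.

```powershell
# Added example, not code from the original article: audit a Group Policy Preferences
# "Local Users and Groups" item. A GPO stores it in SYSVOL at
#   <GPO folder>\Machine\Preferences\Groups\Groups.xml
# The document below is a constructed sample; for a real GPO use
#   [xml](Get-Content -Raw -Path '<path to Groups.xml>')
# Action codes in the file: C = Create, R = Replace, U = Update, D = Delete.

$SampleGroupsXml = [xml]@'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" changed="2020-01-01 00:00:00" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CONTOSO\ServerAdmins" action="ADD" sid="S-1-5-21-1111111111-2222222222-3333333333-1105"/>
        <Member name="CONTOSO\LegacyAdmin" action="REMOVE" sid=""/>
      </Members>
    </Properties>
  </Group>
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Remote Desktop Users (built-in)" image="2" changed="2020-01-01 00:00:00" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="U" newName="" description="" deleteAllUsers="1" deleteAllGroups="1" removeAccounts="0" groupSid="S-1-5-32-555" groupName="Remote Desktop Users (built-in)">
      <Members>
        <Member name="CONTOSO\Helpdesk" action="ADD" sid=""/>
      </Members>
    </Properties>
  </Group>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalSupport" image="2" changed="2020-01-01 00:00:00" uid="{33333333-3333-3333-3333-333333333333}">
    <Properties action="U" newName="" fullName="" description="" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="LocalSupport"/>
  </User>
</Groups>
'@

$ActionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

function Get-GppGroupFindings {
    # One object per Local Group item. ClearsExistingMembers is true when either
    # "Delete all member users" or "Delete all member groups" is set, i.e. when the
    # item stops being additive and behaves like an enforced Restricted Groups list.
    param([xml]$Doc)
    foreach ($g in @($Doc.Groups.Group)) {
        $p = $g.Properties
        $members = @($p.Members.Member)
        [pscustomobject]@{
            Item                  = $g.name
            Action                = $ActionNames[$p.action]
            TargetGroup           = $p.groupName
            Adds                  = @($members | Where-Object { $_.action -eq 'ADD' }    | ForEach-Object { $_.name })
            Removes               = @($members | Where-Object { $_.action -eq 'REMOVE' } | ForEach-Object { $_.name })
            ClearsExistingMembers = ($p.deleteAllUsers -eq '1') -or ($p.deleteAllGroups -eq '1')
        }
    }
}

function Get-GppUserFindings {
    # One object per Local User item. A non-empty cpassword is a finding: the value is
    # readable by every domain user in SYSVOL and recoverable (see MS14-025).
    param([xml]$Doc)
    foreach ($u in @($Doc.Groups.User)) {
        $p = $u.Properties
        [pscustomobject]@{
            Item           = $u.name
            Action         = $ActionNames[$p.action]
            UserName       = $p.userName
            StoresPassword = -not [string]::IsNullOrEmpty($p.cpassword)
        }
    }
}

Get-GppGroupFindings -Doc $SampleGroupsXml | Format-List
Get-GppUserFindings  -Doc $SampleGroupsXml | Format-List
```

Treat any item with ClearsExistingMembers set to True like a Restricted Groups "Members" list and review its member list before linking the GPO; treat any StoresPassword result of True as a credential exposure to remediate, not merely a configuration note.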
One point the two mechanisms share is that neither records the membership that existed before the policy was applied, so deleting or unlinking the Group Policy Object does not restore it: accounts that a Restricted Groups "Members" list removed stay removed, and accounts added by a Preferences item stay in the group. Both settings "tattoo" the machine. To return a group to its original membership, edit the existing Group Policy so that it specifies the desired members, let it apply, and only then remove the policy.