Control Group Membership with Group Policy and Preferences


Microsoft created two ways to control the membership of local and domain security groups. One is Restricted Groups, which can be set in the “Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups” node of a group policy object. Right-click the node and specify the group to be managed. Any group on the local computer or in Active Directory can be restricted in both the “Members” tab and the “Members of” tab. It is important to add all desired users and groups to the tabs, because any existing members will be removed when the group policy is applied. More than one administrator has accidentally removed their own account from a restricted group by not adding it in the policy. If a group is restricted in Group Policy, its membership can no longer be managed in Active Directory Users and Computers; it must be managed in the Group Policy Object Editor. Any domain or local group can be managed using this method, and it is effective at securing highly important groups such as Enterprise Admins and Schema Admins.

Group Policy Preferences offers an alternative way to manage local groups. With Preferences, local and domain accounts can be added to a local group without affecting the existing members of the group. With Preferences, group members can also still be added in Local Users and Groups. To apply preference settings to a group, use the “Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups” node. Right-click on the node, and select either the “Local User” or “Local Group” you wish to manage.

One difference between Preferences and Policies is what happens when the settings are removed: if you delete a restricted group’s group policy, the group membership changes caused by Restricted Groups are reversed. Changes made with Group Policy Preferences persist after the preference item is removed, so the existing Group Policy must be edited to restore the original members of the group before the policy is removed.
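Because a Restricted Groups “Members” list replaces the current membership, the practical safeguard is to preview the change before the GPO is linked. The following PowerShell is an added example, not code from the original article: it compares a group’s live membership (via Get-LocalGroupMember, Windows 10 / Server 2016 or later) with the list the policy will enforce and warns if the account running it would be removed. The desired-member names are constructed for illustration and must be written the way Get-LocalGroupMember reports them (DOMAIN\name or COMPUTER\name).

```powershell
# Added example (not from the original article): dry-run of what a Restricted Groups
# "Members" list would do to a local group, so an administrator does not lock
# their own account out. Assumes the LocalAccounts module (Windows 10 / Server 2016+).

function Compare-RestrictedGroupMembers {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        # Members the Restricted Groups "Members" tab will enforce (constructed list in the call below)
        [Parameter(Mandatory)] [string[]] $DesiredMembers,
        # Current members; defaults to a live query, can be supplied for offline review
        [string[]] $CurrentMembers
    )
    if (-not $CurrentMembers) {
        $CurrentMembers = (Get-LocalGroupMember -Group $GroupName).Name
    }
    $current = $CurrentMembers | ForEach-Object { $_.ToLowerInvariant() }
    $desired = $DesiredMembers | ForEach-Object { $_.ToLowerInvariant() }

    [pscustomobject]@{
        Group      = $GroupName
        # Restricted Groups "Members" replaces: anything not on the desired list is removed
        WillRemove = @($CurrentMembers | Where-Object { $desired -notcontains $_.ToLowerInvariant() })
        WillAdd    = @($DesiredMembers | Where-Object { $current -notcontains $_.ToLowerInvariant() })
        # A Preferences "Local Group" item with the same members only adds; it removes nothing
        PreferencesWouldRemove = @()
    }
}

# Hypothetical desired list for the built-in Administrators group
$plan = Compare-RestrictedGroupMembers -GroupName 'Administrators' `
            -DesiredMembers 'CONTOSO\Domain Admins', 'CONTOSO\HelpDesk'

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($plan.WillRemove -contains $me) {
    Write-Warning "Your own account $me would be removed from $($plan.Group) when this policy applies."
}
$plan
```

Run it on a representative machine before linking the GPO; anything listed under WillRemove that should keep access belongs on the “Members” tab.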


3 comments

  1. Nosa

    What will happen after logout?
    Will the account stay in the security group after logout?

  2. Mark

    Hi Nosa,

    It will stay in the group after logout.

    Mark

  3. Gareth

    This article is not that well written. When you say:

    “It is important to add all desired users and groups to the tabs because any existing members will be removed when the group policy is applied.”

    This is correct if you add to the “Members” section, but if you add the group to “Member Of” then the members are appended, not replaced. I’ve never seen a good article written on this subject; Restricted Groups are not that well understood.