Windows Tip Sheet

Are You Restrictive with Your Groups?

The miracle of Group Policy is that you can maintain tight reins on who has admin rights.

• By Don Jones
• 07/14/2004

Have you ever popped open the local Administrators group on a user's computer and wondered how all those user accounts got in there? Making one user a local Administrator is opening a door: That user can then add whoever he wants to the group, because, well, he's the Administrator. Wouldn't it be nice if you could somehow lock the group down, so that you could make a user a local Admin if needed, but prevent them from offering the same benefits to another user? You can, if you restrict group membership.

The miracle of Group Policy gives you a centralized means of controlling group membership. Pop open any Group Policy object (GPO) you've got handy, and navigate to Computer configuration > Windows Settings > Restricted Groups (you should find this in any Active Directory domain, 2000 and later). Right-click the Restricted Groups folder and select Add Group from the context menu. Select the group you want to restrict and then decide who gets to belong.

Restricting group membership via GPOs.

Quick tip: By eliminating all groups from the membership, you'll ensure that nobody is a member. Use caution, especially when playing with the built-in Administrators group.

Because this configuration is deployed through a GPO, you can apply different Restricted Groups configurations to different sites, OUs, or domains. For example, you might plunk your developers into one OU if you need to add them (via a group membership) to the local Administrators group on their machines. Modifying these groups through GPO is a lot more efficient than running around and doing it manually on a per-machine basis.

Restricted Groups can control any group on a computer, not just built-in groups like Administrators. If you've deployed your own local user groups for a specific application or other purpose, you can centrally lock down group membership right through a GPO. Keep in mind that Restricted Groups isn't additive; it's not "whatever's listed in the GPO plus whoever else gets added." What you list in the Restricted Groups section of the GPO is the sum total of groups' membership. In other words, you can use Restricted Groups to make a user an Admin and prevent that user from making anyone else an Admin.

Best practice: Put users into domain groups, and assign the domain groups to local groups by using Restricted Groups in a GPO (you come up with a sentence that uses the word "group" more times than that). Following this practice, you'll only have to modify your GPOs occasionally, and you can control all permissions using domain groups. Name those domain groups something that helps indicate their role in controlling local group membership: local_Administrators or local_PowerUsers, for example, makes it easier to tell that the members of those domain groups will wind up in the corresponding local groups.

Micro Tip Sheet Have you set up the perfect GPO and need to replicate it to another, standalone domain? You can. GPO files are stored in %systemroot%\SYSVOL\sysvol\domain\Policies\GUID, where GUID is the unique identifier for the GPO itself. You can run Gpotool.exe to find out each GPO's name and corresponding GUID, or just examine the properties of the GPO itself in the Group Policy Management Console (GPMC). In the target domain, create a new GPO and delete the contents of its GPO folder. Copy the appropriate GPO folder contents from the source domain to the new (and now empty) GPO folder in the destination domain. Shazam. Here's a cool GPO: Computer Configuration > Administrative Templates > System > Logon. The policy setting is "Delete cached copies of roaming profiles" and if you enable it, clients will automatically wipe out their local copy of a roaming profile at logoff. This is a useful security measure, although it obviously removes the ability to use that cached profile on, say, a laptop that sometimes isn't connected to the domain. On Windows XP, this policy setting is in Computer Configuration > Administrative Templates > System > User Profiles.

More Resources
Restricted Groups' functionality was updated in Windows 2000 SP4: http://support.microsoft.com/default.aspx?kbid=810076

Microsoft's docs on Restricted Groups: http://www.microsoft.com/resources/documentation/
WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/
resources/documentation/ WindowsServ/2003/standard/proddocs/
en-us/611.asp

The Land of All Answers to GPO Questions: www.gpoanswers.com

Accounts specified in Restricted Groups which are later deleted will cause unresolvable SIDs, and event log errors on your DCs: http://windows.ittoolbox.com/groups/groups.asp?v=activedirectory-l&i=476177