Configuring Restricted Groups for Domain Security Groups
A great feature of group
policies that commonly goes unused is restricted groups. Restricted
groups Group Policy settings allow an administrator to manage the
membership of local groups on domain member servers and workstations.
Restricted groups can also be leveraged to manage the membership of
domain security groups when applied to the appropriate domain or the
domain controllers organizational unit.
Note
Unless the impact is
completely understood and desired, never link a group policy with
restricted group settings to a domain or a site object because the
settings will be inherited by all computers in the domain or site,
including domain controllers and Active Directory security groups. If
linking this policy to a domain or site is required, make sure to use
security or WMI filtering to exclude domain controllers and any
additional systems as required if Active Directory security groups
should not be managed by the policy.
Restricted groups can be used
to populate and control the members of a designated group, or they can
be used to add members to a specific group. Using restricted groups
requires a deep understanding of how the settings work and GPO modeling
should always be used before linking a restricted group GPO to an Active
Directory site, domain, or organizational unit. There are a few
scenarios that Group Policy administrators and organizations commonly
utilize restricted groups domain policies for and these scenarios
include, but are not limited to, the following:
Define and
restrict the membership of a local or domain security group by adding
users or other groups using the members setting of restricted groups.
Add
universal and global domain groups to local computer or local domain
groups using the member of setting of restricted groups.
Of course, defining the membership of groups is still limited by the domain functional level when it comes to group nesting.
Controlling Group Membership Using Restricted Groups
Restricted groups can be used
to control the membership of a group using the member setting, which is
detailed next. When this setting is defined for a group, only the
members added to this list will be a member of the group and any
existing members will be removed when the policy is applied or
refreshed. The only exception to this rule is when the local
Administrator user account is a member of a member server Administrators
local group or the Administrators domain security group. The same
exception applies to managing the membership of domain groups, if the
Administrator account in the domain is a member of the Administrators
domain group, this account will remain even when a restricted group
member setting is defined that does not include the Administrator
account. This does not apply to any other security group that the
Administrator account is a member of.
The restricted
groups Administrator account exception was added as a fix with specific
service pack revisions so if the computers in the organization are not
up to date on supported operating systems and current service pack
revisions, the administrator account can be removed by a restricted
groups member policy. As a best practice, when the local or domain
administrator account needs to be a member of a restricted group, do not
count on the GPO to leave it in; instead, define it within the member
policy setting. As an example of how to control membership of a local
group on a member server or workstation using restricted groups, perform
the following steps:
1. | Log on to a designated Windows Server 2008 R2 administrative server.
|
2. | Open the Group Policy Management Console from the Administrative Tools menu.
|
3. | Add the necessary domains to the GPMC as required.
|
4. | Expand the Domains node to reveal the Group Policy Objects container.
|
5. | Create a new GPO named NetCfgOpsRestrictedGroupGPO.
|
6. | Open
the NetCfgOpsRestrictedGroupGPO policy for editing and in the Group
Policy Management Editor, expand the Computer Configuration node, expand
Policies, expand Windows Settings, expand the Security Settings node,
and select Restricted Groups.
|
7. | In the tree pane, right-click the Restricted Groups node and select Add Group.
|
8. | When the Add Group window opens, do not browse; just type in Network Configuration Operators and click OK.
|
9. | When the Network Configuration Operators window opens, click the Add button in the Members of This Group section.
|
10. | When
the Add Member window opens, type in the name of a user or group and
click OK, or click the Browse button to locate and select users and/or
groups, click OK, and click OK again. Domain accounts should be entered
as domain\username and multiple entries should be separated by
semicolons.
|
11. | After all the entries are added, click OK to finalize the settings, as shown in Figure 5.
|
12. | Back in the Group Policy Management Editor window, close the GPO.
|
13. | In
the GPMC, link the new NetCfgOpsRestrictedGroupGPO policy to an OU with
a computer account that can be used to test this policy. Network
Configuration Operators groups exist in Windows XP, Windows Server 2003,
Windows Server 2008, Windows Vista, and Windows 7 systems.
|
14. | Log
on to a system to which the policy applies with an account with
administrative privileges and verify the membership of the group. If the
policy has not yet been applied, run the gpdate.exe /force command in a Command Prompt window.
|
15. | Add additional users to the group and reapply the GPO by running the gpupdate.exe /force command in a Command Prompt window. Verify that the new users have been removed by the domain group policy.
|
16. | Log
off of the workstation and log back on to the Windows Server 2008 R2
system. Link the GPO to the appropriate organizational unit to complete
this task.
|
Using this function
of restricted groups is not recommended for the Administrators local
group on domain workstations or in Active Directory unless the
organization is certain that no users have been added to allow for
legacy application or other additional rights. For this example, the
Network Configuration Operators group membership has been defined by the
policy. This group has the rights to completely manage and configure
network settings of the computer.
Modifying Group Membership Using Restricted Groups
When defining the membership of
a group is not the desired change, the Restricted Groups Member of
function can be used. This is a less-invasive method of updating or
modifying group membership using domain policies. As an example, if an
organization wants to add the COMPANYABC\IT domain security group to the
local Administrators group of all computers in the HQ Workstations
organizational unit, the following process can be followed:
1. | Create an OU called HQ Workstations and place all the necessary computer accounts into the OU.
|
2. | Create a new domain group policy called HQWorkstationsRestrictedGroupGPO and open it for editing.
|
3. | Click
the Computer Configuration node, expand Policies, expand Windows
Settings, expand Security Settings, and then select Restricted Groups.
Add a group but do not specify the Administrators group; instead,
specify the COMPANYABC\IT group.
|
4. | In
the properties of the COMPANYABC\IT restricted group, click the Add
button in the This Group Is a Member Of section. In the Add window, do
not browse; simply type in Administrators and click OK. The properties of the group should appear, as shown in Figure 6.
|
5. | Click OK again to close the COMPANYABC\IT Restricted Group Properties window.
|
6. | Back in the Group Policy Management Editor window, close the GPO.
|
7. | In
the Group Policy Management Console, link the new
HQWorkstationsRestrictedGroupGPO policy to an OU with a computer account
that can be used to test this policy.
|
8. | Log
on to a system that the policy applies to using an account with
Administrators group membership, and verify the membership of the local
Administrators group, as shown in Figure 7.
|
9. | Log
off of the workstation and log back on to the Windows Server 2008 R2
system. Link the GPO to the appropriate organizational unit.
|
Configuring restricted
groups to manage domain groups can be performed using the same steps as
previously outlined. The only difference is that the GPO will need to be
linked to the Domain Controllers organizational unit, or the domain
itself. Even if membership or member of configuration of a group is
managed with restricted groups, it does not prevent users with the
correct access from modifying the membership of these groups between
Group Policy refresh cycles. To mitigate this, try to keep the
membership of Administrators, Domain Admins, Account Operators, and
Enterprise Admins in the domain to a minimum. On the local systems, try
to keep the local Administrators group membership limited as well.
