Restricted Groups

Using Group Policy Restricted Groups

Since starting work at Primark, I’ve learnt tonnes, and am loving it. Today, however, was the exception, in that I tried to demonstrate something to a colleague about how to use Restricted Groups in a Group Policy Object ‘in reverse’, but I couldn’t recall how to do it, leaving me feeling somewhat inadequate.

Under normal use, the Restricted Groups component of a Group Policy object allows you to restrict the membership of a particular group to selected members. The most common use case for this is at the end-user desktop level to ensure that no users are able to add themselves by hook or crook to the local Administrators group (assuming you don’t give your users Administrator permissions in the first place).

The flip of this is that in some circumstances, more commonly on servers, you may want to supplement the Administrators group with additional members, but not remove any existing additions to the group.

To achieve this configuration, right-click on the Restricted Groups list item in the MMC Console and select Add Groups. When asked to specify the name of the group you wish to add, you would normally enter the name of the group whose membership you want to control (e.g. Administrators). In this case, however, you enter the name of the group that you want to add to Administrators.

When the dialog appears, in the “This group is a member of” section, add the Administrators group.

This change to the normal configuration allows you to add specified groups to existing groups as desired.
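To check which of the two modes a GPO actually uses, the following added example (not from the original post) reads the `[Group Membership]` section of a GPO security template (`GptTmpl.inf`) and labels each entry as restricting or additive. The function name `Get-RestrictedGroupEntry`, the sample templates and the `S-1-5-21-...` SIDs are constructed for illustration.

```powershell
# Constructed samples of the [Group Membership] section of a GPO security template.
# The S-1-5-21-... SIDs are made-up placeholders; S-1-5-32-544 is BUILTIN\Administrators.
$restrictInf = @'
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
'@
$reverseInf = @'
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
'@

function Get-RestrictedGroupEntry {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$InfText)
    $inSection = $false
    $entries = [ordered]@{}
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        # Track which INF section we are in; only [Group Membership] matters here.
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        # Each group gets two keys: <group>__Members and <group>__Memberof.
        if ($line -match '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
            $group = $Matches[1]; $key = $Matches[2]
            $values = @($Matches[3] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if (-not $entries.Contains($group)) { $entries[$group] = @{ Members = @(); Memberof = @() } }
            $entries[$group][$key] = $values
        }
    }
    foreach ($group in $entries.Keys) {
        $e = $entries[$group]
        if ($e.Members.Count -gt 0) { $effect = 'Restrict: membership is replaced by the Members list' }
        elseif ($e.Memberof.Count -gt 0) { $effect = 'Add: group is added to the Memberof groups, existing members kept' }
        else { $effect = 'Neither list populated' }
        [pscustomobject]@{ Group = $group; Members = $e.Members -join ','; MemberOf = $e.Memberof -join ','; Effect = $effect }
    }
}

Get-RestrictedGroupEntry -InfText $restrictInf | Format-List
Get-RestrictedGroupEntry -InfText $reverseInf  | Format-List
```

Against a real GPO, pass the contents of its `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` file from SYSVOL via `Get-Content -Raw`.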