With Restricted Groups there are two approaches: using the Members section or using the Member Of section. If you use the Members section, only the security principals you select will be members of the restricted group; all existing members of the group are removed. If you use the Member Of section, your group is only added to the restricted group. In the first case, the restricted group is Administrators, and we add Domain Users as a member.
When using the Members section like this, all existing members of the Administrators group are removed on every computer where this policy is applied. In the second case the restricted group is Domain Users, and we specify that it should be a member of Administrators. When using the Member Of section like this, the existing membership of the Administrators group is preserved and Domain Users is simply added on every computer where this policy is applied.
In either case your policy should be linked to an OU containing the computers on which you want the policy applied. The section of the template where the Restricted Groups information is stored is called Group Membership. This is important, as we will see later. The problem with the Restricted Groups interface is that it allows you either to browse for a group name or to enter one manually, and it is very important to understand what happens in each case.
If you enter a name manually, the name ends up in the INF file. Figure 4: Example GptTmpl. In this example GptTmpl. Manually entered names, of either groups or users, are valid only if the computer applying the policy can resolve them.
If you want to control the membership of the local Administrators group on computers and enter the name Administrators manually into the Restricted Groups interface, your policy will only work on computers where the local Administrators group is named exactly Administrators (the comparison is not case-sensitive). This means that if the computer applying the policy is running a localized version of Windows, the policy will fail, because the Administrators group is not named Administrators but has had its name translated into whatever language is running on the computer.
In this scenario it is better to use well-known SIDs in Restricted Groups to guarantee that the policy works on all versions of Windows. A security identifier (SID) is a unique value of variable length that is used to identify a security principal or security group in Windows operating systems.
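The following is an added example, not code from the original post: it parses the [Group Membership] section of a constructed GptTmpl.inf, flags entries that rely on typed names rather than SIDs, and models what Members (replace) and Member Of (add) entries do to a computer's local groups, including the failure on a localized Windows where the typed name "Administrators" does not resolve. The template text, the account tables and the domain SID prefix S-1-5-21-111-222-333 are all constructed placeholders; the well-known builtin SIDs S-1-5-32-544 and S-1-5-32-556 are real.

```python
import re

# Well-known builtin group SIDs: constant on every Windows install, whatever the UI language.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-556": "Network Configuration Operators",
}

# Constructed sample GptTmpl.inf (not a real template). In [Group Membership],
# SIDs carry a leading '*'; anything else is a name typed into the Restricted Groups UI.
# S-1-5-21-111-222-333 is a placeholder domain SID.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-556__Memberof =
*S-1-5-32-556__Members = *S-1-5-21-111-222-333-513
Domain Users__Memberof = *S-1-5-32-544
Administrators__Members = Domain Users
"""

# Constructed account databases: an English computer, a German (localized) computer, and the domain.
ENGLISH_LOCAL = {"Administrators": "S-1-5-32-544", "Network Configuration Operators": "S-1-5-32-556"}
GERMAN_LOCAL = {"Administratoren": "S-1-5-32-544", "Netzwerkkonfigurations-Operatoren": "S-1-5-32-556"}
DOMAIN_ACCOUNTS = {"Domain Users": "S-1-5-21-111-222-333-513", "Domain Admins": "S-1-5-21-111-222-333-512"}

ENTRY_RE = re.compile(r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$", re.IGNORECASE)


def parse_group_membership(inf_text):
    """Return Restricted Groups entries as dicts: group token, kind ('members'/'memberof'), principal tokens."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "group membership"
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if m:
            principals = [p.strip() for p in m["value"].split(",") if p.strip()]
            entries.append({"group": m["group"].strip(), "kind": m["kind"].lower(), "principals": principals})
    return entries


def is_sid_token(token):
    return re.fullmatch(r"\*S-1-\d+(?:-\d+)+", token) is not None


def locale_dependent_entries(entries):
    """Entries that name a group or principal by text; they only work where that exact name resolves."""
    return [e for e in entries
            if not is_sid_token(e["group"]) or any(not is_sid_token(p) for p in e["principals"])]


def resolve(token, local_accounts):
    """SID for a token: '*SID' is taken as-is, a name is looked up locally then in the domain; None if unknown."""
    if token.startswith("*"):
        return token[1:]
    return local_accounts.get(token) or DOMAIN_ACCOUNTS.get(token)


def apply_policy(entries, current, local_accounts):
    """Model the effect on a computer. current: {group SID: set of member SIDs}.
    Members replaces the whole list; Memberof adds the group to each target.
    Entries with an empty list are skipped (a modelling simplification)."""
    state = {g: set(m) for g, m in current.items()}
    report = []
    for e in entries:
        if not e["principals"]:
            continue
        group = resolve(e["group"], local_accounts)
        targets = [resolve(p, local_accounts) for p in e["principals"]]
        if group is None or None in targets:
            report.append(f"FAILED {e['group']}__{e['kind']}: a typed name does not resolve on this computer")
            continue
        if e["kind"] == "members":
            removed = sorted(state.get(group, set()) - set(targets))
            state[group] = set(targets)
            report.append(f"{group}: membership replaced, removed {removed}")
        else:
            for t in targets:
                state.setdefault(t, set()).add(group)
            report.append(f"{group}: added to {targets}, existing members kept")
    return state, report


if __name__ == "__main__":
    entries = parse_group_membership(SAMPLE_GPTTMPL)
    for e in locale_dependent_entries(entries):
        print("name-based (locale-dependent):", e["group"], e["kind"], e["principals"])
    current = {"S-1-5-32-544": {"S-1-5-21-111-222-333-500", "S-1-5-21-111-222-333-512"},
               "S-1-5-32-556": {"S-1-5-21-111-222-333-1001"}}
    for label, accounts in (("English", ENGLISH_LOCAL), ("German", GERMAN_LOCAL)):
        _, report = apply_policy(entries, current, accounts)
        print(f"--- {label} computer ---", *report, sep="\n")
```

On the English computer the name-based `Administrators__Members = Domain Users` line wipes the existing Administrators membership (including the RID-500 account and Domain Admins), which is the behaviour the text warns about; on the German computer the same line fails outright because "Administrators" does not resolve, while the SID-based lines behave identically on both.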
Their values remain constant across all operating systems. The same exception applies to managing the membership of domain groups: if the Administrator account in the domain is a member of the Administrators domain group, this account remains even when a Restricted Groups Members setting is defined that does not include the Administrator account. This does not apply to any other security group that the Administrator account is a member of.
The Restricted Groups Administrator account exception was added as a fix in specific service pack revisions, so if the computers in the organization are not on supported operating systems with current service packs, the Administrator account can be removed by a Restricted Groups Members policy. As a best practice, when the local or domain Administrator account needs to be a member of a restricted group, do not count on the GPO to leave it in; instead, define it explicitly in the Members policy setting.
As an example of how to control membership of a local group on a member server or workstation using Restricted Groups, perform the following steps: Using this function of Restricted Groups is not recommended for the local Administrators group on domain workstations, or for groups in Active Directory, unless the organization is certain that no users have been added to allow for legacy applications or other additional rights.
For this example, the Network Configuration Operators group membership has been defined by the policy. This group has the rights to completely manage and configure the network settings of the computer.
When replacing the membership of a group is not the desired change, the Restricted Groups Member Of function can be used. This is a less invasive method of updating or modifying group membership using domain policies. Configuring Restricted Groups to manage domain groups can be performed using the same steps as previously outlined. The only difference is that the GPO will need to be linked to the Domain Controllers organizational unit, or to the domain itself.
Even if the Members or Member Of configuration of a group is managed with Restricted Groups, this does not prevent users with the correct access from modifying the membership of these groups between Group Policy refresh cycles.
To mitigate this, try to keep the membership of Administrators, Domain Admins, Account Operators, and Enterprise Admins in the domain to a minimum. On local systems, try to keep the local Administrators group membership limited as well.
If you have any questions, feel free to contact me on rebeladm live.
In a previous post I explained the different groups we can create in a domain environment. The next time the policy is applied, it will overwrite the current membership. Francis