Using restricted groups in Active Directory
Restricted groups are very simple to use, yet many people find them confusing. With restricted groups you can delegate administration or other roles to certain groups without giving those groups administrative rights in your Active Directory.
As an example, let’s say you have a helpdesk working in your company. For them to work as efficiently as possible they might need to log in as Administrators on a client computer to fix various problems. Sometimes (read: most times) you don’t want your helpdesk having domain-level administrative rights, because they might, even unknowingly, mess something up in your production domain. To deal with this we use restricted groups. Restricted groups are provided by Active Directory group policies; they give us a way to centrally drop certain Active Directory groups into computers’ local groups, yes, computer local groups. They don’t have to be administrative groups; they might be anything from backup users to Power Users.
Setting up restricted groups
Let’s take a look at how to set up our helpdesk scenario. First we need to create the group (unless you already have one). So start up Active Directory Users and Computers and create the group in an Organizational Unit (OU) fitting your needs. I will use the OU HelpDesk. In that OU I will create a Global Security group called HelpDeskAdmins. I also have a user, Helmer Help, in my OU, and he will be, for now, the only member of HelpDeskAdmins.
Now we have a group and a user to test with, so let’s get on by creating the Group Policy that enforces this setting.
Creating the restricted groups group policy object
If you don’t have Group policy management console installed you can download it from http://www.microsoft.com/DownLoads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
So let’s create a new group policy called HelpDesk Privileges and link it to an existing OU containing the computers you want the helpdesk users to be able to manage. In my lab this is the Sales OU. Now edit the created and linked GPO and navigate to Computer Settings\Windows Settings\Security Settings\Restricted Groups.
Right-click in the viewer and select Add Group. Type or browse for your group, in my case CORP\HelpDeskAdmins.
Hit OK and you’ll be presented with the CORP\HelpDeskAdmins Properties window. The tab says Configure Membership for CORP\HelpDeskAdmins. You have two boxes to fill in here: Members of this group and This group is a member of. If you set Members of this group, it will WIPE any other user or group from the defined local group. Put simply, if a user or group is not listed under Members of this group it will be removed from the local group too. Wiped, gone, bye.
That’s not what we are out to do here; we simply want to add a group to the client computers’ Administrators group. So we use the This group is a member of box and enter the local Administrators group, named Administrators, by selecting Add and typing the name.
That’s it. Save and check that the policy is linked to an OU.
To test the scenario I’m logging in to a Windows Vista client as the help desk employee Helmer Help and deleting an old local user, Mats. If the computer hasn’t updated its group policies you can speed it up by running gpupdate /force. If you’re already logged in as the user you want to use as a helpdesk user, log out and in again to get the correct permissions.
Check the privileges
Now let’s see if our group has been added to the local Administrators, and I’ll delete the old local account to demonstrate that Helmer has administrative privileges. So go to Control Panel\Administrative Tools\Computer Management\Local Users and Groups\Groups. Open Administrators and behold, CORP\HelpDeskAdmins has been added to Administrators.
And as you can see we also have a local account called Mats, so let’s delete it to try out our new godlike powers.
There you have it. Now help desk workers are able to work on client computers with administrative privileges without messing up anything else. And since this is applied per organizational unit, you can restrict different help desks to different OUs.
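Clicking through Computer Management works for one client, but the same check is worth scripting for every computer the GPO is linked to, and the same script also answers the "Members of this group will wipe the local group" warning above: run it before you link such a policy and you have a record of who would be removed. The script below is an added example, not part of the original post. It assumes the domain CORP, the group CORP\HelpDeskAdmins, target computers in the Sales OU, PowerShell remoting enabled, and clients running Windows 10 / Server 2016 or later (Get-LocalGroupMember does not exist on Vista-era clients). The SearchBase value is a placeholder for your own OU path.

```powershell
<#
  Added example, not part of the original post: after the HelpDesk Privileges
  GPO has applied, read the local Administrators group on every computer in the
  Sales OU and report (a) machines where CORP\HelpDeskAdmins is missing and
  (b) members nobody expects to be there.
  Assumptions: domain CORP, group CORP\HelpDeskAdmins, targets in the Sales OU,
  PowerShell remoting enabled, clients on Windows 10 / Server 2016 or later.
  The SearchBase below is a placeholder; replace it with your own OU path.
#>
param(
    [string]   $SearchBase     = 'OU=Sales,DC=corp,DC=example,DC=com',  # placeholder
    [string]   $ExpectedGroup  = 'CORP\HelpDeskAdmins',
    # Principals that are normally in local Administrators and may stay there.
    [string[]] $AllowedMembers = @('CORP\Domain Admins')
)

Import-Module ActiveDirectory

# Computers the GPO is linked to: enabled computer objects under the Sales OU.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
             Select-Object -ExpandProperty Name

# Collect the membership remotely. The group is looked up by its well-known
# SID (S-1-5-32-544) so the check still works if Administrators was renamed.
$membership = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    Get-LocalGroupMember -SID $adminsSid | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name
            Sid      = $_.SID.Value
            Class    = $_.ObjectClass
        }
    }
}

# Evaluate one computer at a time and collect findings.
$findings = foreach ($name in $computers) {
    $rows = @($membership | Where-Object { $_.Computer -eq $name })
    if ($rows.Count -eq 0) {
        [pscustomobject]@{ Computer = $name; Finding = 'No data (offline or remoting failed)'; Member = '' }
        continue
    }
    if ($rows.Member -notcontains $ExpectedGroup) {
        # Policy not applied yet, or not linked to this OU: gpupdate /force on the client.
        [pscustomobject]@{ Computer = $name; Finding = 'Expected group missing'; Member = $ExpectedGroup }
    }
    foreach ($row in $rows) {
        $isBuiltInAdmin = $row.Sid -like '*-500'        # RID 500 = built-in Administrator
        if ($row.Member -ne $ExpectedGroup -and
            $AllowedMembers -notcontains $row.Member -and
            -not $isBuiltInAdmin) {
            # A stray local admin the policy did not remove; decide whether it belongs.
            [pscustomobject]@{ Computer = $name; Finding = 'Unexpected administrator'; Member = $row.Member }
        }
    }
}

$findings | Sort-Object Computer, Finding | Format-Table -AutoSize
```

Run it from a management workstation with the RSAT ActiveDirectory module. An "Expected group missing" row on a freshly linked policy usually just means the client has not refreshed yet; an "Unexpected administrator" row is the list you would lose if you switched the GPO to Members of this group, so review it before making that change.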
Conclusion
Restricted groups in Group Policy are a simple way of delegating permissions or group membership centrally to any domain computer or server. Using restricted groups it is easier to enforce the lowest possible permissions for any given account.
If you have any comments or questions about using restricted groups don’t hesitate to drop me a line by commenting.


Comments
Thanks for the info, Good job.
Thanks again
Best and easiest guide to restrictive groups for AD users on the internet.
Everything explained in plain words – just what I needed. Thanks
Thanks Shaikh,
I always found this to be a simple thing that has been explained too complexly in most guides.
You Rock!
Simple and effective. Why can’t Microsoft hire people who are capable of describing simple concepts. Well done!
Thanks JT,
I had the same problem when I first started experimenting with Restricted groups. So I just had to write it down to remember it the next time.