Restricted Groups are very simple to use, and still very confusing to many. With Restricted Groups you can delegate local administration, or other roles, to chosen domain groups without giving those groups administrative rights in Active Directory itself.

As an example, let's say you have a help desk in your company. To work as efficiently as possible they may need to log on to client computers as Administrators to fix various problems. Sometimes (read: most times) you don't want your help desk to have domain-level administrative rights, because they might, even unknowingly, mess something up in your production domain. To deal with this we use Restricted Groups. Restricted Groups is a Group Policy security setting that lets you centrally place Active Directory groups into the local groups of domain computers, yes, the computer's local groups. The local group does not have to be an administrative one; it can be anything from Backup Operators to Power Users.


Setting up restricted groups

Let's take a look at how to set up our help desk scenario. First we need to create the group (unless you already have one). Start Active Directory Users and Computers and create the group in an Organizational Unit (OU) that fits your needs. I will use the OU HelpDesk. In that OU I create a global security group called HelpDeskAdmins. I also have a user, Helmer Help, in the same OU, and for now he will be the only member of HelpDeskAdmins.

[Screenshot: aduc1]

Now we have a group and a user to test with, so let's move on and create the Group Policy that enforces this setting.

Creating the restricted groups group policy object

If you don't have the Group Policy Management Console (GPMC) installed you can download it from http://www.microsoft.com/DownLoads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

So let's create a new Group Policy called HelpDesk Privileges and link it to the OU (or OUs) containing the computers you want the help desk to manage. Restricted Groups is a Computer Configuration setting, so it only takes effect on computer objects under the linked OU; linking it to an OU that holds only user accounts does nothing. In my lab this is the Sales OU. Now edit the newly created and linked GPO and navigate to Computer Configuration\Windows Settings\Security Settings\Restricted Groups.

Right-click in the right-hand pane and select Add Group. Type or browse for your group, in my case CORP\HelpDeskAdmins.

[Screenshot: add_grp1]

Click OK and you are presented with the CORP\HelpDeskAdmins Properties window; the tab reads Configure Membership for CORP\HelpDeskAdmins. There are two boxes to fill in: Members of this group and This group is a member of. Be careful with Members of this group: it makes the list authoritative. Every user or group not listed there is removed from the group each time the policy is applied, which includes local accounts and Domain Admins if you forget to list them. And since security settings are reapplied periodically (by default every 90 minutes on clients, and at least every 16 hours even when the GPO has not changed), anything added by hand on the computer is removed again at the next refresh. Simply put, if a user or group is not in Members of this group, it is removed from the local group. Wiped, gone, bye.

That's not what we are out to do here; we simply want to add a group to the client computers' Administrators group. So we use the This group is a member of box instead, click Add and type the name of the local group, Administrators. This setting is additive: CORP\HelpDeskAdmins is added to Administrators on every computer the GPO applies to, and the existing members of Administrators are left alone.

[Screenshot: group_members]

That's it. Save, and check that the policy is linked to the OU that holds the computers.
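As an added example (not code from the original article), the same scaffolding can be done from PowerShell with the RSAT ActiveDirectory and GroupPolicy modules, and the finished GPO can be read back to confirm what the Restricted Groups entry actually says. The OU names, the account name helmer.help, the DC=corp,DC=local naming and the report node names (RestrictedGroups, GroupName, Memberof, Member) are assumptions from my lab. The membership setting itself still has to be made in the editor as described above, since the GroupPolicy module has no cmdlet for Restricted Groups.

```powershell
# Added example, not code from the original article: scaffold the help desk scenario
# with the RSAT ActiveDirectory and GroupPolicy modules. The OU names, the account name
# helmer.help and the Sales OU as the computer container are lab assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn   = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=local
$helpDeskOu = "OU=HelpDesk,$domainDn"
$salesOu    = "OU=Sales,$domainDn"               # the OU that holds the client computers

# 1. OU for the help desk objects (created only if it is not already there)
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'HelpDesk'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name 'HelpDesk' -Path $domainDn
}

# 2. Global security group that the policy will place into local Administrators
New-ADGroup -Name 'HelpDeskAdmins' -SamAccountName 'HelpDeskAdmins' `
    -GroupScope Global -GroupCategory Security -Path $helpDeskOu

# 3. Test user, and make him the only member of the group
New-ADUser -Name 'Helmer Help' -SamAccountName 'helmer.help' -Path $helpDeskOu `
    -AccountPassword (Read-Host -AsSecureString 'Password for helmer.help') -Enabled $true
Add-ADGroupMember -Identity 'HelpDeskAdmins' -Members 'helmer.help'

# 4. GPO linked to the computers' OU. Restricted Groups lives under Computer Configuration,
#    so linking it to an OU that only contains users would have no effect.
$gpo = New-GPO -Name 'HelpDesk Privileges' -Comment 'Adds CORP\HelpDeskAdmins to local Administrators'
New-GPLink -Name $gpo.DisplayName -Target $salesOu -LinkEnabled Yes | Out-Null

# 5. The Restricted Groups entry itself is set in the Group Policy editor; there is no
#    GroupPolicy cmdlet for it. Once it is saved, read the GPO report back to confirm that
#    the group is configured as a *member of* Administrators and that the authoritative
#    "Members" list was left empty (node names as seen in the XML report of my lab GPO).
[string]$xml = Get-GPOReport -Name $gpo.DisplayName -ReportType Xml
Select-Xml -Content $xml -XPath "//*[local-name()='RestrictedGroups']" | ForEach-Object {
    [pscustomobject]@{
        Group    = $_.Node.GroupName.Name
        MemberOf = @($_.Node.Memberof | ForEach-Object { $_.Name }) -join ', '   # expect Administrators
        Members  = @($_.Node.Member   | ForEach-Object { $_.Name }) -join ', '   # expect empty
    }
}
```

Run it on a domain-joined administrative workstation with RSAT installed. If the Members column comes back non-empty, the entry was made in the authoritative Members of this group box and will remove every unlisted member of the local group at the next policy refresh.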


To test the scenario I log on to a Windows Vista client as the help desk employee Helmer Help and delete an old local user, Mats. If the computer hasn't refreshed its Group Policy yet you can speed it up by running gpupdate /force on it. The setting changes the computer's local Administrators group, but a user's access token is built at logon, so if you are already logged on as the user you want to test with, log off and on again to get the new permissions.

Check the privileges

Now let's see if our group has been added to the local Administrators group, and then delete the old local account to show that Helmer has administrative privileges. Go to Control Panel\Administrative Tools\Computer Management\Local Users and Groups\Groups. Open Administrators and behold: CORP\HelpDeskAdmins has been added to Administrators.


As you can see we also have a local account called Mats, so let's delete it to try out our new godlike powers.
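Clicking through Computer Management shows one computer. As an added example, not from the original article, here is a PowerShell audit that asks every computer in the Sales OU for its local Administrators members and reports anything that is not on the expected list, plus anything expected that is missing (which usually means the policy has not applied there yet). It assumes PowerShell remoting is enabled on the clients, that the targets run English Windows, and that the OU path and the allow-list are adjusted to your domain.

```powershell
# Added example, not code from the original article: audit the local Administrators group
# on every computer in the OU the GPO is linked to and report drift from the expected list.
# It parses "net localgroup Administrators" so that it also works on Windows Vista /
# PowerShell 2.0 targets (Get-LocalGroupMember exists only from Windows 10 / PowerShell 5.1).
# Assumptions: PowerShell remoting is enabled on the clients, the targets run English Windows
# (the parser keys on "The command completed successfully"), and the OU path and allow-list
# below match your domain.
Import-Module ActiveDirectory

$salesOu  = 'OU=Sales,DC=corp,DC=local'
$expected = @(
    'Administrator',         # built-in local administrator account
    'CORP\Domain Admins',    # placed in local Administrators at domain join
    'CORP\HelpDeskAdmins'    # what the Restricted Groups policy adds
)

function Get-LocalAdministrators {
    # Members are the lines between the dashed separator and the trailing status line.
    $inList = $false
    foreach ($line in (net localgroup Administrators)) {
        if ($line -match '^-{10,}')                { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim())             { $line.Trim() }
    }
}

$computers = Get-ADComputer -Filter * -SearchBase $salesOu | Select-Object -ExpandProperty Name

# Each string coming back from a remote session carries a PSComputerName property,
# which is what we group on below. Hosts that could not be reached are listed at the end.
$members = Invoke-Command -ComputerName $computers -ScriptBlock ${function:Get-LocalAdministrators} `
                          -ErrorAction SilentlyContinue -ErrorVariable remoteErrors

$members | Group-Object PSComputerName | ForEach-Object {
    $found = @($_.Group | ForEach-Object { "$_" })
    [pscustomobject]@{
        Computer   = $_.Name
        Unexpected = @($found    | Where-Object { $expected -notcontains $_ }) -join ', '
        Missing    = @($expected | Where-Object { $found    -notcontains $_ }) -join ', '
    }
} | Format-Table -AutoSize

$remoteErrors | ForEach-Object { "Could not query a host: $($_.Exception.Message)" }
```

A non-empty Unexpected column is what you are really hunting for: an extra local account or an ad-hoc domain group in Administrators is exactly the kind of drift the authoritative Members of this group setting would have removed, but with the additive setting used here it stays until you find it.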


There you have it. Help desk workers can now work on client computers with administrative privileges without messing up anything else in the domain. And since the policy follows the OU structure, you can give different help desks administrative rights over different OUs. Keep in mind that this is full local administrator access on every computer under the linked OU, so keep the HelpDeskAdmins group small and review its membership regularly.

Conclusion

Restricted Groups in Group Policy are a simple way of centrally enforcing local group membership on any domain computer or server. Used this way they make it easier to give every account the lowest permissions it needs, instead of handing out domain-level rights just to get local administrative access.

If you have any comments or questions about using restricted groups don’t hesitate to drop me a line by commenting.


  1. Thanks for the info. Good job.

    Thanks again

  2. Shaikh Shoaib says:

    Best and easiest guide to restricted groups for AD users on the internet.
    Everything explained in plain words – just what I needed. thanks

  3. Mats Hellman says:

    Thanks Shaikh,
    I always found this to be a simple thing that has been explained in too complex a way in most guides.

  4. JT says:

    You Rock!

    Simple and effective. Why can’t Microsoft hire people who are capable of describing simple concepts. Well done!

  5. Mats Hellman says:

    Thanks JT,
    I had the same problem when I first started experimenting with Restricted groups. So I just had to write it down to remember it the next time.

  6. Satyabrata says:

    Very nice article!

  7. Manel says:

    I’ve been doing MCITP since 2010 and only now for the first time I fully understood Restricted Groups, thanks to this article explained clearly with simple concepts. Many thanks to the author.

  8. Mats Hellman says:

    Thanks for the kind words, Manel. This is exactly the reason why I created this site in the first place, and I'm really glad the article helped you.

  9. Vinay says:

    Hi,
    That is a good article above. I have a few questions regarding the Restricted groups. Hope you will answer them.

    Instead of adding an already existing group (in AD) to the restricted groups, I will create a new group at the time of adding a new group in Restricted groups, and I will add the existing users (in AD) as the members of this restricted group. I will also add the Administrators group in the "This group is a member of" section. Now, will the users get the full local administrative rights on the client computers?

    Answer me.

    Thanks,
    Vinay.

  10. Mats Hellman says:

    Hi Vinay, not sure what you are trying to do. As the article states, you select the group you need first. Then the setting This group is a member of, as the name states, adds the previously selected group to this group. So if you define Administrators here, users in the "first" group will have administrative rights; if you select Backup Operators they will have Backup Operator rights, and so on.
    Try this in a lab if you feel unsure; it's really easy once you get the hang of it. And the lab is where you should experiment anyway, right?