As an example, let’s say you have a helpdesk working in your company. For them to work as efficiently as possible they might need to login as Administrators to a client computer to fix various problems. Sometimes (read most times) you don’t want your helpdesk having Domain level Administrative rights because they might, even unknowingly, mess something up in your production domain. To deal with this we use Restricted groups. Restricted groups are provided by Active Directory group policies, they provide us a way to centrally drop in certain Active directory groups to computers local groups, yes computer local groups. They don’t have to administrative groups, they might be anything from backup users to Power Users.

Setting up restricted groups

Let’s take a look at how to set up our Helpdesk scenario. First we need to create the group (unless you already have one). So start up Active Directory Users And Computers and place the group in an Organizational Unit (OU) fitting your needs. I will use the OU HelpDesk. In the OU I will create a Global Security group called HelpDeskAdmins. I also have a user Helmer Help in my OU and he will be, for now, the only member of HelpDeskAdmins.

Now we have a group and a user to test with so let’s get on by creating our Group policy to enforce this setting.

Creating the restricted groups group policy object

If you don’t have Group policy management console installed you can download it from http://www.microsoft.com/DownLoads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

So let’s create a new group policy called HelpDesk Privleges and link it to any existing OU containing the computers you want the helpdesk users to be able to manage. In my lab this is the Sales OU. Now edit the created and linked GPO.  Navigate to Computer Settings\Windows Settings\Security Settings\Restricted Groups.

Right click in the viewer and select Add group. Type or browse for your group, in my case CORP\HelpDeskAdmins

Hit OK and you’ll be presented with the CORP\HelpDeskAdmins Properties window. The tab says Configure Membership for CORP\HelpDeskAdmins. You have to boxes to fill in here. Members of this group and This group is a member of. If you set the Members of this group it will WIPE any other user or group from the defined local group. Simply, if the user/group is not set in the Members of this group it will be removed from the local group also. Wiped, gone, bye.

That’s not what we are out to do here, we simply want to add a group to the client computers Administrators group. So we use the This group is a member of box and enter the local Administrators group named, Administrators by selecting ad and typing the name.

That’s it. Save and check the policy is linked to a OU.

To test the scenario I’m logging in to a Windows Vista client with the Help desk employee Helmer Help, and delete an old local user Mats. If the computer hasn’t updated it’s group policies you can speed it up by running gpupdate /force. If you’re logged in as the same user you want to use as an helpdesk user log out and in again to get the correct permissions.

Check the privileges

Now let’s se if our group has been added to the Local Administrators and I’ll delete the old local account to demonstrate Helmer has administrative privileges. So go to Controll Panel\Administative Tools\Computer Management\Local Users and Groups\Groups. Open  Administrators and behold, CORP\HelpDeskAdmins has been added to Administrators.

And as you can se we also have a Local account called Mats so let’s delete it to try out our new godlike powers.

There you have it. Now Help desk workers are able to work on client computers with administrative privileges without messing up anything else. And since this is according to organizational units you can restrict different help desks to different OU:s.

Conclusion

Restricted groups in Group policies are a simple way of delegating permissions or group membership centrally to any domain computer or server. Using restricted groups it is easier to enforce the lowest possible permissions to any given account.

If you have any comments or questions about using restricted groups don’t hesitate to drop me a line by commenting.