Being an IT or system manager in a medium or large organization usually means managing hundreds, thousands or even tens of thousands of client computers, and hundreds or thousands of servers. Some of the management tasks on those machines involve controlling the membership of local groups on workstations and servers, which at that scale is practically impossible to do by hand.
Managing Local Active Directory Groups Article Series
Why bother with local groups when you already have Active Directory (AD) to manage the authentication and authorization of users in your organization? AD centralizes the management of user and computer identities, but permissions and rights on an individual computer are still granted through that computer's local groups, so you still have to manage them. For example, you may need to add a specific account to the local Administrators group of every computer on the network for remote management or for a specific application. Another example is the cheeky user who has local admin rights on a workstation and decides to remove the Domain Admins group from the local Administrators group on that computer, which obviously makes your management task much harder. All this and more means that someone needs to manage these local groups.
How do you control the membership of local groups on so many computers from a central location?
Luckily we have several options, such as built-in features of Group Policy Objects (GPOs) or startup scripts. We'll first talk about a feature of Group Policy called Restricted Groups. Using this mechanism, a GPO lets you control the membership of local groups on any computer that is joined to the Active Directory domain (and, when the GPO applies to domain controllers, of domain groups as well).
Alternative options will be discussed in future articles, so make sure you come back to read them.
Important: Restricted Groups is a computer configuration setting. It applies to the computer accounts in the scope of the GPO, not to user accounts, so you need to link the GPO to the organizational units (OUs) that contain the computer accounts you want to manage. If you edit the Default Domain Policy, it will affect every computer in the domain. If you edit the Default Domain Controllers Policy, it will affect every domain controller in the domain. Use with caution.
It's worth mentioning that Restricted Groups is not configured in any of the pre-defined GPOs, and a newly created GPO has no Restricted Groups settings either. If you want to use this feature, you must configure it yourself, which is a good thing, as you'll see in my next super important note.
Warning: Before touching any existing Restricted Groups setting or before adding new Restricted Groups settings, you must fully read and understand the possible consequences of using this feature. If you fail to do so, you may find yourself in deep trouble.
How do we use Restricted Groups? Each group you add to the policy has two lists, and they behave differently. "Members of this group" is authoritative: the accounts you list are added, and any account or group that is not on the list is removed from the group at the next Group Policy refresh. "This group is a member of" is additive: it only makes sure the group is a member of the groups you list, without touching anything else. So you can use Restricted Groups to add users to groups, to strip every member that is not on an allowed list, and, with the additive list, to keep the Domain Admins group in the local Administrators group on every computer without emptying that local group.
With Restricted Groups, you can also control the membership of critical domain groups, such as Domain Admins, Enterprise Admins and Schema Admins, so that accounts that should not be there are removed. Restricted Groups also lets you manage the membership of local groups on file servers by adding global groups from the Active Directory domain, which keeps group membership consistent and persistent.
One nice feature of Restricted Groups is that you can configure groups that do not yet exist at the time you write the policy, and control their members. For example, you configure a group called "Future Local Group" by typing in the name and add a user called "Future User." Because neither the group nor the user exists at this point, the setting has no effect. Once a group by that name is created on one of the computers in the scope of the GPO, the next Group Policy refresh configures it to contain only "Future User". If that user exists, it is added; if not, the group stays empty until such a user is created. Other members can still be added locally, but they are removed again at the next refresh (run gpupdate /force on the computer to apply the policy immediately). If a listed member cannot be resolved when the policy is applied, look in the Application event log for errors from the SceCli source.
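The Restricted Groups editor stores its settings in the GPO's GptTmpl.inf under SYSVOL, in a [Group Membership] section with one __Members and one __Memberof line per group. The following PowerShell script, which is an added example and not code from the article, parses that section, labels each entry as authoritative (Members) or additive (Memberof), and predicts who would be added and who removed from a group at the next refresh. The INF text, the SIDs and the account names in it are constructed for the example; the SYSVOL path in the comment is the standard location.

```powershell
# Added example, not code from the article. Parses the [Group Membership] section the
# Restricted Groups editor writes to a GPO's GptTmpl.inf and predicts what applying an
# entry does to a local group. The INF text, SIDs and names below are constructed.
# Real file: \\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512
*S-1-5-21-1111-2222-3333-512__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-512__Members =
Test Local Group__Memberof =
Test Local Group__Members = testuser1
'@

function Get-RestrictedGroupSetting {
    # Returns one object per __Members / __Memberof line found in [Group Membership].
    param([Parameter(Mandatory)][string]$InfText)
    $inSection = $false
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $line -eq '') { continue }
        if ($line -match '^(?<group>.+?)__(?<mode>Members|Memberof)\s*=\s*(?<value>.*)$') {
            $group   = $Matches['group'].TrimStart('*')      # a leading * marks a SID rather than a name
            $mode    = $Matches['mode']
            $targets = @()
            if ($Matches['value'].Trim() -ne '') {
                $targets = @($Matches['value'] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
            }
            if ($mode -eq 'Memberof' -and $targets.Count -eq 0) { continue }   # empty Memberof is a no-op
            $effect = switch ($mode) {
                'Members'  {
                    if ($targets.Count -gt 0) { 'Authoritative: listed accounts enforced, everyone else removed' }
                    else { 'Empty Members list (also written when only Member Of was filled in): verify in a test OU first' }
                }
                'Memberof' { 'Additive: this group is added to each listed group' }
            }
            [pscustomobject]@{ Group = $group; Mode = $mode; Targets = $targets; Effect = $effect }
        }
    }
}

function Get-RestrictedGroupImpact {
    # For an authoritative (Members) entry: who is added and who is removed at the next refresh.
    param(
        [Parameter(Mandatory)][object]$Setting,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$CurrentMembers
    )
    if ($Setting.Mode -ne 'Members') { throw "Only Members entries replace membership; $($Setting.Group) is Memberof." }
    # The built-in Administrator (RID 500) cannot be removed from Administrators, so it is never reported.
    $current = @($CurrentMembers | Where-Object { $_ -notmatch '-500$' })
    [pscustomobject]@{
        Group   = $Setting.Group
        Added   = @($Setting.Targets | Where-Object { $_ -notin $current })
        Removed = @($current | Where-Object { $_ -notin $Setting.Targets })
    }
}

$settings = Get-RestrictedGroupSetting -InfText $sampleInf
$settings | Format-Table Group, Mode, Effect -AutoSize

# Administrators on a workstation today (constructed): Domain Admins, the built-in Administrator
# and a local helpdesk account. Only Domain Admins is on the Members list, so the helpdesk
# account is the one flagged for removal.
$current = @('S-1-5-21-1111-2222-3333-512', 'S-1-5-21-4444-5555-6666-500', 'S-1-5-21-4444-5555-6666-1001')
$admins  = $settings | Where-Object { $_.Group -eq 'S-1-5-32-544' -and $_.Mode -eq 'Members' }
Get-RestrictedGroupImpact -Setting $admins -CurrentMembers $current
```

Run it against a real GptTmpl.inf with `Get-Content -Raw` and the SID list from `Get-LocalGroupMember Administrators` on a representative machine before linking the GPO: the Removed column is exactly the list of accounts that will lose access, which is the check the warning above is asking for. Note that the Domain Admins entry in the sample carries an empty Members line because only "This group is a member of" was filled in; the parser flags that case rather than guessing what the engine does with it.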
To create a Restricted Group, you need to create or edit a GPO that is linked to the OU that contains the computer objects you want to be affected by the GPO.
1. In the GPO, browse and expand “Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings”. Click on “Restricted Groups.” Right-click on “Restricted Groups” and select “Add Group”.
Adding a group to the Group Policy Management Editor. (Image Credit: Daniel Petri)
Creating Test Local Group. (Image Credit: Daniel Petri)
Adding a member to the Test Local Group. (Image Credit: Daniel Petri)
Our first user has been added to Test Local Group. (Image Credit: Daniel Petri)
Updating the group with a GPO refresh in the command prompt. (Image Credit: Daniel Petri)
Test Local Group properties. (Image Credit: Daniel Petri)
testuser1 is a member of the Test Local Group. (Image Credit: Daniel Petri)
Adding a second member to our group. (Image Credit: Daniel Petri)
Our second member in the group has been successfully added. (Image Credit: Daniel Petri)
List of members in the group. (Image Credit: Daniel Petri)
Adding testuser3 to the group. (Image Credit: Daniel Petri)
testuser3 is the only member of this group. (Image Credit: Daniel Petri)
testuser3 is successfully a member of the group. (Image Credit: Daniel Petri)
We have a clean slate for our group. (Image Credit: Daniel Petri)
There are no members in our group. (Image Credit: Daniel Petri)
Re-adding testuser1 to the group. (Image Credit: Daniel Petri)
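The screenshots above check one group on one computer. Across an OU you want the same check automated, so that a workstation where someone removed Domain Admins (or added themselves) shows up as drift. The following PowerShell script is an added example, not code from the article: it collects local Administrators membership from many computers with PowerShell Remoting and compares each computer against the list the Restricted Groups policy is supposed to enforce. It assumes PowerShell 5.1 or later on the targets (for Get-LocalGroupMember), remoting enabled, and the ActiveDirectory module for the commented-out OU query; the computer names, domain, accounts and OU path are made up.

```powershell
# Added example, not code from the article. Audits the local Administrators group on domain
# computers against the membership a Restricted Groups policy is meant to enforce.
# Assumptions: PowerShell 5.1+ on targets (Get-LocalGroupMember) and PowerShell Remoting for
# the collection step. Computer names, domain, accounts and OU path below are made up.

function Get-LocalAdminMembers {
    # Fan out over the computers once; Invoke-Command tags each row with PSComputerName.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            ForEach-Object { [pscustomobject]@{ Name = $_.Name; SID = "$($_.SID)" } }
    }
}

function Get-LocalAdminReport {
    # Pure comparison over already-collected rows, so it can be tried offline on sample data.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$Expected,     # names as Get-LocalGroupMember shows them
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Members
    )
    foreach ($computer in $ComputerName) {
        $rows = @($Members | Where-Object PSComputerName -eq $computer)
        if ($rows.Count -eq 0) {
            # No rows means the computer did not answer; never report that as compliant.
            [pscustomobject]@{ ComputerName = $computer; Status = 'Unreachable'; Missing = @(); Unexpected = @() }
            continue
        }
        # The built-in local Administrator (RID 500) has a different name on every computer; ignore it.
        $actual     = @($rows | Where-Object { $_.SID -notmatch '-500$' } | ForEach-Object Name)
        $missing    = @($Expected | Where-Object { $_ -notin $actual })
        $unexpected = @($actual | Where-Object { $_ -notin $Expected })
        $status     = if ($missing.Count -eq 0 -and $unexpected.Count -eq 0) { 'Compliant' } else { 'Drift' }
        [pscustomobject]@{ ComputerName = $computer; Status = $status; Missing = $missing; Unexpected = $unexpected }
    }
}

# Constructed stand-in for what Get-LocalAdminMembers returns: WS01 is as the policy wants it,
# WS02 lost Domain Admins and gained a user account, WS03 did not answer at all.
$sample = @(
    [pscustomobject]@{ PSComputerName = 'WS01'; Name = 'CONTOSO\Domain Admins';      SID = 'S-1-5-21-1111-2222-3333-512'  }
    [pscustomobject]@{ PSComputerName = 'WS01'; Name = 'CONTOSO\Workstation Admins'; SID = 'S-1-5-21-1111-2222-3333-1201' }
    [pscustomobject]@{ PSComputerName = 'WS01'; Name = 'WS01\Administrator';         SID = 'S-1-5-21-4444-5555-6666-500'  }
    [pscustomobject]@{ PSComputerName = 'WS02'; Name = 'WS02\Administrator';         SID = 'S-1-5-21-7777-8888-9999-500'  }
    [pscustomobject]@{ PSComputerName = 'WS02'; Name = 'CONTOSO\jdoe';               SID = 'S-1-5-21-1111-2222-3333-1105' }
)
$expected = @('CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins')
Get-LocalAdminReport -ComputerName 'WS01', 'WS02', 'WS03' -Expected $expected -Members $sample |
    Format-Table -AutoSize

# Against the real computers in the OU the GPO is linked to (ActiveDirectory module required):
# $names = (Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase 'OU=Workstations,DC=contoso,DC=com').Name
# Get-LocalAdminReport -ComputerName $names -Expected $expected -Members (Get-LocalAdminMembers -ComputerName $names)
```

Run the report before the GPO is linked to see what it is about to change, and again after a refresh to confirm every reachable computer reports Compliant. Unreachable computers are listed separately on purpose: a machine that is off the network has not had the policy applied, so it must not be counted as in-policy. If Get-LocalGroupMember fails on a computer whose Administrators group contains an orphaned SID, fall back to the older ADSI WinNT provider for that host.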