
Using "This group is a member of" controls to manage local AD groups

If you recall from the first installment in my managing Active Directory Local Group article series, the first option in a GPO’s Restricted Groups settings, “Members of this group”, controls the membership of a specified group. It’s very useful for setting the exact members of any given group, but it also means that the members configured in the policy are exactly the members you will see when you look at the group. This type of strict control may not always be useful, because you must always explicitly specify the group members.


About “This group is a member of” Group Policy controls

The second option, “This group is a member of”, controls which other groups the specified group will be added to, and the way it works allows more flexibility.

Note: When you use this method, you must adhere to the known group nesting rules.

Important: Because this option adds only groups to other groups, you cannot use it to add individual users to groups. If you want to add one user to one or more groups, then you need to create a group, add the user to the group, and then specify it in the Restricted Groups setting. If that group is empty, it will still be added to the target group. Because of standard group processing, once a user is added to it in the future, the user will receive relevant group membership after logging on.

Important: If you configure this setting and leave the “This group is a member of” list blank, the setting will not remove the specified group from any existing groups. This allows you more flexibility in your configuration.

How to use “This group is a member of” Group Policy controls

1. To configure this option, create a new Restricted Group. If you need instructions on how to do this, then please refer to the first article in this series.

Note: Don’t forget that you need to use a GPO that is linked to the OU that contains the computer objects you want the GPO to affect.

Adding a group in the Group Policy Management Editor. (Image Credit: Daniel Petri)

2. Next, double-click the group name that you created under the Restricted Groups node, then click the “Add” button for “Members of this group” in the lower part of the window. In this example, we’re adding the sample group called “Add to Test Local Group”, located in AD, to a local group called “Test Local Group”.

Adding a sample group to a local group. (Image Credit: Daniel Petri)

3. After the GPO refresh cycle, you will see that the group was added to the local group on the member server.

The group was successfully added to the local group on the member server. (Image Credit: Daniel Petri)

4. As noted, this method allows you to keep users that are already members of the target group, while also being able to add other groups to it as members. As a result, it’s much more flexible and gives you a group membership management option that’s centrally controlled. The drawback is that you can only add groups to other groups and not individual users.
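The additive behaviour described above can be reviewed offline from a GPO's security template. This is an added example, not code from the original article: it assumes the Restricted Groups settings are stored as `__Memberof` lines in the `[Group Membership]` section of the GPO's GptTmpl.inf, and the sample file contents, the CORP domain, the SRV01 server and the function names are constructed for illustration.

```python
import re

# Constructed sample: the [Group Membership] section that Restricted Groups
# settings produce in a GPO's GptTmpl.inf. Real files usually hold *SID values;
# plain names are used here for readability.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Group Membership]
CORP\Add to Test Local Group__Memberof = Test Local Group
CORP\Add to Test Local Group__Members =
CORP\Helpdesk__Memberof =
[Version]
signature="$CHICAGO$"
"""

def parse_memberof(inf_text):
    """Return {group: [target groups]} for every '__Memberof' entry."""
    nesting, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"(.+?)__Memberof\s*=\s*(.*)$", line, re.IGNORECASE)
        if in_section and m:
            targets = [t.strip().lstrip("*") for t in m.group(2).split(",") if t.strip()]
            nesting[m.group(1).lstrip("*")] = targets
    return nesting

def apply_memberof(local_groups, nesting):
    """Model the additive behaviour: add each group to its targets, keep the rest."""
    result = {name: set(members) for name, members in local_groups.items()}
    for group, targets in nesting.items():
        for target in targets:       # blank list: nothing to iterate, nothing changes
            if target in result:     # only groups that exist on this machine
                result[target].add(group)
    return result

if __name__ == "__main__":
    before = {"Test Local Group": {"SRV01\\localadmin"}}  # constructed existing member
    after = apply_memberof(before, parse_memberof(SAMPLE_INF))
    for name, members in after.items():
        print(name, "->", sorted(members))
```

The `__Members` lines are deliberately ignored here; they belong to the strict “Members of this group” option covered in the first article.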
