Using "This group is a member of" controls to manage local AD groups
If you recall from the first installment in my managing Active Directory Local Group article series, using the first setting (“Members of this group”) option in GPO’s Restricted Groups settings controls the membership of a specified group. Although it’s very useful in setting the exact members of any given group, this means that whatever members are configured in that group, this is exactly what you will see when you look at the group’s members. This type of strict control may not be always useful, because you must always explicitly specify group members.
Managing Local Active Directory Groups Article Series
- Part 1: Manage Local Active Directory Groups using Group Policy Restricted Groups
- Part 2: Using “This group is a member of” controls to manage local AD groups
- Part 3: Manage Local Active Directory Groups using Group Policy Preferences
- Part 4: Using Startup Scripts to Manage Local Active Directory Groups
About “This group is a member of” Group Policy controls
The second setting option called “This group is a member of” controls which groups the specified group will become a member of, and it allows more flexibility because of the way it works. With this option, you can control which other groups the specified group will be added to.
Note: When you use this method, you must adhere to the known group nesting rules.
Important: Because this option adds only groups to other groups, you cannot use it to add individual users to groups. If you want to add one user to one or more groups, then you need to create a group, add the user to the group, and then specify it in the Restricted Groups setting. If that group is empty, it will still be added to the target group. Because of standard group processing, once a user is added to it in the future, the user will receive relevant group membership after logging on.
Important: If you configure this setting and leave the “This group is a member of” list blank, the setting will not remove the specified group from any existing groups. This allows you more flexibility in your configuration.
How to use “This group is a member of” Group Policy controls
1. To configure this option, create a new Restricted Group. If you need instructions on how to do this, then please refer to the first article in this series.
Note: Don’t forget that you need to use a GPO that is linked to the OU, which contains the computer objects that you want to be affected by the GPO.
2. Next, double-click the group name that you created under Restricted Group node, then click on the “Add” button for the “Members of this group” on the lower part of the window. In this example, we’re adding the sample group called “Add to Test Local Group” located in AD to a local group called “Test Local Group”.
3. After the GPO refresh cycle, you will see that the group was added to the local group on the member server.
4. As noted, this method allows you to keep users that are already members of the target group, while also being able to add other groups to it as members. As a result, it’s much more flexible and gives you a group membership management option that’s centrally controlled. The drawback is that you can only add groups to other groups and not individual users.