
Using "This group is a member of" controls to manage local AD groups

If you recall from the first installment in my managing Active Directory Local Group article series, the first setting (“Members of this group”) in GPO’s Restricted Groups controls the membership of a specified group. It is very useful for setting the exact members of any given group, but it is strict: whatever members are configured in the setting are exactly what you will see when you look at the group’s members, and anything else is removed. This type of strict control is not always what you want, because you must always explicitly specify every group member.

About “This group is a member of” Group Policy controls

The second setting, called “This group is a member of”, controls which other groups the specified group will be added to. It allows more flexibility because it only adds the specified group to the groups you list; it does not replace the membership of those target groups.

Note: When you use this method, you must adhere to the known group nesting rules.


Important: Because this option only adds groups to other groups, you cannot use it to add individual users to groups. If you want to add one user to one or more groups, you need to create a group, add the user to it, and then specify that group in the Restricted Groups setting. If that group is empty, it will still be added to the target group. Because group membership is evaluated at logon, once a user is added to that group in the future, the user will receive the resulting group membership at the next logon.

Important: If you configure this setting and leave the “This group is a member of” list blank, the setting will not remove the specified group from any existing groups. This allows you more flexibility in your configuration.

How to use “This group is a member of” Group Policy controls

1. To configure this option, create a new Restricted Group. If you need instructions on how to do this, then please refer to the first article in this series.

Note: Don’t forget that you need to use a GPO that is linked to the OU containing the computer objects that you want to be affected by the GPO.

Adding a group in the Group Policy Management Editor. (Image Credit: Daniel Petri)

2. Next, double-click the group name that you created under the Restricted Groups node, then click the “Add” button for the “This group is a member of” list on the lower part of the window. In this example, we’re adding the sample AD group called “Add to Test Local Group” to a local group called “Test Local Group”.

Adding a sample group to a local group. (Image Credit: Daniel Petri)

3. After the GPO refresh cycle, you will see that the group was added to the local group on the member server.

The group was successfully added to the local group on the member server. (Image Credit: Daniel Petri)

4. As noted, this method allows you to keep users that are already members of the target group, while also being able to add other groups to it as members. As a result, it’s much more flexible and gives you a group membership management option that’s centrally controlled. The drawback is that you can only add groups to other groups and not individual users.
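As an added example (not from the article, and not a Microsoft tool), the following PowerShell script checks steps 2 and 3 from the member server: it reads the GPO’s security template (GptTmpl.inf) from SYSVOL, separates the strict “Members of this group” keys from the additive “This group is a member of” keys, and then verifies that the AD group was added to the local group while the local group’s existing members were kept. The domain name, GPO GUID and SYSVOL path are placeholders you must replace.

```powershell
# Added example, not from the original article. Assumes the GPO's security template lives at the
# standard SYSVOL path below; the domain name and GPO GUID are placeholders you must replace.
# Run on the member server (uses the built-in Microsoft.PowerShell.LocalAccounts module).
$Domain   = 'corp.example'                            # placeholder
$GpoGuid  = '{00000000-0000-0000-0000-000000000000}'  # placeholder: GUID of the Restricted Groups GPO
$Template = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

function Get-RestrictedGroupPolicy {
    param([Parameter(Mandatory)][string]$Path)
    # Only the [Group Membership] section matters. Each key is either
    #   <group>__Members  = a,b   (strict: the group's membership becomes exactly a,b)
    #   <group>__Memberof = x,y   (additive: the group is added to x and y; their other members stay)
    # A leading '*' marks a SID instead of a name; an empty __Memberof list removes nothing.
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(?<group>.+?)__(?<mode>Members|Memberof)\s*=\s*(?<list>.*)$') {
            [pscustomobject]@{
                Group   = $Matches['group'].TrimStart('*')
                Mode    = $Matches['mode']
                Targets = @($Matches['list'] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            }
        }
    }
}

function Test-MemberOfApplied {
    param([Parameter(Mandatory)][string]$SourceGroup, [Parameter(Mandatory)][string]$LocalGroup)
    # Step 3 check: after the refresh, is the AD group really a member of the local group,
    # and which pre-existing members were kept (the flexibility described in step 4)?
    $members = if ($LocalGroup -match '^S-1-') { Get-LocalGroupMember -SID $LocalGroup -ErrorAction Stop }
               else { Get-LocalGroupMember -Name $LocalGroup -ErrorAction Stop }
    $hit = $members | Where-Object {
        if ($SourceGroup -match '^S-1-') { $_.SID.Value -eq $SourceGroup }
        else { $_.Name -eq $SourceGroup -or $_.Name -like "*\$SourceGroup" }
    }
    [pscustomobject]@{
        LocalGroup   = $LocalGroup
        Expected     = $SourceGroup
        Applied      = [bool]$hit
        OtherMembers = @($members | Where-Object { $_.Name -notin @($hit.Name) } | ForEach-Object Name)
    }
}

gpupdate /target:computer /force | Out-Null   # trigger the refresh instead of waiting for the cycle
Get-RestrictedGroupPolicy -Path $Template | Where-Object Mode -eq 'Memberof' | ForEach-Object {
    $policy = $_
    foreach ($target in $policy.Targets) { Test-MemberOfApplied -SourceGroup $policy.Group -LocalGroup $target }
}
```

A row with Applied set to False after the refresh means the GPO is not reaching this computer (check the OU link noted in step 1) or the group nesting rules were violated.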
