Restricted Groups Quirkiness

 

I was recently asked whether it is possible to add users to groups using the Restricted Groups feature of Group Policy using the Member Of feature.  Now, unlike Darren Mar-Elia (http://www.gpoguy.com/), I am no Group Policy guru, so I was forced to visit my test lab to obtain the answer.  What I found surprised me.  It is in fact possible to do this – and not in the way you might expect.

 

What nearly everyone knows about Restricted Groups

 

The main way in which people use Restricted Groups is to enforce membership of a given group.  It’s an all or nothing setting that will throw out existing members of the group and replace them with whatever you have in the restricted group (with the exception of built-in accounts).  Here’s an example.


The main limitation with this method is that, when used for setting membership of local groups on member servers and workstations, it does not allow you to easily make exceptions.  For example, you might want to set the membership of the Administrators local group on all member servers, but on the Exchange servers alone you also need to include the Nasty3rdPartyApp group.  To do this you would either have to:

 

  1. Put the Exchange servers in a new OU and link a GPO with a Restricted Group setting that includes the Nasty3rdPartyApp group.
  2. Keep the Exchange servers in the same OU and use security filtering to force the Exchange servers to receive a different Restricted Group setting from a new GPO.
  3. Stop using Restricted Groups and set the group membership for different server types using a startup script.

 

What not so many people know about Restricted Groups

 

If you want a group to contain a specific group as a member, but are not concerned about controlling the overall membership of the group then you can use the Member Of feature of Restricted Groups.  This is useful, for example, if you have a Global security group called ServerAdmins and you want it to be a member of the local Administrators group on all member servers.


What very few people know about Restricted Groups

 

When using the Member Of feature, everything about it suggests that you can only use it to add groups as members of other groups (the giveaway here is the Add Group dialog!). 


But what if you want to force the inclusion of a user account as a member of a group using Restricted Groups?  Not possible?  Well, actually it is.  Here's how to do it.

 

In the Add Group dialog, type the name of the user account and click OK.  Add the name of the group to which you want to add the user as a member in the box labelled This group is a member of.  The screenshots below show two examples, one with a domain user account (COLOURS\bobj) being made a member of the Domain Admins group, and the second with a local user account (athurm) being made a member of the Administrators local group.


So what’s the catch?

 

The problem is that you can only use this method to make local user accounts members of local groups or domain accounts members of domain groups.  You can’t (well, I couldn’t) use this method to add a domain account to a local group. I’m not sure whether this undocumented capability with regard to user accounts was envisaged by Microsoft or not, but it might help you if you like using Restricted Groups to manage group memberships.
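To see the difference between the two Restricted Groups modes on disk, here is an added example (my own illustration, not part of the original post) that parses the [Group Membership] section of a GPO's GptTmpl.inf and predicts the resulting local Administrators membership: the Members list is enforced and replaces everything, while the Member Of entries (including the user-account trick above, with the hypothetical local user athurm) are purely additive. The sample INF, the COLOURS domain and the "before" membership are constructed; the processing rules in simulate() are simplifying assumptions, not documented behaviour.

```python
"""Parse a GptTmpl.inf [Group Membership] section and predict what it does.
Added illustration, not code from the original post.  Line forms:
    <principal>__Members  = a,b   (enforced: replaces the group's membership)
    <principal>__Memberof = g,h   (additive: adds <principal> to each group)
SIDs carry a leading '*'; real files are UTF-16LE, a plain str is used here."""
from collections import defaultdict

# Constructed sample: COLOURS, ServerAdmins and athurm are hypothetical names.
SAMPLE_INF = r"""[Group Membership]
*S-1-5-32-544__Members = COLOURS\ServerAdmins,*S-1-5-21-1111-2222-3333-500
*S-1-5-32-544__Memberof =
athurm__Memberof = *S-1-5-32-544
athurm__Members =
"""
# Constructed local Administrators group (S-1-5-32-544) before the GPO applies.
BEFORE = {"*S-1-5-32-544": {"Administrator", "COLOURS\\Domain Admins", "OldHelpdesk"}}

def parse_group_membership(text):
    """Return {principal: {"Members": [...], "Memberof": [...]}}."""
    rules = defaultdict(lambda: {"Members": [], "Memberof": []})
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or INF comment
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        principal, _, kind = key.rpartition("__")
        if kind in ("Members", "Memberof"):
            rules[principal][kind] = [v.strip() for v in value.split(",") if v.strip()]
    return dict(rules)

def simulate(rules, current):
    """Assumptions: a non-empty Members list replaces the group outright, an empty
    one is ignored, Memberof only adds; built-in account exceptions not modelled."""
    result = {g: set(m) for g, m in current.items()}
    for group, rule in rules.items():
        if rule["Members"]:                       # all-or-nothing enforcement
            result[group] = set(rule["Members"])
    for principal, rule in rules.items():
        for group in rule["Memberof"]:            # additive: nothing else removed
            result.setdefault(group, set()).add(principal)
    return result

if __name__ == "__main__":
    print(simulate(parse_group_membership(SAMPLE_INF), BEFORE))
```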

 

Tony

http://www.activedir.org/

Sign up for the Active Directory Discussions mailing list (http://www.activedir.org/List.aspx)!

Published Thursday, August 17, 2006 8:36 PM by tonymurray