Restricted groups allow an administrator to define the following two properties for security-sensitive (restricted) groups:
The "Members" list defines who should and should not belong to the restricted group. The "Member Of" list specifies which other groups the restricted group should belong to.
Using the "Members" Restricted Group Portion of Policy
When a Restricted Group policy is enforced, any current member of a restricted group that is not on the "Members" list is removed, with the exception of the Administrator account in the Administrators group. Any user on the "Members" list who is not currently a member of the restricted group is added.
Using the "Member Of" Restricted Group Portion of Policy
Only inclusion is enforced in this portion of a Restricted Group policy. The Restricted Group is not removed from other groups. It makes sure that the restricted group is a member of groups that are listed in the Member Of dialog box.
Managing membership of Domain Groups by using Restricted Groups
Microsoft does not support using Restricted Groups in this scenario. Restricted Groups is a client configuration mechanism and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups. Domain objects have to be managed with the traditional AD tools. Therefore, we do not currently plan to add or support using Restricted Groups as a way to manage Domain Groups.
http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
https://support.microsoft.com/en-us/kb/279301
Active Directory Group Policy Restricted Groups
The management of local groups on workstations and servers in an organization can be done centrally by Group Policies. One of the ways to do that is to use Group Policy Restricted Groups.
Below is a table that summarizes the membership that could be updated using Group Policy Restricted Groups:
| | Local Group | Domain Group |
| --- | --- | --- |
| Using 「Members」 | Local Users, Domain Users, Domain Groups | Not applicable |
| Using 「Member Of」 | Not Applicable (*) | |

(*) Local Groups Nesting is not supported ( http://technet.microsoft.com/en-us/library/ee681621(v=ws.10).aspx )
Creation of a new Restricted Groups Group Policy:
To create a new Restricted Groups Group Policy, proceed as follows:
- Create a new Group Policy, go to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups, right-click Restricted Groups and select Add Group…
- Specify the name of the group whose membership should be updated and then click OK
- If you would like to add members to the group, click Add… under Members of this group
- If you would like to add the group as a member of a local group, click Add… under This group is a member of
IMPORTANT: You should refer to the table that summarizes the membership that could be updated using Group Policy Restricted Groups before applying the new group policy.
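The steps above end up in the GPO's security template (GptTmpl.inf) under SYSVOL, in a `[Group Membership]` section. The following PowerShell script is an added example (it is not code from the TechNet wiki or the KB article) that parses that section and reports, per restricted group, the 「Members」 and 「Member Of」 lists clients will enforce, which is a convenient way to review a policy before linking it. The key format `<group>__Members = …` / `<group>__Memberof = …` with `*SID` or account-name entries, and the SYSVOL path shown at the end, are assumptions; the INF text embedded in the script is constructed sample data and `<PLACEHOLDER>` stands in for a real domain SID.

```powershell
# Added example (not from the TechNet wiki or the KB article): parse the
# [Group Membership] section of a Restricted Groups GPO template and report
# what it configures. Assumed key format: "<group>__Members = a,b" and
# "<group>__Memberof = c"; entries are "*SID" or account names.
# The INF below is constructed sample data ("<PLACEHOLDER>" = a domain SID).

$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-<PLACEHOLDER>-512,CONTOSO\Workstation Admins
CONTOSO\Helpdesk__Memberof = *S-1-5-32-555
CONTOSO\Helpdesk__Members =
'@

function Resolve-TemplatePrincipal {
    # "*S-1-..." entries are SIDs; well-known ones (BUILTIN\...) resolve offline.
    # Anything that cannot be translated (e.g. the placeholder SID) is returned as-is.
    param([Parameter(Mandatory)][string]$Entry)
    if ($Entry -notmatch '^\*(S-1-[0-9-]+)$') { return $Entry }
    $sidText = $Matches[1]
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sidText
    }
}

function Get-RestrictedGroupsFromInf {
    param([Parameter(Mandatory)][string[]]$Lines)
    $inSection = $false
    $groups = [ordered]@{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or -not $line) { continue }
        if ($line -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') {
            # Capture the match results before calling anything that uses -match again.
            $rawGroup = $Matches['group']
            $kind     = $Matches['kind']
            $value    = $Matches['value']
            $name = Resolve-TemplatePrincipal -Entry $rawGroup
            if (-not $groups.Contains($name)) {
                $groups[$name] = [pscustomobject]@{ Group = $name; Members = @(); MemberOf = @() }
            }
            $entries = @()
            if ($value) {
                $entries = @($value.Split(',') | ForEach-Object { Resolve-TemplatePrincipal -Entry $_.Trim() })
            }
            if ($kind -ieq 'Members') { $groups[$name].Members = $entries }
            else                      { $groups[$name].MemberOf = $entries }
        }
    }
    return $groups.Values
}

# Report on the constructed sample.
Get-RestrictedGroupsFromInf -Lines ($sampleInf -split "`r?`n") | Format-List

# Against a real GPO (assumed SYSVOL layout; replace the domain and the GPO GUID):
# $inf = "\\contoso.com\SYSVOL\contoso.com\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
# Get-RestrictedGroupsFromInf -Lines (Get-Content -Path $inf) | Format-List
```

The second group in the sample (a domain group with only a 「Member Of」 entry) is the shape produced by Tip 2 further down: it makes the domain group a member of a local group without the policy taking ownership of that local group's 「Members」 list.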
Expected behavior when using a Restricted Groups Group Policy:
When using a Restricted Groups Group Policy, the following behavior is expected:
| Type of update | Behavior |
| --- | --- |
| Update of 「Members」 | Any current member of the group that is not on the 「Members」 list will be removed (the local Administrator user cannot be removed from the Administrators group even if it is not in the 「Members」 list). All users / domain groups that are in the 「Members」 list and are not members of the group will be added as members. |
| Update of 「Member of」 | The membership is added if it does not exist |
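To make the two rules in the table concrete, the following PowerShell function is an added example (not code from the TechNet wiki or the KB article) that takes a host's current membership and a policy's 「Members」 / 「Member Of」 lists and reports what the next policy refresh would remove and add. The membership lists are constructed sample data; matching the exempt built-in Administrator by name is a simplification of the real check; the `Get-LocalGroupMember` call at the end is a real cmdlet (LocalAccounts module, Windows 10 / Server 2016 and later) shown for live use.

```powershell
# Added example, not from the KB article or the TechNet wiki: predict the
# changes a Restricted Groups policy will make, following the rules above:
#   Members   -> authoritative list: extras removed, missing ones added,
#                built-in Administrator never removed from Administrators.
#   Member Of -> inclusion only: the group is never removed from other groups.
# Sample membership data below is constructed for this example.

function Get-RestrictedGroupChanges {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # the restricted group, e.g. 'Administrators'
        [string[]]$CurrentMembers = @(),            # who is in the group on the host now
        [string[]]$PolicyMembers = $null,           # policy "Members" list; $null = not configured
        [string[]]$CurrentMemberOf = @(),           # groups the restricted group belongs to now
        [string[]]$PolicyMemberOf = @()             # policy "Member Of" list
    )
    $remove = [System.Collections.Generic.List[string]]::new()
    $add    = [System.Collections.Generic.List[string]]::new()
    $addTo  = [System.Collections.Generic.List[string]]::new()

    if ($null -ne $PolicyMembers) {
        foreach ($m in $CurrentMembers) {
            # -contains compares strings case-insensitively, like the OS does for account names.
            $onList = $PolicyMembers -contains $m
            # Simplification: the real exemption is the built-in Administrator account (RID 500).
            $exempt = ($GroupName -eq 'Administrators') -and ($m -like '*\Administrator' -or $m -eq 'Administrator')
            if (-not $onList -and -not $exempt) { $remove.Add($m) }
        }
        foreach ($p in $PolicyMembers) {
            if ($CurrentMembers -notcontains $p) { $add.Add($p) }
        }
    }
    foreach ($g in $PolicyMemberOf) {
        if ($CurrentMemberOf -notcontains $g) { $addTo.Add($g) }
    }
    [pscustomobject]@{
        Group  = $GroupName
        Remove = $remove.ToArray()
        Add    = $add.ToArray()
        AddTo  = $addTo.ToArray()
    }
}

# Constructed sample: local Administrators on WS01 holds the built-in account,
# a leftover local admin and a domain group; the policy lists a different set.
$current = @('WS01\Administrator', 'WS01\tempadmin', 'CONTOSO\Workstation Admins')
$policy  = @('CONTOSO\Workstation Admins', 'CONTOSO\Helpdesk')
Get-RestrictedGroupChanges -GroupName 'Administrators' -CurrentMembers $current -PolicyMembers $policy

# A domain group configured only with "Member Of": it is added to the local
# group, and nothing else about either group is touched.
Get-RestrictedGroupChanges -GroupName 'CONTOSO\Helpdesk' -PolicyMemberOf @('Administrators')

# Live use on a Windows 10 / Server 2016+ host (LocalAccounts module):
# $live = (Get-LocalGroupMember -Group 'Administrators').Name
# Get-RestrictedGroupChanges -GroupName 'Administrators' -CurrentMembers $live -PolicyMembers $policy
```

In the first call the leftover local account is reported for removal while the built-in Administrator stays even though it is not on the list, and the domain group missing from the host is reported for addition; a `$PolicyMembers` value of `@()` (configured but empty) is treated differently from `$null` (not configured), because an empty 「Members」 list still removes every non-exempt member.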
Microsoft support for Group Policy Restricted Groups:
Description of Group Policy Restricted Groups:
http://support.microsoft.com/kb/279301
Tips:
Tip 1: For operational tasks, a user sometimes needs to be added as a member of a local group to perform an action and then removed later. If a Restricted Groups Group Policy is used for the local group's members, the user can be added as a member of the group and is automatically removed when the group policy is re-applied.
Tip 2: To add new domain members to a local group using Group Policy Restricted Groups without removing the current members, proceed as follows:
- Create a domain group and add the domain users / groups as members of it
- Use the 「Member of」 feature to add the new domain group as a member of the needed local group
http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx