Restricted Groups for Windows Server

You can use a relatively little-known Group Policy setting in Windows Server known as Restricted Groups (it lives under Computer Configuration, Windows Settings, Security Settings). It has been around since Windows 2000 Server and is also included in Windows Server 2008, although I don't see any changes in WS2008.

According to Microsoft:
Restricted groups allow an administrator to define the following two properties for security-sensitive (restricted) groups:

  • Members
  • Member Of

The “Members” list defines who should and should not belong to the restricted group. The “Member Of” list specifies which other groups the restricted group should belong to.

Using the “Members” Restricted Group Portion of Policy
When a Restricted Group policy is enforced, any current member of a restricted group that is not on the “Members” list is removed with the exception of administrator in the Administrators group. Any user on the “Members” list which is not currently a member of the restricted group is added.

Using the “Member Of” Restricted Group Portion of Policy
Only inclusion is enforced in this portion of a Restricted Group policy. The Restricted Group is not removed from other groups. It makes sure that the restricted group is a member of groups that are listed in the Member Of dialog box.

After playing around with this in a test lab, I figured out what the two options allow you to do, which Microsoft seems to have a hard time explaining in its documentation and website. Essentially, the Members option gives you a way to keep unwanted members out of a group you specify (a local group on the computers the GPO applies to, or a domain group if the GPO is applied to the domain controllers): at every policy refresh, any member not on the list is removed, including anyone added by hand, so the list must name every account that belongs there (Domain Admins in a local Administrators group, for example) or you will lock administrators out. Its other function, Member Of, is additive only and lets you make a non-admin domain account or group a local administrator of client computers or servers without wiping the existing membership of the local Administrators group.
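To make the two behaviours concrete, here is an added PowerShell example (not from the original post, and not Microsoft's own tooling). It parses the [Group Membership] section that a Restricted Groups policy writes into the GPO's GptTmpl.inf in SYSVOL and simulates what applying it would do to a machine's local groups. The .inf text and the "current" memberships are constructed sample data; CONTOSO, WKS01 and the account and group names are invented.

```powershell
# Added example, not from the original post. Simulates what a Restricted Groups
# policy does when applied, using the [Group Membership] format that Group Policy
# stores in SYSVOL under
#   Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# The .inf text and the "current" memberships below are constructed sample data;
# CONTOSO, WKS01 and the account names are invented.

$GptTmplInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CONTOSO\Workstation Admins
CONTOSO\Helpdesk__Memberof = *S-1-5-32-555
CONTOSO\Helpdesk__Members =
'@

# Well-known SIDs used here: S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users.
$BuiltinAdministrators = '*S-1-5-32-544'

# Parse the [Group Membership] section into group -> @{ Members; MemberOf }.
# A "__Members =" line with nothing after "=" still counts as a defined (empty) list,
# which is the setting that empties a local group on the next refresh.
function ConvertFrom-GroupMembershipSection {
    param([Parameter(Mandatory)][string]$Text)
    $rules = @{}
    $inSection = $false
    foreach ($line in ($Text -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $t -eq '') { continue }
        if ($t -match '^(?<grp>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<val>.*)$') {
            $grp  = $Matches['grp']
            $vals = @($Matches['val'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if (-not $rules.ContainsKey($grp)) { $rules[$grp] = @{ Members = $null; MemberOf = @() } }
            if ($Matches['kind'] -eq 'Members') { $rules[$grp].Members = $vals } else { $rules[$grp].MemberOf = $vals }
        }
    }
    return $rules
}

# Apply the rules to a snapshot of local group membership (group -> members) and
# return the resulting membership plus the changes the policy would make.
function Invoke-RestrictedGroupsSimulation {
    param([Parameter(Mandatory)][hashtable]$Rules, [Parameter(Mandatory)][hashtable]$Current)
    $groups = @{}
    foreach ($g in $Current.Keys) { $groups[$g] = [System.Collections.Generic.List[string]]::new([string[]]$Current[$g]) }
    $actions = [System.Collections.Generic.List[string]]::new()

    foreach ($grp in $Rules.Keys) {
        $rule = $Rules[$grp]

        # "Members" is authoritative: anything not listed is removed, anything listed is added.
        # A member server can only do this for its own local groups; for a domain group the
        # Members part is skipped here (only a DC could change that group's membership).
        if ($null -ne $rule.Members -and $groups.ContainsKey($grp)) {
            foreach ($m in @($groups[$grp])) {
                if ($rule.Members -contains $m) { continue }
                if ($grp -eq $BuiltinAdministrators -and $m -match '-500$') {
                    $actions.Add("KEEP   $m in $grp (built-in Administrator is never removed)")
                    continue
                }
                [void]$groups[$grp].Remove($m)
                $actions.Add("REMOVE $m from $grp")
            }
            foreach ($m in $rule.Members) {
                if ($groups[$grp] -notcontains $m) { $groups[$grp].Add($m); $actions.Add("ADD    $m to $grp") }
            }
        }

        # "Member Of" is additive only: make sure $grp sits in each listed group, touch nothing else.
        foreach ($target in $rule.MemberOf) {
            if (-not $groups.ContainsKey($target)) { $groups[$target] = [System.Collections.Generic.List[string]]::new() }
            if ($groups[$target] -notcontains $grp) { $groups[$target].Add($grp); $actions.Add("ADD    $grp to $target (Member Of)") }
        }
    }
    [pscustomobject]@{ Groups = $groups; Actions = $actions }
}

# Constructed snapshot of a workstation's local groups before the policy applies.
# CONTOSO\Domain Admins is present (added at domain join) but is NOT in the policy's
# Members list above, so the simulation removes it: the classic Restricted Groups
# lockout mistake, and the reason the Member Of form is used when you only want to
# add a group without touching the existing membership.
$current = @{
    '*S-1-5-32-544' = @('*S-1-5-21-1000-2000-3000-500', 'CONTOSO\Domain Admins', 'WKS01\svc_backup')
    '*S-1-5-32-555' = @('WKS01\kiosk')
}

$sim = Invoke-RestrictedGroupsSimulation -Rules (ConvertFrom-GroupMembershipSection $GptTmplInf) -Current $current
$sim.Actions
foreach ($g in $sim.Groups.Keys) { '{0}: {1}' -f $g, ($sim.Groups[$g] -join ', ') }
```

Running it lists the built-in Administrator as kept, Domain Admins and svc_backup as removed from Administrators, Workstation Admins as added, and Helpdesk added to Remote Desktop Users with the existing kiosk account left alone. Pointing the parser at a real GptTmpl.inf from SYSVOL is a quick way to review what a Restricted Groups policy will do before linking it.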

One site that explains this well, with screenshots, is:
Florian’s Blog at