Restricted Groups GPO. What happens in the Background?

Published:
There are two modes of restricted groups GPOs.

1. Replacing mode




2. Additive mode



How do they work?
Replacing mode: Everything (users, groups, computers) that is member of the local administrators group will be cleared out. After that, the policy is evaluated and applied. This means: The accounts or groups that are specified in the GPO ("Members of this group") will be added to the local administrators group of that particular client. The local administrator always stays in the local administrators group, even if you don't specify him. The same applies to domain admins.

Additive mode: Every account that is member of the local administrators group will stay member of the group. The group defined in the policy ("Group Name") will be added to the local administrator group of this particular client that applies the GPO.

How do they work exactly?
Replacing mode: changes the file
\\<dc>\SYSVOL\gurumeditation.local\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

Open in new window


at the position
*S-1-5-32-522__Members = ...

Open in new window

on the domain controller.

This has the following effect: When the group policy is applied, every account or group that isn't specified will be erased from the local administrators group.
When you have a multilingual setup, the local administrators group can be named differently. "Administratoren" in german, "Administradores" in spanish and so on.
Normally this isn't a problem when you click on "Check names" in the dialog box. However, when you define the policy from your client on which you installed the gpmc, and the client is for example a german one, and then you define the GPO, you'll end up with not using the well known SID. So, every time you define restricted group policies on your localized client and have a english-speaking AD, click on "check names".

When the GPO isn't applied anymore, all accounts or groups that have been a member of the local administrators group will be reverted.

Additive mode: changes the file
\\<dc>\SYSVOL\gurumeditation.local\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

Open in new window


at the position
*S-1-5-32-522__MemberOf = ...

Open in new window

on the domain controller.

As described above, no accounts or groups are being deleted, so therefore nothing changes for pre-existing members of the local administrators group.

When to use what?
Personally, I choose the replacing mode when I want to "clean up" local administrator groups on clients that have not been cleaned out in a long time and user accounts of employees are member that are not even in the comany anymore.

Be aware of the effect of the replacing mode! When you have servers that have manually added service accounts (e.g. for monitoring reasons) you could end up wrecking the monitoring solution until you re-add them. In this case it is very handy that the members of the local administrators group are being restored automatically when the GPO isn't applied anymore.

Cheers!
4
4,812 Views

Comments (3)

Commented:
How do you choose which policy you want to add?
Premkumar YogeswaranSr. Analyst - System Administrator
CERTIFIED EXPERT

Commented:
I haven't seen a concept of "additive restricted group"..

Could you share a link for that?
CERTIFIED EXPERT
Author of the Year 2010
Top Expert 2010

Commented:
Premglitz,

It's a fairly basic concept.  You either replace or update.

When you look at the properties if the restricted group you either specify the members of the group you enter or specify the group is a member of.

The members of the group option specify the members of the group, anything not listed will be removed.

Specifying the group listed is a member of "another group" will add the group to a group that already exists without modifying the contents of the group.

Which bit are you not clear with?

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.

Get access with a 7-day free trial.
You Belong in the World's Smartest IT Community