Restricted Groups GPO. What happens in the Background?

There are two modes of restricted groups GPOs.

1. Replacing mode

2. Additive mode

How do they work?
Replacing mode: Everything (users, groups, computers) that is a member of the local administrators group is cleared out first. After that, the policy is evaluated and applied, which means that the accounts or groups specified in the GPO ("Members of this group") are added to the local administrators group of that particular client. The local administrator account always stays in the local administrators group, even if you don't specify it. The same applies to the domain admins.

Additive mode: Every account that is a member of the local administrators group stays a member of the group. The group defined in the policy ("Group Name") is added to the local administrators group of each client that applies the GPO.

How do they work exactly?
Replacing mode: changes the file
\\<dc>\SYSVOL\gurumeditation.local\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
at the position
*S-1-5-32-544__Members = ...
on the domain controller.

This has the following effect: when the group policy is applied, every account or group that isn't specified is removed from the local administrators group.
In a multilingual setup, the local administrators group can be named differently: "Administratoren" in German, "Administradores" in Spanish, and so on.
Normally this isn't a problem as long as you click "Check names" in the dialog box. However, when you define the policy from a client on which you installed the GPMC, and that client is, for example, a German one, the GPO ends up storing the localized group name instead of the well-known SID. So, every time you define Restricted Groups policies on a localized client against an English-language AD, click "Check names".

When the GPO isn't applied anymore, all accounts or groups that were members of the local administrators group before are restored.

Additive mode: changes the file
\\<dc>\SYSVOL\gurumeditation.local\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
at the position
*S-1-5-32-544__MemberOf = ...
on the domain controller.

As described above, no accounts or groups are deleted, so nothing changes for pre-existing members of the local administrators group.
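As an added example (not part of the original article), the following Python reads the [Group Membership] section of a GptTmpl.inf and reports, for the Administrators SID S-1-5-32-544, which entry replaces the group's membership, which groups are added to it, and which principals were stored as a plain (possibly localized) name instead of a SID, i.e. the "Check names" problem described above. The sample section and its domain SIDs are constructed; the key layout `*<SID>__Members` / `*<SID>__Memberof` is assumed from the positions quoted in the article.

```python
from dataclasses import dataclass

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample [Group Membership] section (made-up domain SIDs); the last
# key is a literal localized name, as stored when "Check names" was skipped.
SAMPLE_INF = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-111-222-333-512,*S-1-5-21-111-222-333-1105
*S-1-5-21-111-222-333-1106__Memberof = *S-1-5-32-544
*S-1-5-21-111-222-333-1106__Members =
Administratoren__Members = *S-1-5-21-111-222-333-1107
"""

@dataclass
class Entry:
    group: str       # principal named by the key, without the leading '*'
    mode: str        # "replacing" (__Members) or "additive" (__Memberof)
    targets: list    # SIDs/names on the right-hand side
    by_sid: bool     # False when the key holds a plain name instead of *SID

def parse_group_membership(text):
    """Return the restricted-group entries found in a GptTmpl.inf body."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        principal, _, kind = key.strip().partition("__")
        targets = [t.strip().lstrip("*") for t in value.split(",") if t.strip()]
        mode = {"members": "replacing", "memberof": "additive"}.get(kind.lower())
        # Empty __Memberof is a placeholder; empty __Members still means "no members".
        if mode and (targets or mode == "replacing"):
            entries.append(Entry(principal.lstrip("*"), mode, targets, principal.startswith("*")))
    return entries

def audit(entries, group_sid=ADMINISTRATORS_SID):
    """Summarize what the policy does to one local group (Administrators by default)."""
    replacing = [e for e in entries if e.mode == "replacing" and e.group == group_sid]
    return {
        "replaces_members": bool(replacing),
        "final_members": replacing[0].targets if replacing else None,
        "added_groups": [e.group for e in entries if e.mode == "additive" and group_sid in e.targets],
        "unresolved_names": [e.group for e in entries if not e.by_sid],
    }
```

Run `audit(parse_group_membership(SAMPLE_INF))` on the constructed sample: it reports that Administrators is replaced with two SIDs, that group 1106 is added to it, and that "Administratoren" was never resolved to a SID.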

When to use what?
Personally, I choose the replacing mode when I want to "clean up" local administrators groups on clients that have not been cleaned out in a long time and where user accounts of employees who are not even in the company anymore are still members.

Be aware of the effect of the replacing mode! When you have servers with manually added service accounts (e.g. for monitoring), you could end up wrecking the monitoring solution until you re-add them. In this case it is very handy that the members of the local administrators group are restored automatically when the GPO isn't applied anymore.


Expert Comment

How do you choose which policy you want to add?

Expert Comment

by:Premkumar Yogeswaran
I haven't seen a concept of "additive restricted group".

Could you share a link for that?

Expert Comment

by:Glen Knight

It's a fairly basic concept.  You either replace or update.

When you look at the properties of the restricted group, you either specify the members of the group you enter or specify the group it is a member of.

The "members of the group" option specifies the members of the group; anything not listed will be removed.

Specifying the group listed is a member of "another group" will add the group to a group that already exists without modifying the contents of the group.

Which bit are you not clear with?
