Restricted Groups GPO. What happens in the Background?

There are two modes of restricted groups GPOs.

1. Replacing mode

2. Additive mode

How do they work?
Replacing mode: Everything (users, groups, computers) that is a member of the local administrators group will be cleared out. After that, the policy is evaluated and applied. This means: the accounts or groups that are specified in the GPO ("Members of this group") will be added to the local administrators group of that particular client. The local administrator account always stays in the local administrators group, even if you don't specify it. The same applies to domain admins.

Additive mode: Every account that is a member of the local administrators group will stay a member of the group. The group defined in the policy ("Group Name") will be added to the local administrators group of this particular client that applies the GPO.

How do they work exactly?
Replacing mode: changes the file
\\<dc>\SYSVOL\gurumeditation.local\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
at the position
*S-1-5-32-522__Members = ...
on the domain controller.

This has the following effect: When the group policy is applied, every account or group that isn't specified will be erased from the local administrators group.
When you have a multilingual setup, the local administrators group can be named differently: "Administratoren" in German, "Administradores" in Spanish and so on.
Normally this isn't a problem when you click on "Check names" in the dialog box. However, when you define the policy from the client on which you installed the GPMC, and that client is for example a German one, the GPO ends up referencing the localized group name instead of the well-known SID. So, every time you define restricted group policies on your localized client and have an English-speaking AD, click on "Check names".

When the GPO isn't applied anymore, all accounts or groups that were members of the local administrators group before the policy was applied will be restored.

Additive mode: changes the file
\\<dc>\SYSVOL\gurumeditation.local\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
at the position
*S-1-5-32-522__MemberOf = ...
on the domain controller.

As described above, no accounts or groups are deleted, so nothing changes for pre-existing members of the local administrators group.
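As an added example (not code from the article), a small Python script that reads the [Group Membership] section of a GptTmpl.inf, reports which restricted groups are in replacing mode (a __Members line) versus additive mode (a __Memberof line), and flags bare localized names such as "Administratoren" that the "Check names" step would have turned into a SID. The sample file content is constructed; it uses the well-known SID S-1-5-32-544 for the local Administrators group, and the domain SID and group names are made up.

```python
import re

# Constructed sample GptTmpl.inf (not from a real GPO). *S-1-5-32-544 is the well-known
# SID of the local Administrators group; the domain SID and group names are made up.
SAMPLE_GPTTMPL = """\
[Version]
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,GURU\\Workstation-Admins
GURU\\Helpdesk__Memberof = Administratoren
"""
SID_RE = re.compile(r"^\*S-1-\d+(?:-\d+)+$")  # SIDs in GptTmpl.inf carry a leading '*'

def parse_group_membership(text):
    """{group: {'Members': [...], 'Memberof': [...]}} from [Group Membership]; empty value -> []."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        principals = [p.strip() for p in value.split(",") if p.strip()]
        entries.setdefault(group, {})[kind.capitalize()] = principals
    return entries

def classify(entries):
    """Per group: 'replacing' (Members key present), 'additive' (Memberof lists targets), 'both' or 'none'."""
    modes = {}
    for group, keys in entries.items():
        replacing, additive = "Members" in keys, bool(keys.get("Memberof"))
        modes[group] = ("both" if replacing and additive else "replacing" if replacing
                        else "additive" if additive else "none")
    return modes

def locale_dependent_names(entries):
    """Principals that are neither a SID nor DOMAIN\\name: a bare local name such as
    'Administratoren' resolves only on clients of that locale ('Check names' avoids this)."""
    names = set()
    for group, keys in entries.items():
        for name in [group] + [p for lst in keys.values() for p in lst]:
            if not SID_RE.match(name) and "\\" not in name:
                names.add(name)
    return sorted(names)
```

Run it against a copy of GptTmpl.inf taken from SYSVOL to see, before a GPO goes live, which groups it will wipe and re-populate and which names will fail to resolve on English clients.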

When to use what?
Personally, I choose the replacing mode when I want to "clean up" local administrators groups on clients that have not been cleaned out in a long time and still contain user accounts of employees who are no longer with the company.

Be aware of the effect of the replacing mode! When you have servers with manually added service accounts (e.g. for monitoring purposes), you could end up breaking the monitoring solution until you re-add them. In this case it is very handy that the members of the local administrators group are restored automatically when the GPO isn't applied anymore.


Expert Comment

How do you choose which policy you want to add?

Expert Comment

by:Premkumar Yogeswaran
I haven't seen a concept of "additive restricted group".

Could you share a link for that?

Expert Comment

by:Glen Knight

It's a fairly basic concept. You either replace or update.

When you look at the properties of the restricted group you either specify the members of the group you enter or specify the group it is a member of.

The members of the group option specify the members of the group, anything not listed will be removed.

Specifying the group listed is a member of "another group" will add the group to a group that already exists without modifying the contents of the group.

Which bit are you not clear with?
