
Restricted Groups GPO. What happens in the Background?

There are two modes of restricted groups GPOs.

1. Replacing mode
2. Additive mode
How do they work?
Replacing mode: Everything (users, groups, computers) that is a member of the local administrators group is cleared out. After that, the policy is evaluated and applied. This means: the accounts or groups that are specified in the GPO ("Members of this group") are added to the local administrators group of that particular client. The local administrator always stays in the local administrators group, even if you don't specify it. The same applies to domain admins.

Additive mode: Every account that is a member of the local administrators group stays a member of the group. The group defined in the policy ("Group Name") is added to the local administrators group of the particular client that applies the GPO.

How do they work exactly?
Replacing mode: changes the file
\\<dc>\SYSVOL\gurumeditation.local\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
at the position
*S-1-5-32-522__Members = ...
on the domain controller.

This has the following effect: when the group policy is applied, every account or group that isn't specified is removed from the local administrators group.
When you have a multilingual setup, the local administrators group can be named differently: "Administratoren" in German, "Administradores" in Spanish and so on.
Normally this isn't a problem when you click on "Check names" in the dialog box. However, when you define the policy from a client on which you installed the GPMC, and that client is for example a German one, you'll end up not using the well-known SID. So, every time you define restricted group policies on your localized client and have an English-speaking AD, click on "Check names".

When the GPO isn't applied anymore, all accounts or groups that were members of the local administrators group before are restored.

Additive mode: changes the file
\\<dc>\SYSVOL\gurumeditation.local\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
at the position
*S-1-5-32-522__MemberOf = ...
on the domain controller.

As described above, no accounts or groups are deleted, so nothing changes for pre-existing members of the local administrators group.
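To make the difference between the two modes concrete, here is an added example (not code from the article or from Microsoft) that parses the [Group Membership] section of a GptTmpl.inf fragment and simulates what the client does with it: a `__Members` entry replaces the group's membership (keeping the built-in Administrator and Domain Admins, as described above), a `__Memberof` entry only adds the configured group. It also lists entries that were stored as a name instead of a SID, which is what you get from a localized client when "Check names" was skipped. All SIDs and the .inf text are constructed; the example uses the well-known SID S-1-5-32-544 for BUILTIN\Administrators, and the protected accounts are identified by RID 500 and RID 512.

```python
"""Parse the [Group Membership] section of a Restricted Groups GptTmpl.inf and
simulate its effect on a client's local groups.

Added example, not the article's own code. Assumptions: all SIDs and the .inf
text below are constructed; BUILTIN\\Administrators is the well-known SID
S-1-5-32-544; the accounts that survive replacing mode are the built-in
Administrator (RID 500) and Domain Admins (RID 512), as the article states.
"""
import re
from configparser import ConfigParser

ADMINISTRATORS_SID = "S-1-5-32-544"                          # well-known BUILTIN\Administrators
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"     # constructed domain SID
MACHINE_SID = "S-1-5-21-4444444444-5555555555-6666666666"    # constructed client SID
DOMAIN_ADMINS_SID = DOMAIN_SID + "-512"
LOCAL_ADMIN_SID = MACHINE_SID + "-500"
PROTECTED_RIDS = ("-500", "-512")                            # never removed in replacing mode

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed fragment: replacing mode for Administrators (RID 1104 becomes the
# only configured member) plus an additive entry that puts a domain group
# (RID 1105) into Administrators.
SAMPLE_GPTTMPL = f"""\
[Unicode]
Unicode=yes
[Group Membership]
*{ADMINISTRATORS_SID}__Members = *{DOMAIN_SID}-1104
*{DOMAIN_SID}-1105__Memberof = *{ADMINISTRATORS_SID}
"""

# Constructed fragment written from a German client without "Check names":
# the group is stored by its localized name instead of its well-known SID.
SAMPLE_GPTTMPL_LOCALIZED = f"""\
[Group Membership]
Administratoren__Members = *{DOMAIN_SID}-1104
"""

# Constructed state of the client's Administrators group before the GPO applies.
SAMPLE_LOCAL_GROUPS = {
    ADMINISTRATORS_SID: {
        LOCAL_ADMIN_SID,        # built-in Administrator
        DOMAIN_ADMINS_SID,      # Domain Admins
        DOMAIN_SID + "-1150",   # former employee, added by hand years ago
        DOMAIN_SID + "-1201",   # monitoring service account, added manually
    }
}


def normalize(principal):
    """'*S-1-5-...' -> 'S-1-5-...'; a literal name is returned unchanged."""
    return principal[1:] if principal.startswith("*") else principal


def is_sid(principal):
    return bool(SID_RE.match(principal))


def parse_group_membership(inf_text):
    """Return [(group, 'members'|'memberof', [principals])] from [Group Membership]."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str            # keep key case so Members and Memberof stay distinct
    cp.read_string(inf_text)
    entries = []
    for key, value in cp["Group Membership"].items():
        group, kind = key.rsplit("__", 1)
        principals = [normalize(p.strip()) for p in value.split(",") if p.strip()]
        entries.append((normalize(group), kind.lower(), principals))
    return entries


def unresolved_names(entries):
    """Groups or members stored as names rather than SIDs: the localized-client pitfall."""
    return [p for group, _, principals in entries
            for p in [group] + principals if not is_sid(p)]


def apply_entries(entries, local_groups):
    """Simulate the client applying the entries; the input dict is left untouched
    (which is what makes the revert on GPO removal possible)."""
    result = {group: set(members) for group, members in local_groups.items()}
    for group, kind, principals in entries:
        if kind == "members":
            # Replacing mode: membership becomes exactly the listed principals,
            # except that the protected accounts are never removed.
            survivors = {m for m in result.get(group, set()) if m.endswith(PROTECTED_RIDS)}
            result[group] = survivors | set(principals)
        elif kind == "memberof":
            # Additive mode: the configured group is added to each listed group;
            # existing members stay where they are.
            for target in principals:
                result.setdefault(target, set()).add(group)
    return result


if __name__ == "__main__":
    entries = parse_group_membership(SAMPLE_GPTTMPL)
    after = apply_entries(entries, SAMPLE_LOCAL_GROUPS)
    print("Administrators after GPO:", sorted(after[ADMINISTRATORS_SID]))
    print("Entries needing 'Check names':",
          unresolved_names(parse_group_membership(SAMPLE_GPTTMPL_LOCALIZED)))
```

Running it shows the ex-employee and the manually added monitoring account dropped from Administrators by the `__Members` entry while the built-in Administrator and Domain Admins survive, the RID 1105 group added by the `__Memberof` entry, and "Administratoren" reported as a name that will not resolve on an English client. Pointing `parse_group_membership` at the real file under SYSVOL is a quick way to audit which Restricted Groups GPOs in a domain use replacing mode and which were written without "Check names".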

When to use what?
Personally, I choose the replacing mode when I want to "clean up" local administrators groups on clients that have not been cleaned out in a long time and where user accounts of employees who are no longer with the company are still members.

Be aware of the effect of the replacing mode! When you have servers with manually added service accounts (e.g. for monitoring) in the local administrators group, you could end up breaking the monitoring solution until you re-add them. In this case it is very handy that the members of the local administrators group are restored automatically when the GPO isn't applied anymore.

Cheers!
Author: fr0nk