Can someone explain the purpose of the restricted groups policy?

Posted on 2005-04-11
Last Modified: 2008-01-09

I have read a few resources from Microsoft and some other websites about the restricted groups policy, but I still do not understand what the purpose of this policy is.

When is the usage of this policy recommended, and how does it work?

The one who can explain the restricted groups policy to me in a way that I completely understand it will get 500 Points

Question by:readyyy
    LVL 76

    Accepted Solution

    Hi readyyy,

    The purpose of a Restricted Groups policy is to ensure that only certain accounts can be a member of a specified group.  Say for example that you have groups for each division in your company and you want to enforce a policy where only marketing staff can be a member of the marketing group.  You create a restricted group policy and add the names of the staff in marketing to that policy, then activate the policy.  If you now try to add someone from sales to the marketing group, the policy will kick them out, thereby enforcing the rule that only those staff designated as marketing staff in the restricted group policy can belong to the marketing group.  You're probably thinking, "what's the point, I just won't add a sales person to the marketing group".  That will probably work fine so long as you are the only person who can add staff to a group.  But, if that's been delegated out, or if you are one administrator among many, then setting this restriction can help ensure that staff only belong to those groups that they should belong to.

    LVL 74

    Expert Comment

    by:Jeffrey Kane - TechSoEasy
    It's actually quite simple... for example, you want to create a Client Accessible Extranet with SharePoint.  ("Client" in this case referring to customers who are NOT entitled to have full access to your domain, but will need user login credentials to access the SharePoint site).

    Take a look at this document, which explains how to set up a Restricted Group for precisely this purpose... I think it is a great example of why you'd want to create a Restricted Group Policy:

    The details are on Page 19, Step 6.

    Jeff @
    LVL 16

    Expert Comment

    To expound on the above.  The restricted groups are just that.  You restrict membership to a certain group.  I don't see it used so much as to make sure a sales person, say, doesn't get put in the marketing group, but rather to make sure that you don't have a compromise to your system security.


    You or another administrator step away from your computer for a few minutes, or you get hacked from inside or outside.  The culprit makes himself an administrator or creates another account and makes it an administrator.

    Without restrictions, this person would have unauthorized access and could cause real damage, with the real possibility that no one would know.

    By making your Enterprise, Domain and Schema Admins groups restricted groups, you specify who can be part of those groups.  Sooooooo, if you step away, etc., and someone jumps in and adds themselves to the Domain Admins group or creates a new account, their time is limited to only as long as it takes for AD to update group policy.  Once updated, it will see that the new or modified account is not supposed to be in the particular group and will drop it back out.
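As an added illustration of the behaviour the answers above describe (the marketing-group case and the Domain Admins case), here is a small Python simulation of what a Restricted Groups refresh decides; it is not code from this thread, and the domain, group and account names are constructed. It also shows the "Member Of" side of the policy, which only adds the restricted group to other groups and never removes anyone from them.

```python
import configparser

# Constructed sample policy in the GptTmpl.inf "[Group Membership]" form that
# Restricted Groups use; domain, group and account names are hypothetical.
POLICY_INF = """
[Group Membership]
CONTOSO\\Marketing__Members = CONTOSO\\alice,CONTOSO\\bob
CONTOSO\\Marketing__Memberof =
CONTOSO\\Domain Admins__Members = CONTOSO\\Administrator,CONTOSO\\dadmin
CONTOSO\\Domain Admins__Memberof =
CONTOSO\\Helpdesk__Members = CONTOSO\\carol
CONTOSO\\Helpdesk__Memberof = BUILTIN\\Remote Desktop Users
"""

# Constructed membership as a refresh would find it: a sales user slipped into
# Marketing, an unapproved account sits in Domain Admins, one approved admin is
# missing, and Helpdesk is not yet in Remote Desktop Users.
CURRENT = {
    "CONTOSO\\Marketing": {"CONTOSO\\alice", "CONTOSO\\bob", "CONTOSO\\sam_sales"},
    "CONTOSO\\Domain Admins": {"CONTOSO\\Administrator", "CONTOSO\\rogue"},
    "CONTOSO\\Helpdesk": {"CONTOSO\\carol"},
    "BUILTIN\\Remote Desktop Users": {"CONTOSO\\dave"},
}


def parse_policy(inf_text):
    """Return {group: {"Members": set, "Memberof": set}} from the INF text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep case and backslashes in group names
    cp.read_string(inf_text)
    policy = {}
    for key, value in cp["Group Membership"].items():
        group, kind = key.rsplit("__", 1)
        policy.setdefault(group, {})[kind] = {n.strip() for n in value.split(",") if n.strip()}
    return policy


def reconcile(policy, current):
    """List (action, group, account) changes a policy refresh would apply."""
    actions = []
    for group, rules in policy.items():
        now = current.get(group, set())
        if "Members" in rules:  # authoritative: add listed, remove everyone else
            actions += [("remove", group, a) for a in sorted(now - rules["Members"])]
            actions += [("add", group, a) for a in sorted(rules["Members"] - now)]
        for parent in sorted(rules.get("Memberof", ())):  # additive only
            if group not in current.get(parent, set()):
                actions.append(("add", parent, group))
    return actions
```

Note that CONTOSO\dave stays in Remote Desktop Users: that group is not itself restricted, so the "Member Of" rule only adds Helpdesk alongside him.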

