
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 441

Can someone explain the purpose of the restricted groups policy?


I have read a few resources from Microsoft and some other websites about the restricted groups policy, but I still do not understand what the purpose of this policy is.

When is the usage of this policy recommended, and how does it work?

The one who can explain the restricted groups policy to me in a way that I completely understand it will get 500 points.

1 Solution
David Lee commented:
Hi readyyy,

The purpose of a Restricted Groups policy is to ensure that only certain accounts can be a member of a specified group. Say for example that you have groups for each division in your company and you want to enforce a policy where only marketing staff can be a member of the marketing group. You create a restricted group policy and add the names of the staff in marketing to that policy, then activate the policy. If you now try to add someone from sales to the marketing group, the policy will kick them out, thereby enforcing the rule that only those staff designated as marketing staff in the restricted group policy can belong to the marketing group. You're probably thinking, "what's the point, I just won't add a sales person to the marketing group". That will probably work fine so long as you are the only person who can add staff to a group. But, if that's been delegated out, or if you are one administrator among many, then setting this restriction can help ensure that staff only belong to those groups that they should belong to.

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
It's actually quite simple... for example, you want to create a Client Accessible Extranet with SharePoint. ("Client" in this case referring to customers who are NOT entitled to have full access to your domain, but will need user login credentials to access the SharePoint site).

Take a look at this document, which explains how to set up a Restricted Group for precisely this purpose... I think it is a great example of why you'd want to create a Restricted Group Policy: http://www.microsoft.com/downloads/details.aspx?familyid=b51dcb25-0c63-4561-b981-9a3c860b9f15&displaylang=en

The details are on Page 19, Step 6.

Jeff @
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer, IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator, commented:
To expound on the above. The restricted groups are just that. You restrict membership to a certain group. I don't see it used so much to make sure a sales person, say, doesn't get put in the marketing group, but rather to make sure that you don't have a compromise of your system security.


You or another administrator step away from your computer for a few minutes or you get hacked from inside or outside. The culprit makes himself an administrator or creates another account and makes it an administrator.

Without restrictions, this person would have unauthorized access and could cause real damage with the real possibility that no one would know.

With making your Enterprise, Domain and Schema admins part of the restricted groups, you specify who can be part of those groups. Sooooooo, if you step away, etc., and someone jumps in and adds themselves to the Domain Admins group or creates a new account, their time is limited to only as long as it takes for AD to update group policy. Once updated, it will see that the new or modified account is not supposed to be in the particular group and will drop it back out.
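The enforcement step that both David's and Steve's answers describe (anyone not on the list is dropped at the next Group Policy refresh) is easy to see in code. The following Python simulation is an added example, not code from this thread or from Microsoft. It parses the `[Group Membership]` section of a GptTmpl.inf file, which is where a GPO actually stores Restricted Groups settings, and then reconciles a constructed "current membership" against it. The INF fragment, the CONTOSO names and the SIDs are all constructed placeholders. Two behaviours are worth noticing: a `__Members` list is authoritative, so anyone not listed is removed and an empty list means "no members at all", while a `__Memberof` list is additive only, which is the safer option when you just want to guarantee that a group is nested somewhere without rewriting its membership.

```python
"""Simulate how a Restricted Groups policy reconciles group membership.

Added example (not from the thread). The INF text, group names, account
names and SIDs below are constructed placeholders.
"""

# Constructed GptTmpl.inf fragment. The real file is UTF-16LE on disk;
# here it is already decoded. A leading '*' marks a SID rather than a name.
# Note that CONTOSO\HelpDesk deliberately has no __Members line at all:
# only "Member Of" is configured, so its own membership is left alone.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,CONTOSO\\ServerOps
CONTOSO\\Marketing__Members = CONTOSO\\alice,CONTOSO\\bob
CONTOSO\\Marketing__Memberof =
CONTOSO\\HelpDesk__Memberof = CONTOSO\\Remote Desktop Users
"""

# Constructed membership as a machine would see it at refresh time:
# mallory has added herself to the local Administrators group (S-1-5-32-544),
# carol (from sales) was put into Marketing, and bob was taken out of it.
CURRENT_STATE = {
    "S-1-5-32-544": {"S-1-5-21-1111-2222-3333-512", "CONTOSO\\ServerOps", "CONTOSO\\mallory"},
    "CONTOSO\\Marketing": {"CONTOSO\\alice", "CONTOSO\\carol"},
    "CONTOSO\\Remote Desktop Users": set(),
}


def parse_group_membership(inf_text):
    """Return {group: {"members": list|None, "memberof": list}}.

    members=None means the key was not configured (no enforcement);
    members=[] means configured as empty (every member gets removed).
    """
    policy = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Group Membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        group = group.lstrip("*")
        entry = policy.setdefault(group, {"members": None, "memberof": []})
        names = [n.strip().lstrip("*") for n in value.split(",") if n.strip()]
        if kind.lower() == "members":
            entry["members"] = names
        elif kind.lower() == "memberof":
            entry["memberof"] = names
    return policy


def apply_restricted_groups(policy, current):
    """Reconcile current membership against the policy.

    Returns (new_state, actions). Actions are human-readable strings in the
    order they would be carried out, which is what you would expect to find
    in the security settings log after a refresh.
    """
    state = {g: set(m) for g, m in current.items()}
    actions = []
    for group, rule in policy.items():
        if rule["members"] is not None:
            # Authoritative: remove everyone not listed, add anyone missing.
            allowed = set(rule["members"])
            now = state.setdefault(group, set())
            for extra in sorted(now - allowed):
                actions.append(f"remove {extra} from {group}")
            for missing in sorted(allowed - now):
                actions.append(f"add {missing} to {group}")
            state[group] = set(allowed)
        for target in rule["memberof"]:
            # Additive only: make sure the group is nested in each target.
            members = state.setdefault(target, set())
            if group not in members:
                members.add(group)
                actions.append(f"add {group} to {target}")
    return state, actions


def run_demo():
    """Apply the constructed policy to the constructed state."""
    policy = parse_group_membership(SAMPLE_GPTTMPL)
    return apply_restricted_groups(policy, CURRENT_STATE)


if __name__ == "__main__":
    _, acts = run_demo()
    for act in acts:
        print(act)
```

Running it lists the removal of `CONTOSO\mallory` from Administrators and of `CONTOSO\carol` from Marketing, the re-adding of `CONTOSO\bob`, and the nesting of HelpDesk into Remote Desktop Users, without touching HelpDesk's own membership. The same reconciliation is what the Security Settings client-side extension performs at every Group Policy refresh, and it reapplies security settings periodically even when the GPO itself has not changed, which is why an account that was added outside the policy disappears again on its own.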

