What are Restricted Groups in ADS?

Posted on 2007-10-15
Last Modified: 2008-05-31

What are Restricted Groups in ADS? Where all can they be used? Some examples.
No links please...
Question by:bsharath
    LVL 70

    Assisted Solution

    Restricted groups are groups the membership of which is restricted to specified users. You can specify that a restricted group contains another group of users, for example. If you do, then it becomes a member of that group and cannot be removed.

    This is explained (much better than I can) at
    LVL 58

    Accepted Solution

    Restricted groups allow you to set one GPO which allows you, to some extent, to maintain the local groups of PCs via GPO. For example, if your users are renowned for removing the Domain Admins group from their machine's local Administrators group (which obviously means a domain admin can't remote in to the machine, loses their permissions as a local admin) then you could set with restricted groups that the Domain Admins group is always a member of the Administrators group. This prevents users from removing it, or if they do manage to remove it the GPO will be reevaluated quickly and the group would be added back in.

    Hope this helps

    LVL 11

    Author Comment

    Tigermatt, is this option only for this purpose, or is there any other purpose we can use the restricted groups for?
    LVL 58

    Expert Comment

    You can use it for any purpose where you need to control the local groups on a domain machine. It could be used in many other scenarios too; another example I can think of is if you have a custom group which needs to be a member of the Power Users group on some servers. Since it's GPO, you can use filtering and link them with OUs to control which machines should get the settings and which ones don't.

    The purpose I specified is just one common example of its use.
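
An added illustration, not part of the original thread: the sketch below models the two Restricted Groups modes on the two cases the answers mention. "Member of" is additive (Domain Admins is put back into Administrators, other members stay), while "Members" is authoritative (Power Users ends up with exactly the listed members). The policy text is constructed in the layout of the `[Group Membership]` section of a GPO's GptTmpl.inf; the CONTOSO names, the local snapshot and the function names are assumptions.

```python
# Added example. POLICY is constructed sample text in the layout of the
# [Group Membership] section of a GPO's GptTmpl.inf; CONTOSO names are made up.
POLICY = r"""
[Group Membership]
CONTOSO\Domain Admins__Memberof = Administrators
CONTOSO\Domain Admins__Members =
Power Users__Memberof =
Power Users__Members = CONTOSO\App Operators
"""

def parse_restricted_groups(text):
    """Return {group: {"members": [...], "memberof": [...]}} from the section."""
    rules, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            group, _, kind = key.strip().rpartition("__")
            names = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            rules.setdefault(group.lstrip("*"), {})[kind.lower()] = names
    return rules

def apply_policy(local_groups, rules):
    """Model one policy refresh on a member machine (simplified)."""
    result = {g: set(m) for g, m in local_groups.items()}
    for group, rule in rules.items():
        # "Members" is authoritative: the local group ends up with exactly this
        # list. Groups that are not local to this machine are left alone here.
        if "members" in rule and group in result:
            result[group] = set(rule["members"])
        # "Memberof" is additive: the group is added to each target and the
        # target's other members are kept.
        for target in rule.get("memberof", []):
            if target in result:
                result[target].add(group)
    return result

# Constructed snapshot: Domain Admins was removed from Administrators locally.
BEFORE = {
    "Administrators": {"Administrator", r"CONTOSO\alice"},
    "Power Users": {r"CONTOSO\bob"},
}

if __name__ == "__main__":
    after = apply_policy(BEFORE, parse_restricted_groups(POLICY))
    for name in sorted(after):
        print(name, "->", sorted(after[name]))
```

In this model the additive rule leaves `CONTOSO\alice` in Administrators, so an unexpected local admin survives the refresh; only the authoritative "Members" list removes accounts that are not named in it.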
    LVL 11

    Author Comment

