Wednesday, March 30, 2011

Restrict the members of local administrator group by Group Policy

In Windows Server 2008 or above environment, there are 2 method to control the members of users group by Group Policy Restricted Group and Group Policy Preference.

Both settings in a Group Policy could remove unauthorized members from a security group.

Using Group Policy restricted groups
1. At Domain Controller log in as Domain Administrator.
2. Click "Start", enter "gpmc.msc".
3. Expand "Forest > Domains > <Domain Name>", right-click "Default Domain Policy", select "Edit".

Remark: At production environment, you should use another group policy to assign restricted groups setting.

4. Expand "Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups".
5. Right-click "Restricted Groups", select "Add Group".
6. Under "Group", type "Administrators".

Figure 1: Local administrator group

7. Click "OK".
8. Next to "Member of this group", click "Add".
9. Enter the name who you want to add.

Figure 2: The members of the local administrator group

Remark: The local administrator doesn't affect by Restricted Group.

10. Click "OK".
11. Close "Group Policy Management Editor".

Updating the policy, the local administrator group of all computers are applied restricted group setting.

Figure 3: The local administrator group of the computer

Remark: If you add "Administrators" group in "Restricted Group", you get the Event ID 1202 of Application event log and then the group members cannot be applied to the local administrators group.


This posting is provided “AS IS” with no warranties, and confers no rights!

No comments:

Post a Comment