70-410 Objective 5.3 – Using Restricted Groups via GPO on Windows Server 2012 R2
We will review using Restricted Groups via Group Policy Object for Objective 5.3, Creating and Managing Groups, for the 70-410 Exam. Restricted Groups is a security configuration under the computer object of Group Policy. It allows for the policing of groups on remote machines. This can be extremely important so that users do not obtain administrative access by being added to the local Administrators group. There are two modes it works in. The first mode is what I call an absolute mode, or “Members of this group”: whatever is set for membership is absolute, meaning any security principals not explicitly listed for the remote computer’s local group will be removed. This is the primary way to police computers so that administrative access is not granted by mistake or unintentionally by another admin. The second is additive, or “This group is a member of”, meaning the group that is specified will be added to the local group on the remote computer without removing existing members. This method is used when we want to make sure that a user or group is added to a local group on a remote computer.
We start by creating a Group Policy Object and linking it to the Organizational Unit containing the computer to be policed. We then edit the GPO created and drill down to the Restricted Groups settings, which can be found under: Computer Configuration – Policies – Windows Settings – Security Settings – Restricted Groups. We then add a group to Restricted Groups matching the name of the local group on the remote computer. We edit the “Members of this group” section; this evicts anyone who is not explicitly added in the GPO. We then switch over to the remote computer and run gpupdate /force so that the changes are immediate. Then we inspect the local computer group for the changes applied from the GPO. I follow this up with an explanation of what has happened. Next we examine how we can add an Active Directory group to a remote machine’s local group via Restricted Groups. This time we specify the Active Directory group that we want in the “This group is a member of” Restricted Groups setting. This will nest the AD group under the remote machine’s local group; it will not modify Active Directory.
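To check that the “Members of this group” setting actually took effect after gpupdate, the following PowerShell script (an added example, not part of the original post) reads the remote computer’s local group through the WinNT ADSI provider and reports any drift from the membership the policy is supposed to enforce. The computer name, domain name and expected member list are placeholders assumed for this example.

```powershell
# Added example: compare a remote computer's local group membership against the
# membership a Restricted Groups "Members of this group" policy should enforce.
# SERVER01 / CONTOSO and the expected list below are constructed placeholders.
param(
    [string]$ComputerName = 'SERVER01',      # placeholder: the policed computer
    [string]$LocalGroup   = 'Administrators',
    [string[]]$Expected   = @('CONTOSO\Domain Admins', 'SERVER01\Administrator')
)

# The WinNT provider needs no extra modules, so it works on Server 2012 R2.
$group = [ADSI]"WinNT://$ComputerName/$LocalGroup,group"

# Each member's ADsPath looks like WinNT://CONTOSO/Domain Admins;
# normalise it to DOMAIN\Name so it can be compared with $Expected.
$actual = @($group.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
})

# Comparison is case-insensitive, as PowerShell's -notcontains is by default.
$unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })
$missing    = @($Expected | Where-Object { $actual   -notcontains $_ })

if ($unexpected.Count -eq 0 -and $missing.Count -eq 0) {
    "OK: $ComputerName\$LocalGroup matches the Restricted Groups policy."
} else {
    # Extra members mean the absolute mode has not been applied (or was overridden);
    # missing members mean gpupdate has not run yet or the GPO is not linked/applied.
    $unexpected | ForEach-Object { "DRIFT: '$_' is in $LocalGroup but not in the policy (should have been evicted)" }
    $missing    | ForEach-Object { "DRIFT: '$_' is in the policy but not in $LocalGroup (has gpupdate /force run?)" }
}
```

Run it before and after gpupdate /force on the target to see the eviction happen; any name that keeps reappearing as DRIFT points to a second GPO or a local change fighting the policy.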
Introduction – 0:10
Lab overview of the Active Directory domain – 0:23
Inspection of the target computer for GPO – 0:30
Creation of the Group Policy Object for Restricted Groups – 1:20
Editing of the GPO created – 2:03
Adding a Group to Restricted Groups – 2:28
Inspecting the remote servers after Restricted Group is applied – 3:10
Explanation of what has happened – 3:50
Adding a group to a remote computer’s local group – 5:17
Inspecting what has been applied – 6:42
Explanation of how the setting works – 7:08