
Assigning group membership to built-in groups with Group Policy

Assigning a group to the local Administrators, Power Users, or Remote Desktop Users group of computer accounts is made easy with Group Policy. Rick Vanover shows how to set this via a GPO.

When it comes to assigning a group to the local Administrators, Power Users, or Remote Desktop Users group of computer accounts, Group Policy is the way to do it. But be careful how you do this throughout the Active Directory forest. You can quickly end up with overlapping or conflicting entries and, without meaning to, grant more permissions than you intended.

The good news is that if you get your head around the Restricted Groups object in Group Policy, this can be done quite easily. First of all, make sure you apply the Restricted Groups permissions for each of the Organizational Units that contain computer accounts, and don't rely on inheritance to carry these configurations very far.

The Restricted Groups setting is located in Group Policy Computer Configuration at Policies | Windows Settings | Security Settings | Restricted Groups. This area of Group Policy and a sample configuration are shown in Figure A below.

[Figure A: the Restricted Groups node in Group Policy, with a sample configuration]

In this example, the RWVDEV\GRPO-UserAccounts group is automatically made a member of the Power Users group on the computer accounts in the Organizational Unit to which this GPO is linked, and in the OUs below it.

The best practice here is to have the Administrators group contain Domain Admins, and possibly an application-level administrator group for the computer accounts in this Organizational Unit (for that application only). The same goes for Power Users and Remote Desktop Users: if someone isn't a member of a group that is an administrator in this space, they might be a "Power User", and remote desktop access would then accompany that role.

This configuration, by default, will apply to other computer account Organizational Units below the current one, so be mindful of inheritance of this GPO in Active Directory.
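To make the inheritance point concrete, here is an added Python example that is not from the article or from Microsoft. It parses the [Group Membership] section of a GPO's GptTmpl.inf (the file in SYSVOL where Restricted Groups settings are stored) and models what happens when a child-OU GPO also defines "Members" for a built-in group the parent-OU GPO already configures. The GPO names, the RWVDEV\AppAdmins and RWVDEV\GRPO-DesktopSupport groups and the INF text are constructed; the well-known SIDs are the built-in ones; the precedence model (the last-applied GPO's "Members" list replaces the group's whole membership, while "Memberof" only adds) is the standard Restricted Groups behaviour as I understand it.

```python
import re
from collections import defaultdict

BUILTIN = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users",
           "S-1-5-32-555": "Remote Desktop Users"}  # well-known SIDs of the built-in groups

def _name(token):  # a leading '*' marks a SID in GptTmpl.inf
    return BUILTIN.get(token.strip().lstrip("*"), token.strip().lstrip("*"))

def parse_group_membership(inf_text):
    """[Group Membership] section -> {principal: {"Members": list|None, "Memberof": list|None}}.
    None means the key is absent; [] means present but empty (which empties the group)."""
    result = defaultdict(lambda: {"Members": None, "Memberof": None})
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            m = re.fullmatch(r"(.+?)__(Members|Memberof)", key.strip())
            if m:
                result[_name(m.group(1))][m.group(2)] = [
                    _name(v) for v in value.split(",") if v.strip()]
    return dict(result)

def effective_membership(gpos):
    """gpos = [(name, inf_text)] in apply order (last wins). 'Members' replaces the
    whole membership; 'Memberof' only adds. Untouched local members are not modelled."""
    authoritative, additive, warnings = {}, defaultdict(set), []
    for gpo, text in gpos:
        for principal, cfg in parse_group_membership(text).items():
            if cfg["Members"] is not None:
                if principal in authoritative:  # earlier GPO's list is silently replaced
                    warnings.append(f"{gpo} replaces Members of {principal} set by "
                                    f"{authoritative[principal][0]}")
                authoritative[principal] = (gpo, cfg["Members"])
            for group in cfg["Memberof"] or []:
                additive[group].add(principal)
    return ({g: set(authoritative.get(g, (None, []))[1]) | additive[g]
             for g in set(authoritative) | set(additive)}, warnings)

# Constructed sample: a parent-OU GPO like Figure A, then a child-OU GPO below it.
PARENT_GPO = """[Group Membership]
*S-1-5-32-547__Members = RWVDEV\\GRPO-UserAccounts
*S-1-5-32-544__Members = RWVDEV\\Domain Admins,RWVDEV\\AppAdmins"""
CHILD_GPO = """[Group Membership]
*S-1-5-32-544__Members = RWVDEV\\Domain Admins
RWVDEV\\GRPO-DesktopSupport__Memberof = *S-1-5-32-555"""
```

Running `effective_membership([("Parent-OU", PARENT_GPO), ("Child-OU", CHILD_GPO)])` shows the child GPO quietly dropping RWVDEV\AppAdmins from Administrators, which is exactly the overlap the article warns about.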

How do you use the Restricted Groups GPO object to assign permissions in Active Directory? Share your comments below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

1 comment

Richaz

I have used restricted groups with great success and it is quite useful. The main one I use is adding desktop service groups to have access to all desktops for support. Often you will not find it implemented because there is a lot of misunderstanding about the "members of this group" and "group is a member of" options. Recently I have switched over to preferences for groups for doing group modifications. It allowed us to enforce group membership and gave the desktop support the flexibility to apply admin and/or remote desktop group memberships per desktop, rather than broadly applying permissions for a user to a desktop.