Restricted Groups allows the administrator to configure local groups on client computer. For example, you could add a helpdesk support group to all clients on your desktop. This video looks at how to configure local groups on your client computer using Group Policy rather than visiting each computer to make the changes.
A Common ProblemMany companies want to give technicians administrator access to the clients they are supporting. The easiest way to do this is to add the technicians to the Domain Admins group, however this would give the technicians more access than they require. The best way to grant the technicians access to the client computers is to add the group to the local administrator group on the client computer. This way the technicians has only the access they required. This can be achieved manually or using scripts, however in a large environment you will want to use Group Policy to manage local groups as once setup, new computers are configured automatically.
Demonstration
To configure Restricted groups, go to the following settings, right click it an select add group. Computer Configuration\Polices\Windows Settings\Security Settings\Restricted Groups. There is two different procedures depending if you want to reset all the local group membership or if you want to add users or groups to what is already configured in the group.
Resetting local group members
Right click on Restricted groups and select the option add group. In this case enter in the local group that you want to reset. For example, administrators.
In the next dialog, the top section says Members of this groups. Add whichever groups or users that you want to be a member of group. If you are resetting groups like the Administrators group, these groups may have members like Domain Admins, make sure you add these groups back in if you want to keep them.
Note: The local administrator account will always be present, you cannot remove it.
Adding to a local group
Right click on Restricted groups and select the option add group. When asked to add a group when in the group that you want to add to local group. For example, ITFreeTraining\Helpdesk Administrators.
In the next dialog, add the local group to the bottom part titled “This group is a member of”. For example, to change the local administrators group add Administrators in the bottom part.
References
“MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition” pg 319-324
Credits
