Using Group Policy to Assign Group Membership

Whether your Active Directory (AD) environment is large or small, you can use Group Policy Objects (GPOs) to make sure the right users and administrators, and only those, have access to the right systems. Every AD structure is built differently for different reasons, so what follows is my general take on applying these policies; it should work for most organizations.

There are a number of pieces to this puzzle that will only be applicable to your environment and how you manage it. There are two paths to assigning local group membership within a GPO: Restricted Groups (Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups) or the Local Users and Groups preference under Control Panel Settings (Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups). They have different capabilities, so let me explain them.

A Restricted Group's "Members of this group" list is enforced: only the users and groups you assign will be in that group, and anyone added locally is removed again at the next policy refresh (security settings are reapplied periodically even when the GPO has not changed). Use this as the definitive option when you need to guarantee that only certain users or groups have access. Note that the other list on the same item, "This group is a member of", is additive and does not remove anything.

The second option, the Local Users and Groups preference, gives you several choices for local group assignment. By default (Action: Update) it is additive, so someone can still add a user or group to the local group. You can also tick "Delete all member users" and "Delete all member groups" to have it wipe the group on every policy refresh and reset it to the GPO-defined membership, and you can use item-level targeting to apply the item only to computers that match a condition such as a security group, an OU or an OS version. I'll explain these features in detail below.

Group Policy is processed in the order local, site, domain, OU (with child OUs last), and when two GPOs set the same value the one processed last wins, so the GPO linked closest to the computer object has the highest precedence. This is called Group Policy inheritance, and it is the order in which your policies get applied to your structure. It is an important concept to understand because each OU has its own inheritance order. For example, if we define a Restricted Group in a GPO near the top of the structure and nothing below it blocks inheritance or overrides the setting, that membership persists all the way down, and because the Members list is enforced on every refresh it will strip out whatever a lower-level Local Users and Groups preference item tries to add to the same group. Managing one local group with both mechanisms is unreliable, so pick one per group. For this reason I suggest using Restricted Groups sparingly and in special, localized situations.

This example shows you how to add groups via the Local Users and Groups preference.

Find “Local Users and Groups” in your GPO (Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups).

Right-click, select New and then “Local Group”.

This window lists the local groups the GPO already modifies. You can see Administrators is in there.

Select “Administrators (built-in)” from the Group name drop-down, click Add and enter the user or group you wish to add. Leave Action set to Update unless you want the group recreated. Tick “Delete all member users” and “Delete all member groups” if you want the group reset to exactly this list on every policy refresh, and use the Common tab if you want item-level targeting.

Finally, link the GPO to the OU that contains the computers it should apply to.

This example shows you how to set group membership via Restricted Groups.

Find “Restricted Groups” in your GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups), right-click and choose “Add Group”.

In the Add Group dialog, browse with the local computer as the location (or simply type the name) and select the Administrators group.

Next, under “Members of this group”, add the groups you wish to be in the local Administrators group. Anything not on this list is removed at the next policy refresh, so make sure the list is complete before you link the GPO.

Finally, link the GPO to the OU that contains the computers it should apply to.
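Both procedures above end up as files in SYSVOL: a Local Users and Groups preference item is written to Groups.xml under Machine\Preferences\Groups\, and a Restricted Group is written to the [Group Membership] section of GptTmpl.inf under Machine\Microsoft\Windows NT\SecEdit\. As an added example, not part of the original post, here is a Python script that reads both files for one GPO and reports which principals end up in each local group, how strictly membership is enforced, and whether the same group is managed by both mechanisms (the inheritance conflict described earlier). The file contents, the CONTOSO domain, the group names and the SIDs are all constructed for the example; on a real domain you would read the files from \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\... instead of the embedded strings.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs: hypothetical CONTOSO domain, made-up SIDs, not real GPO data.
# Groups.xml as written by a "Local Users and Groups" preference item. deleteAllUsers and
# deleteAllGroups="1" are the "Delete all member users/groups" boxes; <Filters> is item-level targeting.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="U" newName="" description="" deleteAllUsers="1" deleteAllGroups="1" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CONTOSO\\Workstation Admins" action="ADD" sid="S-1-5-21-1111111111-2222222222-3333333333-1201"/>
        <Member name="CONTOSO\\Domain Admins" action="ADD" sid="S-1-5-21-1111111111-2222222222-3333333333-512"/>
      </Members>
    </Properties>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\\Laptops" sid="S-1-5-21-1111111111-2222222222-3333333333-1300" userContext="0" primaryGroup="0" localGroup="0"/>
    </Filters>
  </Group>
</Groups>
"""
# GptTmpl.inf as written by Restricted Groups (UTF-16 on disk: open(path, encoding="utf-16")).
# "*SID__Members" is the enforced list; "*SID__Memberof" is the additive "member of" list.
SAMPLE_GPTTMPL_INF = """[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105,CONTOSO\\Helpdesk
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = CONTOSO\\RDP Users
"""
PREF_ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}
RG_KEY = re.compile(r"\*?(.+?)__(members|memberof)", re.IGNORECASE)

def parse_groups_xml(xml_text):
    """One record per <Group> preference item in Groups.xml."""
    items = []
    for group in ET.fromstring(xml_text).iter("Group"):
        props = group.find("Properties")
        if props is None:
            continue
        items.append({
            "group_sid": props.get("groupSid") or "",
            "group_name": props.get("groupName") or group.get("name"),
            "action": PREF_ACTIONS.get(props.get("action"), props.get("action")),
            "delete_all": props.get("deleteAllUsers") == "1" and props.get("deleteAllGroups") == "1",
            "members": [(m.get("name"), m.get("action")) for m in props.iter("Member")],
            "targets": [f.get("name") for f in group.iter("FilterGroup")],  # item-level targeting
        })
    return items

def parse_restricted_groups(inf_text):
    """{group: {"members": list or None, "memberof": list}} from the [Group Membership] section."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if not (m := RG_KEY.fullmatch(key.strip())):
            continue
        group, kind = m.group(1), m.group(2).lower()
        names = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        entry = groups.setdefault(group, {"members": None, "memberof": []})
        if kind == "members":  # a Members line, even an empty one, means enforced membership
            entry["members"] = (entry["members"] or []) + names
        else:
            entry["memberof"].extend(names)
    return groups

def enforcement(entry):
    """How strictly the group is managed, given what each mechanism set."""
    rg = entry["restricted"]
    if rg is not None and rg["members"] is not None:
        return "exact: Restricted Groups removes anyone not listed on every refresh"
    if any(i["delete_all"] for i in entry["preference"]):
        return "exact: preference wipes the group on every refresh, then re-adds the list"
    if entry["preference"]:
        return "additive: preference adds members, local additions survive"
    return "unmanaged"

def audit(groups_xml, inf_text):
    """Merge both sources per group; return (report, groups managed by both mechanisms)."""
    report = {}
    for item in parse_groups_xml(groups_xml):
        key = item["group_sid"] or item["group_name"]
        report.setdefault(key, {"preference": [], "restricted": None})["preference"].append(item)
    for group, spec in parse_restricted_groups(inf_text).items():
        report.setdefault(group, {"preference": [], "restricted": None})["restricted"] = spec
    conflicts = [g for g, e in report.items() if e["preference"] and e["restricted"] is not None]
    return report, conflicts

if __name__ == "__main__":
    report, conflicts = audit(SAMPLE_GROUPS_XML, SAMPLE_GPTTMPL_INF)
    for group, entry in report.items():
        print(f"{group}: {enforcement(entry)}")
        for item in entry["preference"]:
            print(f"  preference ({item['action']}, targets {item['targets']}): "
                  + ", ".join(f"{n} {a}" for n, a in item["members"]))
        if entry["restricted"] and entry["restricted"]["members"] is not None:
            print("  Restricted Groups Members: " + ", ".join(entry["restricted"]["members"]))
    print("managed by both mechanisms (pick one):", conflicts)
```

With the constructed inputs, S-1-5-32-544 (Administrators) shows up as managed by both mechanisms, which is exactly the situation to avoid: the Restricted Groups list would win on every refresh and silently drop the groups the preference item adds. Running this across every GPO in SYSVOL, keyed by group SID rather than display name, gives you a quick inventory of who is being made a local administrator and by which policy.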

I hope this helps you on your path to standardizing your local group memberships. There is much more that can be done with these settings, especially with the Local Users and Groups preference. This should give you a basic understanding of how you can assign users or groups to local groups through Group Policy.

If you’d like to know more please let me know!