What is the Restricted Groups policy?
Restricted Groups is a security setting in Group Policy that allows administrators to enforce a predefined membership for local groups on domain-joined computers.
When this policy is applied, Windows compares the current membership of the specified local group with the list defined in the policy. Any accounts not included in the defined membership are removed, and any missing accounts are added.
This behavior makes Restricted Groups different from most Group Policy settings. Instead of modifying configuration incrementally, it enforces a fixed state, ensuring that group membership does not drift over time due to manual changes.
Why use Restricted Groups?
Local group membership, especially for privileged groups such as Administrators, tends to expand over time. Temporary access granted for troubleshooting or maintenance often remains indefinitely, increasing security risk.
Restricted Groups solves this by:
- Enforcing a consistent membership across all machines
- Removing unauthorized or stale accounts automatically
- Preventing privilege creep in sensitive groups
- Standardizing administrative access across environments
This is commonly used for groups such as Administrators, Remote Desktop Users, and Backup Operators.
Note: Restricted Groups is a computer configuration setting. The GPO must be linked to the OU containing the target computer accounts.
Prerequisites
Before configuring Restricted Groups, ensure the following:
System requirements
- A Windows domain environment with Group Policy available
- Access to the Group Policy Management Console (GPMC) on an administrative machine
User permissions
- Permission to create, edit, and link GPOs
- Local administrative rights on the test machine if you plan to run policy update commands manually
Dependencies
- The GPO must be linked to the OU that contains the target computer objects, not user accounts.
- You should document the current membership of the local group before applying the policy to avoid unintended removals.
To view the current members of a local group, run the following command on a representative machine:
Steps to configure Restricted Groups using GPO
Follow the steps below using the Group Policy Management Console.
Step 1: Open the GPMC and create or edit a GPO
- Press Win + R, type gpmc.msc, and press Enter to open the Group Policy Management Console.
- In the console, navigate to the Organizational Unit (OU) that contains the target computer accounts.
- Right-click the OU and select Create a GPO in this domain, and Link it here to create a new Group Policy Object.
- If you already have an existing GPO, right-click it and select Edit.
- Assign a descriptive name to the GPO so it can be easily identified later.
Step 2: Navigate to Restricted Groups and add the group
- In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
- Right-click Restricted Groups and select Add Group.
- Enter the name of the local group you want to manage, such as Administrators, and click OK.
Note: This configuration applies to the local group on each target computer, not to a domain group.
Step 3: Configure group membership
- In the properties dialog box, define the required membership for the group.
- Under Members of this group, add all users or domain groups that should be members of the local group (for example, Domain Admins).
- Leave the This group is a member of field blank unless you specifically need to add this group to another group.
- Click OK to save the configuration.
Step 4: Verify the GPO link
Return to the Group Policy Management Console and confirm that the GPO is correctly linked to the target OU. Ensure that the link is enabled so the policy can be applied to the computers in that OU.
Step 5: Apply and test the policy
- On a test machine, open Command Prompt with administrative privileges and run gpupdate /force:
- After the policy is applied, verify the group membership by running:
- Confirm that the GPO has been applied by running:
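An added PowerShell example, not part of the original article or of ADManager Plus, that serves both the documentation step under Dependencies and the apply-and-test step here: it records a baseline of the local group's current members, previews which accounts the policy would remove or add on each machine (since Restricted Groups replaces the whole list), and after the GPO is linked forces a computer-side refresh and re-reads the group. The computer names, the CONTOSO domain and the expected member list are placeholders; it assumes PowerShell remoting is enabled on the targets and that the caller has local administrative rights there.

```powershell
# Added example, not from the original article or from ADManager Plus.
# Assumes PowerShell remoting is enabled on the targets and the caller is a local
# admin there. Computer names, the CONTOSO domain and the member list are placeholders.
$Computers     = @('WS-TEST01', 'WS-TEST02')   # representative machines in the target OU
$Group         = 'Administrators'              # local group the GPO will manage
$DomainMembers = @('CONTOSO\Domain Admins')    # exactly what "Members of this group" lists

# 1. Baseline: record who is in the group today, before the GPO is linked.
$baseline = Invoke-Command -ComputerName $Computers -ArgumentList $Group -ScriptBlock {
    param($g)
    Get-LocalGroupMember -Group $g |
        Select-Object @{n='Computer'; e={ $env:COMPUTERNAME }}, Name, ObjectClass, PrincipalSource
}
$baseline | Export-Csv -Path ".\${Group}-baseline.csv" -NoTypeInformation

# Forgetting Domain Admins is the most common way to lock yourself out (see troubleshooting).
if ($DomainMembers -notcontains 'CONTOSO\Domain Admins') {
    Write-Warning 'Domain Admins is not in the expected list and will be removed on every machine.'
}

# 2. Preview: per machine, what the policy would remove (not in the GPO) and add (in the
#    GPO but absent today). The built-in Administrator is reported as <COMPUTER>\Administrator,
#    so it is added to the expected set per machine; drop that term if the GPO omits it.
foreach ($c in $Computers) {
    $expected = $DomainMembers + "$c\Administrator"
    $actual   = @($baseline | Where-Object Computer -eq $c | ForEach-Object Name)
    $removed  = @($actual   | Where-Object { $_ -notin $expected })
    $added    = @($expected | Where-Object { $_ -notin $actual })
    Write-Host "`n[$c] $Group"
    Write-Host "  would remove: $(if ($removed) { $removed -join ', ' } else { '(none)' })"
    Write-Host "  would add   : $(if ($added)   { $added   -join ', ' } else { '(none)' })"
}

# 3. After linking the GPO: force a computer-side refresh, confirm the GPO appears under
#    'Applied Group Policy Objects' (it must be linked to the OU holding the computer
#    account, not the user), then re-read the group to confirm the enforced membership.
Invoke-Command -ComputerName $Computers -ArgumentList $Group -ScriptBlock {
    param($g)
    gpupdate /target:computer /force | Out-Null
    "[$env:COMPUTERNAME] gpresult /r /scope:computer:"
    gpresult /r /scope:computer
    "[$env:COMPUTERNAME] $g now: $((Get-LocalGroupMember -Group $g).Name -join ', ')"
}
```

Run step 1 and 2 before the GPO is linked so the baseline CSV reflects the pre-policy state; step 3 only makes sense once the link is in place.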
Verifying the Restricted Groups policy
To confirm that the policy is applied correctly, use one of the following methods.
1. Using Resultant Set of Policy (RSOP)
Run rsop.msc on the target machine and navigate to Computer Configuration > Windows Settings > Security Settings > Restricted Groups.
This displays the effective Restricted Groups configuration applied to the system.
2. Using Group Policy Results Wizard
In the GPMC, right-click a computer object and select Group Policy Results Wizard. This tool retrieves policy data from the target system and displays all applied settings, including Restricted Groups.
Common errors and troubleshooting
Group members were removed unexpectedly
If users or groups are removed from a local group after applying the policy, it typically means the Restricted Groups configuration is working as designed. This policy enforces the configured membership list, so accounts not defined under Members of this group can be removed during policy refresh.
This can occur if existing members were not documented before applying the policy. For example, locally added administrator or service accounts will be removed if they are not included in the configuration.
To resolve this, update the GPO and ensure all required users and groups are listed under Members of this group, then run gpupdate /force or wait for the next refresh cycle.
The GPO is applied, but group membership has not changed
If the GPO appears to be applied but group membership remains unchanged, the issue is usually related to GPO scope or linkage.
Since Restricted Groups is a computer configuration setting, the GPO must be linked to the OU containing the computer account. If it is linked elsewhere, the policy will not take effect.
To verify applied policies, run:
If the expected GPO is not listed, check the OU structure in the GPMC and confirm that the GPO is correctly linked and enabled.
Access denied when running gpupdate /force
An "Access denied" error when running gpupdate /force usually indicates insufficient privileges.
Applying Group Policy updates manually requires local administrative rights. Run Command Prompt as an administrator or wait for the automatic refresh cycle, which occurs every 90 minutes by default.
Domain Admins removed from the local Administrators group
If the Domain Admins group is removed from the local Administrators group, it means it was not included in the Restricted Groups configuration.
Since the policy replaces the entire membership list, only defined members are retained.
To fix this, add Domain Admins under Members of this group in the GPO and reapply the policy.
How ADManager Plus helps
Managing Restricted Groups across multiple OUs and domains using the native Group Policy Management Console (GPMC) can become time-consuming and difficult to scale, especially in large environments.
ADManager Plus simplifies this process by providing a centralized, web-based interface for GPO and Active Directory management. Instead of manually working through the GPMC on individual systems, administrators can perform key tasks from a single console.
With ADManager Plus, you can:
- Create, edit, and manage GPOs from a centralized web console.
- Force GPO updates on remote computers without manual intervention.
- Perform GPO migration across domains and environments.
- Manage domain group membership in bulk using templates or CSV imports.
- Generate detailed reports on GPOs and group memberships for auditing and compliance.
By combining GPO management with advanced group management and reporting capabilities, ADManager Plus helps ensure that the domain groups used within Restricted Groups policies remain accurate, consistent, and up to date across your environment.
FAQ
1. Does Restricted Groups affect domain groups?
Restricted Groups does not modify the membership of domain groups in Active Directory. Instead, it controls the membership of local groups on individual machines. For example, it can enforce who belongs to the local Administrators group on each computer, but it does not change who belongs to a domain group such as Domain Admins.
2. Will Restricted Groups remove the built-in Administrator account?
Yes, the built-in Administrator account will be removed from the local group if it is not explicitly included in the policy configuration. Since the policy enforces an exact membership list, only the defined accounts are retained after the policy is applied.
3. How often is the Restricted Groups policy applied?
Group Policy refreshes automatically every 90 minutes by default, with a random offset to reduce load on domain controllers. In addition, security settings such as Restricted Groups are periodically re-applied to ensure that the defined configuration remains enforced.
4. Can Restricted Groups be configured without using GPMC?
Although it is technically possible to modify GPO content directly, this approach is not recommended. Using the Group Policy Management Console or tools like ADManager Plus ensures proper validation and prevents inconsistencies in policy configuration.