Restricting Group Membership


A new Group Policy feature introduced in Windows Server 2003 is Restricted Groups. The Restricted Groups feature allows an administrator to control the membership of the local groups on workstations and member servers. Domain Controllers are not included because they don't have local groups.

The administrator is able to control the membership in the group by specifying the members of the group in the GPO. Any additional members that may have been added to the group are removed during the Group Policy refresh. The administrator is also able to specify what groups the restricted group is a member of.

There are two ways to apply a Restricted Groups Policy:

  • Via a Security Template. Security Templates are discussed in Chapter 16, "Implementing Administrative Templates and Audit Policy."

  • Via a GPO.

In Step by Step 10.3, we're going to create a new GPO and use it to assign a Restricted Groups GPO to the Workstations OU that contains our test server.

To perform this exercise, you will need to create a share on your server and name it Users. Configure the permissions on the share so that Authenticated Users have Full Control.

Step by Step

10.3 Configuring a Restricted Groups GPO

1. Open the Group Policy Management Console. Right-click the Kansas City\Workstations OU and select Create and Link a GPO Here from the pop-up menu.

2. When the New GPO prompt appears, enter the name Restricted Groups, and click OK.

3. The new GPO will appear in the Group Policy Objects container, and as a linked object under the OU folder.

4. Right-click the new GPO and select Edit from the pop-up menu. The Group Policy Editor MMC appears.

5. Click the Computer Configuration icon; then click the Windows Settings folder.

6. Right-click the Restricted Groups icon and select Add Group.

7. In the Add Group dialog box, enter Administrators, and then click OK.

8. The Administrators Properties window opens, as shown in Figure 10.8. Click the Add button, and add a user to the group. Click OK to save.

Figure 10.8. The Administrators Properties dialog box. Add members to the group, or make the group a member of other groups.

9. On your test server or workstation, log on using the administrator account.

10. Open the Computer Management MMC, and select Local Users and Groups. Open the Groups folder, and then double-click the Administrators entry. The Administrator should be the only account listed. Close the Properties window.

11. Open a command window and run the gpupdate command. Close the command window.

12. Double-click the Administrators entry. The account you just added to the GPO should be listed.

By limiting membership of important local groups on your server, such as the Administrators and Power Users groups, you reduce your security exposure by making sure that unauthorized user accounts are not present in these groups, whether they got there accidentally or intentionally.
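As an added example (not from the book), the following PowerShell check compares a local group's current membership with the members a Restricted Groups policy is expected to enforce, so that drift can be spotted between policy refreshes rather than waiting for the next one. It assumes Windows PowerShell 5.1 or later with the Get-LocalGroupMember cmdlet (a current member server or workstation, not the Windows Server 2003 box used in the exercise); the function name and the sample account names are constructed.

```powershell
# Added example, not from the book: audit a local group's membership against the
# member list a Restricted Groups policy defines, and report any drift.
# Assumes Get-LocalGroupMember (Microsoft.PowerShell.LocalAccounts module).

function Compare-RestrictedGroup {
    param(
        [string]   $Group = 'Administrators',
        # Members the policy defines, in DOMAIN\Name or COMPUTER\Name form
        [string[]] $ExpectedMembers
    )
    # Current members as the OS reports them (e.g. "SERVER01\Administrator")
    $actual = @(Get-LocalGroupMember -Group $Group | ForEach-Object { $_.Name })

    # Comparison is case-insensitive, matching how Windows treats account names
    $unexpected = @($actual          | Where-Object { $ExpectedMembers -notcontains $_ })
    $missing    = @($ExpectedMembers | Where-Object { $actual          -notcontains $_ })

    [pscustomobject]@{
        Group      = $Group
        Actual     = $actual
        Unexpected = $unexpected   # policy refresh would remove these
        Missing    = $missing      # policy refresh would add these
        InPolicy   = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# The book's scenario: the built-in Administrator plus the one account added to
# the GPO in step 8. Account names below are constructed samples; substitute
# the names from your own environment.
$expected = @("$env:COMPUTERNAME\Administrator", 'DOMAIN\jsmith')
$result = Compare-RestrictedGroup -Group 'Administrators' -ExpectedMembers $expected

if ($result.InPolicy) {
    Write-Output "Membership of $($result.Group) matches policy."
} else {
    Write-Warning "Membership of $($result.Group) has drifted from policy:"
    $result.Unexpected | ForEach-Object { Write-Warning "  not in policy: $_" }
    $result.Missing    | ForEach-Object { Write-Warning "  missing:       $_" }
    # Re-apply computer policy now rather than waiting for the background
    # refresh; this is the same step the exercise performs in step 11.
    gpupdate /target:computer /force
}
```

Run it as an administrator on the member server; if an account appears under "not in policy", the next refresh removes it, and the warning is the point at which to ask how it got there.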




MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft® Windows Server™ 2003 Environment (2nd Edition)
ISBN: 0789736489
Year: 2006
Pages: 219
Authors: Lee Scales
