Restricted Groups

In Windows 2000 and Windows 2003, you can use Restricted Groups to strictly control the following tasks:

  • The membership of security groups that you create in Active Directory

  • The security group membership on groups created on member machines (workstations or servers)

  • The security groups that are nested within each other

You might want to strictly control these security groups or nestings to make sure that users in other areas of Active Directory, say, other domain administrators, don't inadvertently add someone to a group that shouldn't be there. Here are some practical uses of this technology:

  • Ensure that the domain's Backup Operators group contains only Sally and Joe.

  • Ensure that the local Administrators group on all desktops contains the user accounts of the help desk and support personnel.

  • Ensure that the domain's Sales global group contains the domain's East Sales, West Sales, North Sales, and South Sales local groups.

You set up these Restricted Groups settings via a GPO. You might be thinking to yourself that if the domain administrator creates the GPO, can't any domain administrator just delete the GPO and work around the point of the Restricted Groups settings? Yes, but the point of Restricted Groups is additional protection, not ultimate protection.

Strictly Controlling Active Directory Groups

The ideal way to strictly control Active Directory groups with specific Active Directory users is to create a new GPO and link it to the Domain Controllers OU.

You could modify the "Default Domain Controllers Policy" GPO directly, but, as stated earlier, it's better to create a new GPO when dealing with "normal" settings such as this one. This keeps the "Default Domain Controllers Policy" GPO as clean as possible. Likewise, you could modify the "Default Domain Policy" GPO. But, again, keeping away from the defaults for other than their special uses (as previously discussed) is preferred.

Warning 

If you set up Restricted Groups policies at multiple levels in Active Directory, there is no "merging" between Restricted Groups policy settings. The "last applied" policy wins. For example, if you set up a Restricted Groups policy, link it to the domain, create another Restricted Groups policy, and link it to the Domain Controllers OU, the one linked to the Domain Controllers OU "wins."

  1. Open the GPO and traverse to Computer Configuration → Windows Settings → Security Settings → Restricted Groups.

  2. Right-click Restricted Groups, and choose Add Group from the shortcut menu, which opens the "Add Group" dialog box.

  3. Click Browse to open the Browse dialog box, and browse for a group, say, the domain's Backup Operators, then press OK.

  4. When you do, the Backup Operator Properties dialog box, as shown in Figure 6.13, appears.

Figure 6.13: You can specify which users you want to ensure are in specific groups.

You can now choose domain members to place in the "Members of this group" list. In Figure 6.13, I have already added Sally User's account, which is in the domain, and I'm about to add Joe User's domain account.

Warning 

Be careful about just typing in the user account names without either browsing the domain or manually entering the domain with the DOMAIN\user syntax. Restricted Groups in Active Directory will not apply correctly unless you do this.

When Restricted Groups Settings Take Effect

After you enter the users in the "Members of this group" and click OK, you can sit back and wait for all Domain Controllers to get the change and process Group Policy. However, if you have only one Domain Controller in your test lab, this change should occur quickly. You can run GPUpdate to make it occur even faster in this case. This happens because any new GPO you create and link to the Domain Controllers OU should get picked up and applied right away (about 5 minutes after replication occurs).

Now, take a look inside the Backup Operators group using Active Directory Users And Computers. Sally and Joe's accounts should be forced inside Backup Operators.

When Restricted Groups Settings Get Refreshed

If someone were to remove Sally and Joe from Backup Operators in Active Directory Users And Computers, their accounts would be repopulated during the Background Security Refresh, which is every 16 hours.

As described in Chapter 3, you have two choices if you don't want to wait 16 hours for the Background Security Refresh:

  • Link a GPO to the Domain Controllers OU level with the Security policy processing setting's "Process even if the Group Policy objects have not changed" flag set. Then, the Background Security Refresh will process with the normal background refresh (every 5 minutes).

  • Force a manual refresh by running GPUpdate /FORCE on your Domain Controller. Recall that GPUpdate /FORCE may be used when the underlying GPO hasn't changed and you want your changes reflected immediately.

The users removed from Backup Operators will pop right back in!

There is one caveat with the "Members of this group" section of Restricted Groups. That is, this is an explicit list. If you then add more users using Active Directory Users And Computers, they will also be removed when the Restricted Groups policy is refreshed! Only the users listed in the "Members of this group" section will return.

Strictly Controlling Local Group Membership

You can ensure that specific users are members of specific groups on local machines (workstations or servers). For instance, you can guarantee that Joe and Sally are members of the local Administrators group on all the machines in the Nurses OU.

To do this, follow these steps:

  1. Create a new GPO, and link it to the Nurses OU. Make sure the Nurses computer accounts are in the Nurses OU.

  2. Dive in to Computer Configuration → Windows Settings → Security Settings → Restricted Groups.

  3. Right-click Restricted Groups, and select the "Add Group" option from the shortcut menu to open the "Add Group" dialog.

  4. These initial steps are nearly identical to the previous exercise where we wanted to restrict an Active Directory group. In the last exercise, we clicked the "Browse" button to locate a security group in Active Directory. However, to signify a local group, we'll just type in the word Administrators; don't click Browse.

  5. You'll then see a similar Properties dialog box as seen in Figure 6.13.

  6. At this point, you can populate the "Members of this group" in the same way you did before. Simply click "Add," and choose the domain members of Sally and Joe, similar to what is seen in Figure 6.13.

When the machine is rebooted or the background policy is refreshed, the local Administrators group is populated with Sally and Joe.

The caveat of the "Members of this group" still applies. That is, this is an explicit list. By default, all workstations have the "DOMAIN\Domain Admins" listed as members within their local Administrators group. If you don't add "DOMAIN\Domain Admins" while creating a Restricted Group, they won't be there on the next background refresh.

Strictly Applying Group Nesting

The last trick Restricted Groups can perform is that it can ensure that one domain group is nested inside another. Like the "Strictly Controlling Active Directory Groups" trick, you need a GPO linked to the Domain Controllers OU.

The interface is a bit counterintuitive; the idea is that you name a group (say, HR-OU-Admins) and then specify the group of which it will be a member.

To nest one group within another:

  1. Open the GPO and traverse to Computer Configuration → Windows Settings → Security Settings → Restricted Groups.

  2. Right-click Restricted Groups, and choose "Add Group" from the shortcut menu, which opens the "Add Group" dialog box.

  3. Click Browse to open the Browse dialog box, and locate the first group.

  4. When you do, the Properties dialog box appears, as shown earlier in Figure 6.13.

  5. Then, you'll click the "Add" button in the "This group is a member of" section of the Properties dialog box. You'll then be able to specify the second group name.

When you're finished, and the Group Policy applies, the result will be that the first group will be forcefully nested within the second group. In order for this to really work well, it helps to remember that different domain modes allow for different levels of group nesting. Here's the Cliffs Notes version:

  • Windows 2000 mixed mode domains and Windows 2003 interim mode domains can nest global groups only into domain local groups.

  • Windows 2000 and Windows 2003 native mode domains can nest global groups into domain local groups. Additionally, global groups can be nested into global groups.

Warning 

While you are creating a Restricted Groups policy, take care. Results can be unpredictable when you mix the "This group is a member of" and "Members of this group" sections. If you have ensured a group's membership using the "Members of this group" setting, don't attempt to further modify that group's membership by feeding the "This group is a member of" users (by lying to it) to extend the original group's membership! On occasion, the "This group is a member of" and "Members of this group" will conflict if you try to add users to both headings.
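The three behaviours the chapter keeps returning to (the explicit "Members of this group" list that strips anyone not listed, including the default DOMAIN\Domain Admins; "last applied wins" with no merging between levels; and the additive "This group is a member of" nesting) are easy to misjudge on paper. The following model of a refresh is an added example, not the book's or Microsoft's code; the group and user names are constructed, and the choice to process Members before Memberof is an assumption, since the warning above says mixing both on one target is unpredictable.

```python
"""Model of Restricted Groups enforcement on refresh (added example, not from the book)."""
from typing import Dict, List

# A policy maps a group name to its Restricted Groups settings:
#   "members"  -> the explicit "Members of this group" list (authoritative)
#   "memberof" -> the "This group is a member of" list (additive nesting)
Policy = Dict[str, Dict[str, List[str]]]
Membership = Dict[str, List[str]]


def effective_policy(gpos_in_apply_order: List[Policy]) -> Policy:
    """No merging between levels: the last-applied GPO that carries any
    Restricted Groups entries is the one that wins."""
    for policy in reversed(gpos_in_apply_order):
        if policy:
            return policy
    return {}


def apply_restricted_groups(membership: Membership,
                            gpos_in_apply_order: List[Policy]) -> Membership:
    """Return group membership after a refresh (background or GPUpdate /FORCE)."""
    result = {group: list(members) for group, members in membership.items()}
    policy = effective_policy(gpos_in_apply_order)
    # "Members of this group" is an explicit list: anyone not listed is removed,
    # including hand-added accounts and the default DOMAIN\Domain Admins.
    for group, settings in policy.items():
        if "members" in settings:
            result[group] = list(settings["members"])
    # "This group is a member of" only adds the nesting; it does not strip other
    # members from the target group. Processing it after Members is an assumption.
    for group, settings in policy.items():
        for target in settings.get("memberof", []):
            result.setdefault(target, [])
            if group not in result[target]:
                result[target].append(group)
    return result


# Constructed sample: a Nurses OU workstation where someone hand-added a contractor.
BEFORE = {"Administrators": ["DOMAIN\\Domain Admins", "DOMAIN\\Contractor"]}
DOMAIN_GPO = {"Administrators": {"members": ["DOMAIN\\Domain Admins", "DOMAIN\\HelpDesk"]}}
NURSES_OU_GPO = {"Administrators": {"members": ["DOMAIN\\Sally", "DOMAIN\\Joe"]}}

if __name__ == "__main__":
    # The OU-linked GPO wins outright, so Domain Admins and the contractor both vanish.
    print(apply_restricted_groups(BEFORE, [DOMAIN_GPO, NURSES_OU_GPO]))
```

Run it once with only DOMAIN_GPO in the list to see the domain-level list restored instead, and note that in neither case does the hand-added contractor survive the refresh.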

Which Groups Can Go into Which Other Groups via Restricted Groups?

The processing of Restricted Groups can sometimes be picky depending on the scenario. (This is officially documented in the Knowledge Base article KB 810076.) And the "out of the box" processing changes a little bit and becomes more standardized for the most up-to-date clients: Windows 2003, Windows 2000 with SP4, and Windows XP with SP2.

MSKB 810076 now has several tables to help you out during your testing of this feature. Again, to ensure that the tables work for you, you need Windows 2003, Windows 2000 with SP4, or Windows XP with SP2, or you need the hotfix in the Knowledge Base article KB 810076 applied to machines that will receive the forced users or groups.



Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000
ISBN: 0782144470
Year: 2005
Pages: 110
