Restricted Groups Policy Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Restricted Groups

This security setting allows an administrator to define two properties for security-sensitive groups (or restricted groups). The two properties are Members and Member Of.

The Members list defines exactly who belongs and who does not belong to the restricted group. Both inclusion on the list and exclusion from the list, are enforced.

The Member Of list specifies groups in which the restricted group is included. Only inclusion in the Member Of list is enforced, not exclusion: If you remove a group from the Member Of list, the restricted group is allowed to remain a member of the removed group.

Note

  • Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.
Location

GPO_name\Computer Configuration\Windows Settings\Security Settings\Restricted Groups\

Default Values
Server Type or GPO Default Value

Default Domain Policy

Not defined

Default Domain Controller Policy

Not defined

Stand-Alone Server Default Settings

Not defined

DC Effective Default Settings

Not defined

Member Server Effective Default Settings

Not defined

Discussion

The Restricted Groups folder is available only in Group Policy objects associated with domains, organizational units, and sites. The Restricted Groups folder does not appear in the local Group Policy object.

If a restricted group is defined so that it has no members (that is, the Members list is empty), all members of the group are removed when the policy is enforced on the computer. If the Member Of list is empty, no changes are made to any groups to which the restricted group belongs.