1
00:00:03,060 --> 00:00:03,520
Okay.

2
00:00:03,540 --> 00:00:09,150
Now I want a demo of this restricted groups or group membership control scenario using restricted groups

3
00:00:09,150 --> 00:00:09,720
policy.

4
00:00:10,620 --> 00:00:14,160
So I'm on my Windows 7 desktop machine that's a member of the Marketing

5
00:00:14,160 --> 00:00:14,670
OU.

6
00:00:15,480 --> 00:00:21,270
And I'm looking at the local groups on this Windows 7 machine, and I've got this Remote Desktop

7
00:00:21,270 --> 00:00:21,950
Users group.

8
00:00:21,960 --> 00:00:27,360
And I mentioned it earlier as the group that grants remote desktop access to the system, and you'll

9
00:00:27,360 --> 00:00:29,070
see that it has no members in it.

10
00:00:29,970 --> 00:00:35,700
So then what I'm going to do is come over to my domain and I'm going to go ahead and create and link

11
00:00:35,700 --> 00:00:37,320
a new GPO in the domain.

12
00:00:38,170 --> 00:00:40,840
I'm going to call it the Restricted Groups policy.

13
00:00:41,680 --> 00:00:47,290
And now that I have this linked and defined on the domain, I'm going to go ahead and edit it and I'm

14
00:00:47,290 --> 00:00:49,630
going to drill in under Computer Configuration,

15
00:00:49,630 --> 00:00:50,440
Windows Settings,

16
00:00:50,440 --> 00:00:51,550
Security Settings.

17
00:00:52,460 --> 00:00:55,760
And you'll see here I've got Restricted Groups as a policy area.

18
00:00:56,630 --> 00:00:57,890
I'm going to add a group.

19
00:00:58,770 --> 00:01:03,270
Now I've got a group called Helpdesk Admins that I'm going to use as my policy target.

20
00:01:04,170 --> 00:01:07,590
So if I click on Check Names, it'll return Helpdesk Admins.

21
00:01:07,590 --> 00:01:08,490
That's a global group

22
00:01:08,490 --> 00:01:10,140
I created in Active Directory.

23
00:01:10,980 --> 00:01:14,730
And then what you'll see here is that when it comes up, I've got two options.
24
00:01:15,630 --> 00:01:20,490
I can either use "Members of this group", which is the absolute control portion of restricted groups

25
00:01:20,490 --> 00:01:26,940
policy, or I can use "This group is a member of", which lets me add the target group, in this case Helpdesk

26
00:01:26,940 --> 00:01:28,430
Admins, to other groups.

27
00:01:28,440 --> 00:01:29,670
And that's what I want to use.

28
00:01:30,590 --> 00:01:32,630
I don't want the absolute control part.

29
00:01:32,750 --> 00:01:35,360
I want the discretionary addition of groups part.

30
00:01:36,200 --> 00:01:37,850
And what I'm going to do here is

31
00:01:37,850 --> 00:01:38,870
I'm going to say,

32
00:01:39,680 --> 00:01:41,210
add it to Remote Desktop.

33
00:01:42,070 --> 00:01:43,390
I'll search on that name.

34
00:01:44,220 --> 00:01:46,170
Add it to Remote Desktop Users.

35
00:01:47,040 --> 00:01:52,050
Now this group, meaning Helpdesk Admins, will be made a member of Remote Desktop Users on all the

36
00:01:52,050 --> 00:01:54,060
computers that process this policy.

37
00:01:54,930 --> 00:01:58,470
All right, so now I've got my "Member Of" for Restricted Groups set.

38
00:01:59,340 --> 00:02:00,870
Let's come back to my client.

39
00:02:01,770 --> 00:02:03,390
We'll go ahead and fire up

40
00:02:03,390 --> 00:02:03,840
gpupdate.

41
00:02:04,710 --> 00:02:05,760
Let's open a command

42
00:02:05,760 --> 00:02:10,350
prompt. gpupdate /target:computer, because I'm interested in computer policy

43
00:02:11,200 --> 00:02:13,750
and policy getting applied to this workstation.

44
00:02:14,590 --> 00:02:18,130
Now let's go in under Remote Desktop Users and see what happens.

45
00:02:19,060 --> 00:02:19,870
There we go.

46
00:02:20,740 --> 00:02:25,000
There's my Helpdesk Admins group that's now been added to this Remote Desktop Users group.

47
00:02:25,870 --> 00:02:30,390
So a quick and easy way to use restricted groups policy to control local group membership.
48
00:02:30,400 --> 00:02:35,590
And again, if I were not an admin on this workstation, I couldn't go in and change this group membership

49
00:02:35,590 --> 00:02:36,010
at all.

50
00:02:36,880 --> 00:02:41,350
So essentially I'm enforcing this policy over my machine's configuration.