1
00:00:06,430 --> 00:00:13,450
Managing group membership can be a time-consuming task, especially if you must modify the membership

2
00:00:13,450 --> 00:00:19,960
of groups on workstations or servers distributed throughout the enterprise.

3
00:00:19,960 --> 00:00:27,760
For example, you might need to add a user or global group to the local Administrators group on client

4
00:00:27,760 --> 00:00:32,900
computers or add a global group to the Backup Operators

5
00:00:32,920 --> 00:00:34,990
groups on servers.

6
00:00:34,990 --> 00:00:43,660
Group Policy provides a setting called Restricted Groups that enables you to control the membership of

7
00:00:43,660 --> 00:00:46,870
local groups on domain-joined computers.

8
00:00:46,870 --> 00:00:55,950
This setting also enables you to control the membership of AD DS groups by configuring a GPO and

9
00:00:55,950 --> 00:01:02,020
assigning the GPO to the OU holding those computer accounts.

10
00:01:02,050 --> 00:01:09,790
You can find the Restricted Groups setting in the Computer Configuration policy under Windows Settings

11
00:01:10,120 --> 00:01:15,110
and then under Security Settings. It contains no groups by default.

12
00:01:15,430 --> 00:01:22,720
Please note that to configure membership in AD DS groups, you must assign the GPO to the OU that

13
00:01:22,720 --> 00:01:26,400
holds the domain controllers' computer accounts.

14
00:01:26,410 --> 00:01:32,280
You can also configure group nesting by using the Restricted Groups setting.

15
00:01:32,320 --> 00:01:39,310
For example, you could use Restricted Groups to nest global groups into universal groups.

16
00:01:39,310 --> 00:01:45,910
All the rules governing group nesting still apply when using Restricted Groups.

17
00:01:45,910 --> 00:01:53,170
Please note that the Restricted Groups setting is only available in domain-level group policies.

18
00:01:53,170 --> 00:02:00,380
It does not exist in local group policies on Windows client and server operating systems.

19
00:02:00,400 --> 00:02:08,800
Now some words about removal of non-designated members. One of the benefits of Restricted Groups is that

20
00:02:08,800 --> 00:02:14,220
it will also remove any user or group from the targeted group

21
00:02:14,530 --> 00:02:20,490
if they are not on the list of users or groups in this setting.

22
00:02:20,500 --> 00:02:28,340
This is useful for controlling the membership of high-level administrative groups such as Enterprise

23
00:02:28,340 --> 00:02:35,360
Admins, Domain Admins, and the local Administrators group on servers and client computers.

24
00:02:35,380 --> 00:02:42,910
If you manually add users to a controlled group, the Restricted Groups setting will remove them the next

25
00:02:42,910 --> 00:02:45,180
time Group Policy refreshes.

26
00:02:45,190 --> 00:02:53,290
The only exception to this rule is that the local default Administrator account can never be removed from

27
00:02:53,290 --> 00:02:55,700
the local Administrators group.

28
00:02:55,840 --> 00:03:03,460
If the policy object that you use to configure the Restricted Groups membership is unlinked from the

29
00:03:03,460 --> 00:03:12,610
container holding the computer accounts, or if you delete the Restricted Groups entry from the GPO, then

30
00:03:12,610 --> 00:03:18,160
the group memberships that it assigned are not removed.

31
00:03:18,220 --> 00:03:21,550
You must modify those group memberships manually.