DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 279301 - Last Review: May 15, 2009 - Revision: 7.2

This article was previously published under Q279301
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000) is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy (http://support.microsoft.com/lifecycle/) .

On This Page

SUMMARY

This article provides a description of Group Policy Restricted groups.

MORE INFORMATION

Restricted groups allow an administrator to define the following two properties for security-sensitive (restricted) groups:
  • Members
  • Member Of
The "Members" list defines who should and should not belong to the restricted group. The "Member Of" list specifies which other groups the restricted group should belong to.

Using the "Members" Restricted Group Portion of Policy

When a Restricted Group policy is enforced, any current member of a restricted group that is not on the "Members" list is removed with the exception of administrator in the Administrators group. Any user on the "Members" list which is not currently a member of the restricted group is added.

Using the "Member Of" Restricted Group Portion of Policy

Only inclusion is enforced in this portion of a Restricted Group policy. The Restricted Group is not removed from other groups. It makes sure that the restricted group is a member of groups that are listed in the Member Of dialog box.

Managing membership of Domain Groups by using Restricted Groups

Microsoft does not support using Restricted Groups in this scenario. Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups. Domain objects have to be managed within traditional AD tools. Therefore, we do not plan currently to add or support using Restricted Groups as a way to manage Domain Groups.

APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Datacenter
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Standard without Hyper-V
Keywords: 
kbinfo kbnetwork KB279301
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support