This article provides a description of Group Policy
Restricted groups allow an administrator to define the
following two properties for security-sensitive (restricted) groups:
The "Members" list defines who should and should not belong to
the restricted group. The "Member Of" list specifies which other groups the
restricted group should belong to.

Using the "Members" Restricted Group Portion of Policy

When a Restricted Group policy is enforced, any current member of
a restricted group that is not on the "Members" list is removed, with the
exception of administrator in the Administrators group. Any user on the
"Members" list who is not currently a member of the restricted group is

Using the "Member Of" Restricted Group Portion of Policy

Only inclusion is enforced in this portion of a Restricted Group
policy. The Restricted Group is not removed from other groups. It makes sure
that the restricted group is a member of groups that are listed in the Member Of

Managing membership of Domain Groups by using Restricted Groups

Microsoft does not support using Restricted Groups in this
scenario. Restricted Groups is a client configuration mechanism and cannot be
used with Domain Groups. Restricted Groups is designed specifically to work with
Local Groups. Domain objects have to be managed within traditional AD tools.
Therefore, we do not currently plan to add or support using Restricted Groups
as a way to manage Domain Groups.
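
The "Members" and "Member Of" rules described above can be previewed before a policy is linked. The following PowerShell is an added example, not code from the original article or from Microsoft: the function name Get-RestrictedGroupPlan and every account and group name in it are hypothetical, constructed values, and it only models the rules on plain strings without touching any real group.

```powershell
# Added example: models the enforcement rules on constructed data only.
function Get-RestrictedGroupPlan {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string[]] $CurrentMembers  = @(),  # who is in the group now
        [string[]] $PolicyMembers   = @(),  # the "Members" list
        [string[]] $CurrentMemberOf = @(),  # groups it already belongs to
        [string[]] $PolicyMemberOf  = @()   # the "Member Of" list
    )

    # "Members": anyone not on the list is removed, except administrator
    # in the Administrators group.
    $remove = @($CurrentMembers | Where-Object {
        $_ -notin $PolicyMembers -and
        -not ($GroupName -eq 'Administrators' -and $_ -eq 'Administrator')
    })

    # "Members": anyone on the list who is not yet a member is added.
    $add = @($PolicyMembers | Where-Object { $_ -notin $CurrentMembers })

    # "Member Of": inclusion only. Missing memberships are added and
    # existing ones are never removed.
    $joinGroups = @($PolicyMemberOf | Where-Object { $_ -notin $CurrentMemberOf })

    [pscustomobject]@{
        Group        = $GroupName
        Remove       = $remove
        Add          = $add
        JoinGroups   = $joinGroups
        KeptMemberOf = $CurrentMemberOf
    }
}

# Constructed sample 1: a "Members" list applied to local Administrators.
$adminsCase = @{
    GroupName      = 'Administrators'
    CurrentMembers = 'Administrator', 'tempadmin', 'HelpdeskAdmins'
    PolicyMembers  = 'HelpdeskAdmins', 'WorkstationAdmins'
}
Get-RestrictedGroupPlan @adminsCase   # Remove: tempadmin; Add: WorkstationAdmins

# Constructed sample 2: a "Member Of" list for a hypothetical group.
$memberOfCase = @{
    GroupName       = 'HelpdeskAdmins'
    CurrentMemberOf = 'Remote Desktop Users'
    PolicyMemberOf  = 'Administrators'
}
Get-RestrictedGroupPlan @memberOfCase # JoinGroups: Administrators; nothing removed
```

In the first sample, Administrator stays in place even though it is absent from the "Members" list, while tempadmin is the kind of unlisted entry the policy strips on its next application.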