2

I'm looking for current best practices and I can't seem to find a definitive answer. I'm looking to manage the membership of the local administrator group on Windows (Client) machines. In the past, we've used Restricted Groups but I see that Local Users and Groups give more flexibility and can also clear out existing users and groups to mimic what restricted groups is doing.

Any recommendations on why I would choose one over the other. Is it just preference? What do most admins use? Does anyone have a link to a microsoft doc that explains which should be used?

Thanks!

Paul G
  • 158
  • 1
  • 6

1 Answers1

2

I'd say it's a preference. Let's do a little bit of history to explain why we can manage group membership in two different ways:

"Restricted Groups" (in the "Policies" node of the GP management console) came first, and allows you to restrict the members of a group (nobody can add/remove something in the group after you restricted it).

Then, another company (called "DesktopStandard") created their own GP extensions (PolicyMaker) to allow administrators to perform other tasks with group policies, like creating and deleting files, folders, registry keys, shortcuts etc... AND they provided another way to manage users and groups membership with "Local Users and Groups". Eventually, Microsoft bought this company and integrated their tools into the "Preference" node of the GP management console (and that's why the look and feel is different when you browse the "Preferences" node in your GPO).

And that's it, now we have two ways to manage groups membership: "Restricted Groups" is the original one, and "Local Users and Groups" is the "bolted on" tool.

If you just want to restrict the group membership, personally I would use "Restricted Group", but if you want to add some members without wiping the old members, and if you want to allow users to add members afterward, you should use the "Local Users and Groups" in "Preferences"

Swisstone
  • 6,357
  • 7
  • 21
  • 32