GPO to validate Group Membership

    Question

  • Dear All,

    Sorry for the stupid question, but I wasn't able to find an answer anywhere.

    Is there a GPO that validates the group membership of a domain group?

    For example, in the Domain Admins group there are users A, B, and C.

    If somebody adds user D, the GPO should remove him when GP is refreshed.

    Thank you for any advice!

    Thursday, April 9, 2015 7:47 PM

Answers

  • I don't think that there is anything like that out of the box. You have the Restricted Groups policy in GPO, which does what you need, but this policy is designed to handle local group membership, and MS does not support using the Restricted Groups policy for managing membership in domain groups (probably because the policy for the same group will be processed by multiple clients, resulting in higher load on the DC and an increase in replication traffic). You can try to apply a Restricted Groups policy to one of the domain controllers and use it for managing the Domain Admins group; it might work.

    Gleb.

    • Marked as answer by StefkoDan Friday, April 10, 2015 7:16 AM
    Friday, April 10, 2015 7:12 AM
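
A scripted alternative to the Restricted Groups approach described in the answer, as an added example that is not part of the original thread: it compares the direct members of a domain group against an approved list, reports the differences, and removes unapproved members. The function name `Sync-ApprovedGroupMember` and the accounts A, B, C are illustrative assumptions; the AD calls are the ActiveDirectory module's `Get-ADGroupMember` and `Remove-ADGroupMember`.

```powershell
#Requires -Modules ActiveDirectory
# Added example (hypothetical function name): enforce an approved member
# list on a domain group. A, B, C mirror the question; use real
# sAMAccountNames, and include the built-in Administrator if it must stay.
function Sync-ApprovedGroupMember {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [string] $GroupName = 'Domain Admins',
        [Parameter(Mandatory)] [string[]] $Approved
    )

    # Direct members only: a nested group appears as a member object itself,
    # so an unapproved nested group is flagged like an unapproved user.
    $current = @(Get-ADGroupMember -Identity $GroupName)

    foreach ($member in $current) {
        if ($Approved -notcontains $member.SamAccountName) {
            # -WhatIf makes ShouldProcess return $false, so nothing is removed.
            if ($PSCmdlet.ShouldProcess($member.distinguishedName, "Remove from $GroupName")) {
                Remove-ADGroupMember -Identity $GroupName -Members $member -Confirm:$false
            }
            [pscustomobject]@{
                Group   = $GroupName
                Member  = $member.SamAccountName
                Finding = 'Unapproved'
            }
        }
    }

    # Approved accounts that are no longer in the group are reported, not re-added.
    foreach ($name in $Approved) {
        if ($current.SamAccountName -notcontains $name) {
            [pscustomobject]@{
                Group   = $GroupName
                Member  = $name
                Finding = 'Missing'
            }
        }
    }
}

# Report only, no changes are made:
Sync-ApprovedGroupMember -Approved 'A', 'B', 'C' -WhatIf
```

With `-WhatIf` the function only reports; to enforce unattended (for example from a scheduled task), drop `-WhatIf` and pass `-Confirm:$false`.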

All replies

  • I don't think that there is anything like that out of the box. You have the Restricted Groups policy in GPO, which does what you need, but this policy is designed to handle local group membership, and MS does not support using the Restricted Groups policy for managing membership in domain groups (probably because the policy for the same group will be processed by multiple clients, resulting in higher load on the DC and an increase in replication traffic). You can try to apply a Restricted Groups policy to one of the domain controllers and use it for managing the Domain Admins group; it might work.

    Gleb.


    Thank you very much, I will try it and let you know if it worked.
    Friday, April 10, 2015 7:17 AM