Local Groups, Active Directory, and Group Policy

I was asked to set up a handful of laptops for a specific one-day event where users would be taking a survey on them and that was pretty much the end of it.

I created a special limited user account for the purpose and removed that user account from the AD group Domain Users so that special account would not be able to log in anywhere I did not specify.  Then I created a Group Policy for a security group in which that special user was a member whereby the particular user restrictions were passed to that special user (such as forcing the Home page in IE to the survey users were to take).

Next I created a special bucket in AD to hold the few laptops for this project.  I then was able to create a Group Policy forcing my special domain security group as a member of the local Users group on the laptops in that bucket.

Let’s go over this scenario again in detail.

GroupEventUser contains one user (EventUser).  These are both housed in a bucket in AD (UsersEvent).  The five machines (we’ll call them EventMach1 through EventMach5) are in another bucket (LaptopsEvent).  The bucket LaptopsEvent has a GPO which forces GroupEventUser into the local Users group on each of the five machines contained there.

This Group Policy Object can be created here in the GP Editor:

Computer Configuration —> Windows Settings —> Security Settings —> Restricted Groups

That’s the easy part.  Setting up the actual object is a bit confusing.  You’ll want to, of course, “Add Group…” at Restricted Groups.

Then you will enter the name of the group you are forcing into the Add dialog (in my example I would add GroupEventUser).  With this object now created you will open its Properties dialog (this opens automatically when you create the object).  In the field “This group is a member of:” (by clicking the associated “Add…” button) you will add the name of the local computer group you are forcing your AD group into.  In my case that is Users, the local users group, which gives my domain group GroupEventUser login privileges on the machines in LaptopsEvent.

Once again, you create a policy object named after the domain group you are adding to the local group, and add the local group in that object’s member of section.
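What the Restricted Groups editor actually records is a `[Group Membership]` section in the policy’s GptTmpl.inf on SYSVOL, with a `__Memberof` line (the “This group is a member of:” field) and a `__Members` line (the “Members of this group:” field) per restricted group.  The added example below, not from the original post, parses a constructed sample of that file and flags the form that bites people: a non-empty `__Members` list is authoritative and replaces whatever is already in that local group.  The domain name CONTOSO is a placeholder.

```python
import configparser

# Constructed sample of the GptTmpl.inf the GUI steps above produce:
# the object is named after the domain group, and "member of" is Users.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
CONTOSO\\GroupEventUser__Memberof = Users
CONTOSO\\GroupEventUser__Members =
"""

# Constructed sample of the inverted (wrong) form: local Users is the
# restricted group and its member list is set to just the domain group.
INVERTED_INF = """\
[Group Membership]
Users__Members = CONTOSO\\GroupEventUser
Users__Memberof =
"""


def parse_group_membership(inf_text):
    """Return (member_of, members): group -> list of names from each line."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of DOMAIN\Group keys
    cp.read_string(inf_text)
    member_of, members = {}, {}
    if not cp.has_section("Group Membership"):
        return member_of, members
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.rpartition("__")
        names = [n.strip() for n in value.split(",") if n.strip()]
        if kind == "Memberof":
            member_of[group] = names
        elif kind == "Members":
            members[group] = names
    return member_of, members


def forced_into(member_of, local_group):
    """Groups the policy adds to local_group without touching its other members."""
    return sorted(g for g, targets in member_of.items() if local_group in targets)


def overwritten_groups(members):
    """Groups whose entire membership the policy will replace on refresh."""
    return sorted(g for g, names in members.items() if names)
```

Run the two samples through `overwritten_groups` to see why the post insists on naming the object after the domain group: the correct form overwrites nothing, the inverted form would rewrite the laptops’ local Users group.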

Clear as mud?  You can see this somewhat confusing article where I got my information about the GPO for forcing the group membership.  (In part I wrote this article because there were a lot of forum posts telling folks this could not be done.  See this one for instance.  There were many others.  Google is your friend.)

Hope that helps you out.
