HOW TO: Restrict Group Membership By Using Group Policy in Windows 2000

This step-by-step article describes how to restrict group membership by using group policy.

In some cases, you may want to restrict the membership of certain groups in a Windows 2000 domain to prevent the addition of other user accounts to those groups.

Create a Group Policy Object

To create a Group Policy Object (GPO) with which to restrict group membership:

1. Start the Active Directory Users and Computers snap-in. To do so, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click your domain or the organizational unit in which you want to create the group policy, and then click Properties.
3. Click the Group Policy tab, and then click New.
4. Type the name that you want to call this policy (for example, Account restriction policy), and then press ENTER.
5. Click Close.

Configure Group Membership

1. Start the Active Directory Users and Computers snap-in.
2. In the console tree, right-click your domain or the organizational unit that contains the group policy that you want, and then click Properties.
3. Click the Group Policy tab, select the group policy object that you want, and then click Edit.
4. Expand Computer Configuration, expand Windows Settings, and then expand Security Settings.
5. Right-click Restricted Groups, and then click Add Group.
6. Click Browse, click the group that you want to add, (for example, click Backup Operators), and then click Add.
7. When you are finished adding groups, click OK.
8. In the Add Group dialog box, click OK.
   
   The groups to which you want to restrict access are displayed in the right pane of the Group Policy snap-in.
9. Double-click a group in the right pane of the Group Policy snap-in. For example, double-click Backup Operators.
   • To restrict the membership of this group:
     1. Click the Add button that corresponds to the Members of this group box.
     2. Click Browse, click the user or group account that you want to add to the group, and then click Add.
     3. When you are finished adding users or groups, click OK.
     4. In the Add Member dialog box, click OK.
   • To restrict the groups to which this group can be a member:
     1. Click the Add button that corresponds to the This group is a member of box.
     2. Click Browse, click the group account to which you want to add this group, and then click Add.
     3. When you are finished adding groups, click OK.
     4. In the Group Membership dialog box, click OK.
10. In the Configure Membership for Group_name dialog box, click OK.
11. Quit the Group Policy snap-in, and then click OK.

Troubleshooting

• When you restrict group membership by using group policy, you may notice that you can still add users to a group to which they have been denied access. Changes to restricted groups remain in effect until group policy is refreshed. When group policy is refreshed, restricted group memberships are reapplied, removing any changes that are made to the membership of the restricted group. For additional information about how to refresh group policy, click the article number below to view the article in the Microsoft Knowledge Base:
  227302  (http://support.microsoft.com/kb/227302/EN-US/ ) Using SECEDIT to Force a Group Policy Refresh Immediately
• The default membership of a restricted group is no members. By leaving the group with the default membership of no members, you can provide additional security to groups to which you want to prevent membership. For example, you can use this method to ensure that no user accounts are members of the Guests group.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base: For more information about Group Policy, see the "Introduction to Windows 2000 Group Policy" white paper at the following Microsoft Web site: