All members of a group are removed when the group is selected by the Restricted Groups policy settings and then Group Policy is refreshed in the background

Consider the following scenario:

• You open the Domain Security Policy Microsoft Management Console (MMC) or the Domain Controller Security Policy MMC to configure the Restricted Groups policy settings in Windows Server 2003.
• You click Add Group to add a group, such as the Domain Admins group.
  
  Note After the group is added, its Properties dialog box opens. You can define the members of this group or define the groups to which this group belongs.
• Before you change the value of the Members of this group property and then click OK to apply the changes, Group Policy is refreshed in the background.

In this scenario, all members of the group that you added are removed.

If a restricted group is defined, and no members are configured (that is, the Members list is empty), all members of the group are removed when the policy is enforced on the computer.

To work around this behavior, use one of the following methods.

Method 1

Create a Group Policy object. Then, use the Group Policy Management Console (GPMC) to link the Group Policy object to the domain, the domain controller, or the organizational units (OU).

For more information about how to use GPMC to link a Group Policy object, visit the following Microsoft Web site:

Method 2

Modify the default Group Policy refresh interval on the domain controller to set a refresh interval value that is greater than five minutes. For example, set the refresh interval to 15 minutes.

Note This method may affect the performance of the domain controller. For more information about how to modify the default Group Policy refresh interval, click the following article number to view the article in the Microsoft Knowledge Base:

This behavior is by design.

For more information about the Restricted Groups policy settings, visit the following Microsoft Web site: