Today I will introduce a tool that can help you manage groups across your domain.
This tool is not an all-in-one solution for group management.
Because it is backed by GPO, Restricted Groups can be deployed flexibly.
But it does help you with membership control, which is the most important aspect of a group.
[00:10] [WHY RESTRICTED GROUPS?]
[00:13] Delegating the Support of Computers means that we use Group Policy Objects with Restricted Groups settings to manage group membership across the corporate network.
In real scenarios, administrators face a huge problem: it is hard to control the membership of local groups on client and server machines throughout an enterprise that can have thousands of clients and hundreds of servers to take care of.
This feature of Group Policy brings you huge benefits in security as well as convenience in Active Directory management.
So read my notes and links carefully to save yourself effort later.
[00:31] Without it, you cannot ensure that the local Administrators group on every machine is free of local user accounts that the computer's user created to bypass domain security.
You can manage and control the membership of the Enterprise Admins and Schema Admins groups (the most important groups in the Active Directory environment) better and ensure that no wrong account is added to these groups by mistake.
In this demo, I will use Restricted Groups to enforce group relationships; in this case I do not use any other entities such as users, computers or OUs.
[00:44] Now we create 3 groups in the IT OU: IT Managers, Software Managers and Hardware Managers, to demonstrate the group management ability of "Restricted Groups" in Group Policy.
[1:19] "One of the greatest advantages of having an Active Directory Domain is the possibility to deploy software packages via GPO (Group Policy Object). Software deployment is crucial in business environments to save time and money.
Microsoft not only gives us a simple way to deploy software, but also provides a quick solution to uninstall it when we don’t need it anymore" – thesolving.com
[1:32] "NOTE: BE VERY CAREFUL IN ADSIEDIT! You can fatally damage your Active Directory if you delete something you should not. Make sure you have a backup of your DC’s, and make sure you can recover it. I also advise that you make a copy of the contents of the gPMachineExtensionNames attribute, just in case you delete the wrong bit!" – specopssoft.com
[1:44] [GPO BUILDING]
[1:49] Let's create a GPO called Restricted Groups IT, then edit it via the Group Policy Management tool.
[2:06] "The GPSIViewer utility will automatically try to resolve the AD domain that the workstation running the tool belongs to. If it cannot or you wish to connect to a different domain, then you will be able to enter the domain name manually, using either the LDAP distinguished name, as shown above, or the DNS name" – sdmsoftware.com
[2:15] The Restricted Groups node exists under the Computer Configuration|Windows Settings|Security Settings node for any GPO in Active Directory.
[2:34] Before we add a group to control its membership, I want to point out that managing a few groups is easy, but managing a bunch of them is a nightmare.
[2:45] "When you deploy an application through Group Policy, the local machine stores the GPSI information within HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt . Each installed application has a unique ID assigned to it." – deployhappiness.com
[2:55] [DRAW GROUP RELATIONSHIPS MANUALLY]
Let's assume that we need to add the Software Managers and Hardware Managers groups as members of IT Managers, and then make IT Managers a member of the Administrators group.
This task is simple because there are only 3 or 4 groups to handle.
Software Managers becomes a member of IT Managers.
[3:17] Hardware Managers becomes a member of IT Managers.
And IT Managers becomes a member of the Administrators domain group.
You can see that this group contains 2 members.
[3:23] [GROUP RELATIONSHIP ENFORCEMENT WITH RESTRICTED GROUPS]
You may wonder: you already had Active Directory Users and Computers to control your domain groups, so why do you need this tool?
Because Restricted Groups can not only manage each local client group but can also remove members that were not defined in the policy.
So from a centralized point, with supervisor permissions, you can ensure that the above relationships cannot be modified, implicitly or explicitly.
Let's remove the previous relationships first!
[4:42] "Group Policy? It is a feature of Windows Server using which admins can install software on all user computers. It can be done remotely without manual intervention. GPO is short for Group Policy" – wondershare.com
Now add a group that you want to control; you can prefix it with the domain to indicate that it is a domain group.
Leave it unprefixed to target the local group (on each computer, including this server if this GPO is a global one).
[5:19] Now let's build the relationships as in the previous demo.
The difference is that these relationships cannot be modified elsewhere without permissions.
[5:52] Now refresh the Group Policy engine on both server and client so the change takes effect immediately.
[5:58] Well done: 'Members' and 'Member Of' are now enforced to match the definition in our Restricted Groups policy.
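To make the enforcement rule concrete, here is an added example (not code from the video) that parses the [Group Membership] section the GPO editor writes into the policy's GptTmpl.inf (under MACHINE\Microsoft\Windows NT\SecEdit in SYSVOL) and simulates what the security client does to a machine's current membership: a configured 'Members' list replaces the membership completely, while 'Member Of' only adds. The LAB domain, the current-membership snapshot and the local account `localhelper` are constructed for the example; the group names are the ones from the demo.

```python
# Added example (not from the video): parse the Restricted Groups section that
# the GPO editor writes into GptTmpl.inf and simulate what the security client
# does to a machine's current membership. Group names follow the demo; the LAB
# domain, the SIDs and the "current" snapshot are constructed for the example.
SAMPLE_GPTTMPL = """
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = LAB\\IT Managers
LAB\\IT Managers__Memberof = *S-1-5-32-544
LAB\\IT Managers__Members = LAB\\Software Managers,LAB\\Hardware Managers
"""

# Constructed snapshot before the GPO applies; *S-1-5-32-544 is the well-known
# SID of the built-in Administrators group.
CURRENT_MEMBERSHIP = {
    "*S-1-5-32-544": {"LAB\\Domain Admins", "localhelper"},
    "LAB\\IT Managers": {"LAB\\Software Managers"},
}

def parse_restricted_groups(inf_text):
    """Return {group: {"members": set|None, "memberof": set|None}}; None means
    not configured, an empty set means configured with no entries (clears it)."""
    policy, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            group, _, kind = key.strip().rpartition("__")
            rule = policy.setdefault(group, {"members": None, "memberof": None})
            rule[kind.lower()] = {e.strip() for e in value.split(",") if e.strip()}
    return policy

def plan_enforcement(policy, current):
    """List (action, account, group) steps the client would apply. 'Members' is
    authoritative: anything not listed is removed, Domain Admins and local
    accounts alike. 'Memberof' only adds the group to the listed groups."""
    actions = []
    for group, rule in policy.items():
        have = current.get(group, set())
        if rule["members"] is not None:
            actions += [("remove", m, group) for m in sorted(have - rule["members"])]
            actions += [("add", m, group) for m in sorted(rule["members"] - have)]
        for target in sorted(rule["memberof"] or ()):
            step = ("add", group, target)
            if group not in current.get(target, set()) and step not in actions:
                actions.append(step)
    return actions
```

Note that the plan removes LAB\Domain Admins from Administrators because the policy did not list it: whatever you want to keep in a group whose 'Members' you configure must be named explicitly.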
[6:15] Keep an eye on my channel to discover other awesome Group Policy and Windows Server stuff!
The next part is about automatic software deployment with Group Policy!