machines.

Using Restricted Groups

Sometimes it’s difficult to keep up with who belongs to a specific group. In Windows
XP/Server 2003, you can use restricted groups to gain better control over membership of
groups. To do so, you create a restricted groups policy. The policy specifies which users
are members of the group. When you apply the policy, only those users allowed in the
policy will be members of the restricted group. This prevents addition of members who
should not be allowed. Only members added in the policy can belong to the group.

Restricted groups are used for local groups on XP workstations and Server 2003 member
servers. The policy is defined and applied via a security template. Here’s how to create a
restricted groups policy:

1. Log on as an administrator.
2. Click Start | Run and enter mmc to open an empty management console.
3. Click File | Add/Remove Snap-ins.
4. In the dialog box, click the Add button.
5. Under Available Standalone Snap-ins, scroll down and select Security
Templates, then click the Add button and then the Close button. Click OK.
6. In the left pane of the MMC, expand the Security Templates node, then expand
the template path folder (for example, c:\WINDOWS\security\tempates), then the
template you want to use (for example, securews for a secure workstation).
7. Right click Restricted Groups and select Add Group.
8. In the dialog box, type the name of the group for which you want to create a
restricted groups policy. Click OK.
9. In the Configure Membership for <group> dialog box, click the Add button to
add members to the group or add groups of which you want this group to be a
member.