Today we had a very cool problem with a client who was trying to add a service account to a Windows Active Directory Group. the problem was that after the service account was added to the group, it would magically be removed from the group within a few minutes. This magic was driving our client crazy.
What could be removing users from Active Directory groups? …And the answer is Group Policy.
While we have never used Group Policy to set a list of users to be in a group before, we did know that it existed. The question we had was why would anybody want to use Group Policy to add or remove users from groups? And that answer turns out to be security.
If you set group members using Group Policy, instead of the usual Active Directory Users and Computers, you can effectively block low level admins from adding and removing users from high risk security groups like domain admin or enterprise admin.
How To Add / Remove Users From Groups Using Group Policy
CLICK TO EXPAND GRAPHIC
- Launch Group Policy Management Editor
- Right click on the GPO you want to modify, OR create a new GPO from scratch
- Expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
- Right click on the white space, in the right pane, and select ADD GROUP
- Click the BROWSE button and find the group you want to modify
- Click the ADD button
- Click the BROWSE button and add the users/groups you want to be part of the group
NOTE 1: This will clobber any existing entries in the Active Directory group and any changes to that group made using ADUC will be quickly overwritten (undone) by the GPO.
NOTE 2: The group will not change until the next time GPO is sync’d so you can either wait or run a simple GPUPDATE /FORCE in an elevated command window
NOTE 3: After the group has been updated in AD, it will not take effect for those users until after they log off / on. Windows only enumerates a users groups at logon.
NOTE 4: If the GPO is removed, the last set of users in the group in question will remain in that group.