Restricted Groups policies allow you to control the membership of sensitive groups through Group Policy rather than through traditional group membership editing tools such as Active Directory Users and Computers or PowerShell.

The benefit of using Restricted Groups policies is that group membership is reset each time Group Policy refreshes. Thus, if for some reason a user is added to a sensitive group where they should not have been, the next Group Policy refresh resets that group's membership to the approved list.

Restricted Groups are configured through the Restricted Groups node of a Windows Server 2003 or Windows Server 2008 Group Policy object. These policies are primarily used at the domain level; at the local level, you can use Group Policy Preferences to configure them instead.
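As an added example (not from the original post), the following PowerShell check reads the Restricted Groups entries from a GPO's GptTmpl.inf and reports current domain-group members who are not on the approved list, i.e. the accounts the next policy refresh will remove. The SYSVOL path placeholder and the use of the ActiveDirectory module are assumptions; only `__Members` entries (the replace-membership form) are checked, not the additive `__Memberof` form.

```powershell
# Added example: audit drift between a Restricted Groups policy and live group membership.
# Assumed: the GPO GUID in the path is a placeholder; the ActiveDirectory module is installed.
param(
    [string]$GptTmplPath = '\\contoso.example\SYSVOL\contoso.example\Policies\{GPO-GUID-PLACEHOLDER}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
)

Import-Module ActiveDirectory

# Parse the [Group Membership] section. Keys look like "<group>__Members";
# values are comma-separated names or SIDs, with SIDs prefixed by "*".
$policy    = @{}
$inSection = $false
foreach ($line in Get-Content -Path $GptTmplPath) {
    if ($line -match '^\[(.+)\]\s*$') {
        $inSection = ($Matches[1] -eq 'Group Membership')
        continue
    }
    if (-not $inSection) { continue }
    if ($line -match '^(.+?)__Members\s*=\s*(.*)$') {
        $group    = $Matches[1].Trim().TrimStart('*')
        $approved = $Matches[2] -split ',' |
            ForEach-Object { ($_.Trim().TrimStart('*') -split '\\')[-1] } |  # drop "*" and DOMAIN\
            Where-Object { $_ }
        $policy[$group] = @($approved)
    }
}

# Compare each governed group's current members (by SID, SamAccountName or Name)
# against the approved list and emit the members that policy does not allow.
foreach ($group in $policy.Keys) {
    $approved = $policy[$group]
    foreach ($member in Get-ADGroupMember -Identity $group) {
        $ids = @($member.SID.Value, $member.SamAccountName, $member.Name)
        $allowed = $ids | Where-Object { $approved -contains $_ }
        if (-not $allowed) {
            [pscustomobject]@{
                Group            = $group
                UnapprovedMember = $member.SamAccountName
                SID              = $member.SID.Value
            }
        }
    }
}
```

Run it on a schedule shorter than the Group Policy refresh interval and alert on any output; an unexpected row is a change someone made outside the approved process, and the refresh will silently undo it without telling you who did it.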

The following screencast demonstrates how to use a Restricted Groups policy, and also shows what happens when a user account that is not on the list of authorized members for a particular group is added to that group and a policy refresh then occurs.