In any Active Directory domain-based architecture, some groups are created by administrators and many others are created by default as soon as Active Directory services are installed on Windows Server 2008. In either case, adding users to a group is a simple task that anyone with administrative privileges can do in very little time. In small organizations this configuration is fine and needs no further adjustment; in medium to large organizations, however, administrators may want to add an extra layer of security by restricting group membership. With the Restricted Groups Group Policy setting, administrators can specify which members a group may contain and which groups the selected group may itself be a member of. As an administrator, you can configure this by following the steps below:
1. Ensure that you are logged on to the domain controller with domain admin privileges.
2. Open Group Policy Management Console from Administrative Tools on the Start menu.
3. Right-click the name of the domain for which you want to configure the new group policy described above.
4. From the menu that appears, click the Create a GPO in this domain and Link it here option.
5. In the box that opens, specify the name of the new GPO and click the OK button to create it.
6. Right-click the newly created GPO and, from the menu that appears, click Edit.
7. In the snap-in that opens, under Computer Configuration expand Policies > Windows Settings > Security Settings and right-click Restricted Groups.
8. On the menu that appears, click Add Group and, in the box that appears, browse for and add the group.
9. Once done, the properties box of the selected group is displayed. Click the Add button under the Members of this group section to select the users and/or groups that you want to make members of the selected group.
10. Click the OK button to save the changes, then at a command prompt type gpupdate /force to update the settings.
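
To check after step 10 that the setting was saved as intended, the added example below (not part of the original article) parses the [Group Membership] section that Restricted Groups writes to the GPO's GptTmpl.inf and compares its Members list with an observed membership. The sample file content, the SIDs and the function names are constructed for illustration.

```python
# Constructed sample of the [Group Membership] section of a GptTmpl.inf.
# All SIDs below are made up for illustration.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1105
"""


def parse_restricted_groups(inf_text):
    """Return {group: {"members": set, "memberof": set}} from the INF text."""
    policy, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep:
            continue  # not a <group>__Members / <group>__Memberof entry
        sids = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
        policy.setdefault(group.lstrip("*"), {})[kind.lower()] = sids
    return policy


def audit_members(policy, actual):
    """Compare observed membership with each configured Members list."""
    findings = {}
    for group, rules in policy.items():
        allowed = rules.get("members")
        if not allowed:
            continue  # simplification: groups with no Members list are skipped
        current = actual.get(group, set())
        findings[group] = {
            "unexpected": sorted(current - allowed),  # not permitted by the GPO
            "missing": sorted(allowed - current),     # policy not yet applied
        }
    return findings


if __name__ == "__main__":
    # Hypothetical snapshot of the real group, e.g. exported from the DC.
    observed = {"S-1-5-32-544": {"S-1-5-21-1111-2222-3333-512",
                                 "S-1-5-21-1111-2222-3333-1199"}}
    print(audit_members(parse_restricted_groups(SAMPLE_INF), observed))
```

An entry under "unexpected" is an account that the Members list does not permit; an entry under "missing" is a configured member that the policy has not yet added.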