Add and remove users to AD groups with Group Policy

Group Policy allows you to add and remove users to an Active Directory (AD) group. Using this feature improves security because you can ensure that high-risk security groups only contain the users that you specify via Group Policy.

To manage the Domain Admins group, you will need Remote Server Administration Tools(RSAT) installed. After installing that, open up the Group Policy Management Console (GPMC) and navigate to the root of your AD forest. Next, right-click and select Create a GPO in this domain, and Link it here… When prompted, assign a descriptive name to this GPO (I’m using Manage Domain Admins, but you can use whatever your standards are in your organization).

Once you have your GPO created and linked to the appropriate location, you will then need to right-click and select Edit to modify your new Group Policy Object. In the new GPO window, we should navigate to the following location:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups

Once in the Restricted Groups section, either right-click in the empty space on the right-hand side or right-click on the Restricted Groups item in the navigation tree. Then select Add Group, and the Add Group dialogue box will display. We select the desired group we want to manage here. In my example, I am using Domain Admins.

We now select OK and then OK again in the Add Group dialogue box. Once you do this, a new dialogue box will open that allows you to add members to this group. There are two options available in this new dialogue box: Members of this group and This group is a member of.

We are going to be using Members of this group. By using this, we are ensuring that specific individuals or accounts are part of the Domain Admins group. This ensures that if someone accidently or maliciously has added an account to the Domain Admins group, the next time Group Policy refreshes (every 90 minutes, with a random offset of 0 to 30 minutes) it will remove those members (unless they have added them via this GPO).

For this example, I have two user accounts I will use. The first is an MSAdministrator and Administrator account I want to be in the Domain Admins group. I will not add the second account named Malicious User here, but I will add it to this group in Active Directory to show the removal process.

For added protection, go to your Manage Domain Admins GPO in the GPMC and navigate to the Delegation tab to restrict who can edit this specific Group Policy Object.

Press OK and close out of all open windows in the Group Policy Management Console. Next, we will add our Malicious User to the Domain Admins group in Active Directory.

Now that we have created our Group Policy in the root of our domain, the next time that Group Policy refreshes, it will remove the Malicious User from the Domain Admins group. This is because we have overwritten or trumped the group membership in Active Directory with our own group members. This ensures that if someone accidently added a user or a malicious actor wanted to gain control of your domain, that user would now need to modify the permissions of our Group Policy Object as well as the group in Active Directory. This adds another layer of protection by making it more difficult for a potential takeover in our environment.

After updating Group Policy (run gpupdate /force if you do not want to wait for the refresh interval), you can view the Domain Admins group in Active Directory. You will see that the system has updated our group members appropriately.

Managing our security and distribution groups via Group Policy adds a level of assurance against accidently adding or removing members from our groups. This allows for better management of these groups, as well as protection against both accidents and malicious attackers that may infiltrate your network.