Windows 2000 offers a feature called Restricted Groups, applied through Security Settings in Group Policy, which lets you control group membership, i.e. restrict it to specific user accounts (and, in addition, restrict which other groups the group may be a member of). Unfortunately, this feature is not available in Windows NT 4.0. However, with some extra scripting and the native Windows NT Schedule service you can get close to controlling the membership of groups that are highly sensitive from a security standpoint (e.g. Domain Admins in your account domain). The approach below is reactive rather than preventive: an account added to the group stays there until the next scheduled run, so the scheduling interval bounds the exposure window.
You will need to create a list of the user accounts that are supposed to be members of the restricted group. The script expects this file to be named RestrictedList.txt, with one account name per line. Note that this file is now the effective access control list for the group: anyone who can edit it can put themselves (or keep themselves) in the group, so protect it with NTFS permissions at least as tightly as the group itself.
The script is written in VBScript and uses Windows Script Host and ADSI. It reads the current membership of the monitored group through ADSI, which means the NT machine on which it runs must have ADSI installed. For the installation files, check http://www.microsoft.com/ntserver/nts/downloads/other/adsi25/. You will also need WSH, downloadable from http://msdn.microsoft.com/library/default.asp?url=/downloads/list/webdev.asp
The script reads the content of the file RestrictedList.txt, which contains the list of users that are supposed to be members of the restricted group. This list is compared to the actual group membership, which is retrieved through ADSI with a GetObject call on the group's WinNT:// path. Any member that is not on the list is removed using the ADSI Remove method, and the removal is written to a text log file together with a timestamp.

This is a trimmed version of the script, without error checking, so make sure all your files are in place before you schedule it. In particular, because it runs under On Error Resume Next, a failed ADSI bind or a failed Remove does not stop the script or show up in the log.
On Error Resume Next

Const FOR_READING = 1
Const FOR_WRITING = 2
Const FOR_APPENDING = 8

DomainString = "MyDomainName"       '*********** your domain name here ************
GroupString = "Restricted Group"    '*********** name of restricted group ************
RLFileName = "RestrictedList.txt"   '*********** file containing the restricted group userlist ************
RemFileName = "RemList.txt"         '*********** file containing the list of users removed from the restricted group (for logging) ************
strList = ""

Set WSHShell = CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")

'*********** a missing list must not be treated as an empty list: OpenTextFile with
'*********** create=True would silently create one and every member would be removed
If Not FSO.FileExists(RLFileName) Then
    WScript.Quit 1
End If

Set GroupObj = GetObject("WinNT://" & DomainString & "/" & GroupString) '*********** get the Group object for restricted group from your domain

For Each UserObj In GroupObj.Members
    Found = 0
    Set RLFile = FSO.OpenTextFile(RLFileName, FOR_READING, True)
    Do While (Found = 0) And (Not RLFile.AtEndOfStream)
        strLine = RLFile.ReadLine
        If StrComp(strLine, UserObj.Name, 1) = 0 Then   '*********** case-insensitive match on account name
            Found = 1
        End If
    Loop
    If Found = 0 Then '************ the user account should not be in Restricted group *************
        strList = strList + UserObj.Name + vbNewLine
        '************ remove the user from the group; using the member's own ADsPath rather than
        '************ rebuilding it from DomainString also covers members from trusted domains *************
        GroupObj.Remove UserObj.ADsPath
    End If
    RLFile.Close
Next

If FSO.FileExists(RemFileName) Then
    Set RemFile = FSO.OpenTextFile(RemFileName, FOR_APPENDING, True)
Else
    Set RemFile = FSO.CreateTextFile(RemFileName, True)
End If

If strList <> "" Then '************ write timestamp and list of removed users to a log file *************
    RemFile.Write (CStr(Now) + vbNewLine)
    RemFile.Write (strList)
    RemFile.WriteBlankLines (1)
End If

'************ Cleanup ************
RemFile.Close

Set RLFile = Nothing
Set GroupObj = Nothing
Set RemFile = Nothing
Set FSO = Nothing
Set WSHShell = Nothing
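The following is an added example, not the article's script, showing a more defensive version of the same check. It goes beyond the original in four ways: the allow-list is loaded once into a Dictionary and matched against each member's full ADsPath (so a same-named account from a trusted domain does not pass), the script refuses to run when the list is missing or empty instead of emptying the group, listed accounts that have gone missing are reported as well, and a /report switch lets you see what would be removed before the scheduled job is armed. The domain name MYDOMAIN, the group name, the file names AllowedMembers.txt and Enforce.log and the /report switch are all this example's own assumptions.

```vbscript
' Added example (not the article's code): fail-safe enforcement of a restricted
' group's membership on Windows NT 4.0 through the ADSI WinNT provider.
' Usage:  cscript //nologo EnforceGroup.vbs          (enforce)
'         cscript //nologo EnforceGroup.vbs /report  (log only, change nothing)
Option Explicit
On Error Resume Next

Const FOR_READING = 1, FOR_APPENDING = 8

Dim DomainName, GroupName, ListFile, LogFile, ReportOnly
DomainName = "MYDOMAIN"             ' assumption: your account domain
GroupName  = "Domain Admins"        ' assumption: the group to protect
ListFile   = "AllowedMembers.txt"   ' assumption: one account per line, DOMAIN\name or bare name
LogFile    = "Enforce.log"          ' assumption: log file name
ReportOnly = False
If WScript.Arguments.Count > 0 Then
    If LCase(WScript.Arguments(0)) = "/report" Then ReportOnly = True
End If

Dim FSO, Log
Set FSO = CreateObject("Scripting.FileSystemObject")
Set Log = FSO.OpenTextFile(LogFile, FOR_APPENDING, True)

Sub LogLine(msg)
    Log.WriteLine CStr(Now) & " " & msg
End Sub

' Normalise a list entry to the lower-cased ADsPath the WinNT provider reports
' for a member: "OTHERDOM\jsmith" -> "winnt://otherdom/jsmith", "jsmith" gets
' DomainName. The lower-cased form is used only as a dictionary key.
Function ToKey(entry)
    Dim e: e = Trim(entry)
    If InStr(e, "\") > 0 Then e = Replace(e, "\", "/") Else e = DomainName & "/" & e
    ToKey = LCase("WinNT://" & e)
End Function

' 1. Load the allow-list once. Fail safe: a missing or empty list must never
'    mean "remove everybody"; abort and leave a log entry instead.
Dim Allowed: Set Allowed = CreateObject("Scripting.Dictionary")
If Not FSO.FileExists(ListFile) Then
    LogLine "ABORT: allow-list " & ListFile & " not found"
    WScript.Quit 2
End If
Dim f, line
Set f = FSO.OpenTextFile(ListFile, FOR_READING)
Do Until f.AtEndOfStream
    line = Trim(f.ReadLine)
    If line <> "" And Left(line, 1) <> "#" Then        ' blank and # lines are ignored
        If Not Allowed.Exists(ToKey(line)) Then Allowed.Add ToKey(line), line
    End If
Loop
f.Close
If Allowed.Count = 0 Then
    LogLine "ABORT: allow-list " & ListFile & " is empty"
    WScript.Quit 2
End If

' 2. Bind to the group and snapshot its members, keyed by lower-cased ADsPath
'    but keeping the original path (the "WinNT:" prefix is case-sensitive).
Err.Clear
Dim Grp: Set Grp = GetObject("WinNT://" & DomainName & "/" & GroupName & ",group")
If Err.Number <> 0 Then
    LogLine "ABORT: cannot bind to group " & GroupName & ": " & Err.Description
    WScript.Quit 2
End If
Dim Current: Set Current = CreateObject("Scripting.Dictionary")
Dim m
For Each m In Grp.Members
    If Not Current.Exists(LCase(m.ADsPath)) Then Current.Add LCase(m.ADsPath), m.ADsPath
    If LCase(m.Class) = "group" Then LogLine "NOTE: nested group member " & m.ADsPath
Next

' 3. Remove (or, in report mode, just log) every member that is not on the list.
Dim key
For Each key In Current.Keys
    If Not Allowed.Exists(key) Then
        If ReportOnly Then
            LogLine "UNEXPECTED " & Current(key)
        Else
            Err.Clear
            Grp.Remove Current(key)
            If Err.Number = 0 Then
                LogLine "REMOVED " & Current(key)
            Else
                LogLine "REMOVE FAILED " & Current(key) & ": " & Err.Description
            End If
        End If
    End If
Next

' 4. Report listed accounts that are no longer members; this is not silently
'    repaired, because an admin vanishing from the group also deserves a look.
For Each key In Allowed.Keys
    If Not Current.Exists(key) Then LogLine "MISSING " & Allowed(key)
Next
Log.Close
```

Run it with /report from an interactive session first and check Enforce.log; only once the log shows nothing unexpected should the job be scheduled with the Schedule service (for example at 02:00 /every:M,T,W,Th,F,S,Su "cscript //nologo C:\Scripts\EnforceGroup.vbs"). The job has to run on a machine and under an account that can modify the group, and the script, the list file and the log should be readable and writable only by that account and the administrators who maintain them.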
Marcin Policht obtained his Master of Computer Science degree about 20 years ago and has since been working in the Information Technology field, handling a variety of responsibilities but focusing primarily on identity and access management, virtualization, system management and, more recently, private, hybrid and public cloud services. He has authored the first book dedicated to Windows Management Instrumentation and co-written several others dealing with subjects ranging from core operating system features to high-availability solutions. His articles have been published on such Web sites as ServerWatch.com and DatabaseJournal.com. For his contributions to the Microsoft technical community, he has been awarded the title of Microsoft MVP over the last ten years.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved