8.5. Restricted Groups
With a special security-related Group Policy function, you can use Restricted Groups to strictly control the following tasks:
The membership of security groups that you create in Active Directory
The security group membership on groups created on member machines (workstations or servers)
The security groups that are nested within each other
You might want to strictly control these security groups or nestings to make sure that users in other areas of Active Directory, say, other domain administrators, don't inadvertently add someone to a group that shouldn't be there. Here are some practical uses of this technology:
Ensure that the domain's Backup Operators group contains only Sally and Joe.
Ensure that the local Administrators ...