Configuring Restricted Groups to manage Computer Local Groups
A great feature of group policies that commonly goes unused is restricted groups. Restricted groups Group Policy settings enable an administrator to manage the membership of local groups on domain member servers and workstations.
Unless the impact is completely understood and desired, never link a group policy with restricted group settings to a domain or a site object because the settings will be inherited by all computers in the domain or site, including domain controllers and Active Directory security groups. Managing Active Directory security groups using Group Policy restricted groups is not supported by Microsoft.
Restricted groups can be used to populate and control ...