How to Implement Restricted Groups in Windows NT

Windows 2000 offers a feature called Restricted Groups, applied via Security Settings in Group Policies, which allows you to control group membership, i.e. restrict it to specific user accounts (and, in addition, restrict the group's membership in other groups). Unfortunately, this feature is not available in Windows NT 4.0. However, with some extra scripting and use of the native Windows NT Schedule service you can get closer to being able to control the membership of groups that are highly sensitive from a security standpoint (e.g. Domain Admins in your account domain).


You will need to create a list of the user accounts that are supposed to be members of the restricted group. I called this file RestrictedList.txt and typed one account name per line.

In this script, I'm using VBScript with Windows Script Host (WSH) and ADSI. The script uses ADSI to read the list of current user accounts in the monitored group, which means that the NT machine on which the script runs will need to have ADSI installed. For the installation files, check  You'll also need WSH, downloadable from

The script reads the content of the file RestrictedList.txt, which contains the list of users that are supposed to be members of the restricted group. This list is compared to the actual group membership, retrieved via ADSI using a GetObject call. In case of a discrepancy between the two, the intruders are removed using the ADSI Remove method, and this fact is logged in a text file with appropriate

This is a trimmed version of the script, without error checking, so make sure all your files are in place.

On Error Resume Next
Const FOR_READING = 1
Const FOR_APPENDING = 8
		'*********** FileSystemObject IOMode values; VBScript does not define these names by default ************
DomainString = "MyDomainName"
		'*********** your domain name here ************
GroupString = "Restricted Group"
		'*********** name of restricted group ************
RLFileName = "RestrictedList.txt"
		'*********** file containing the restricted group userlist ************
RemFileName = "RemList.txt"
		'*********** file containing the list of users removed from the restricted group (for logging) ************
strList = ""
Set GroupObj = GetObject("WinNT://" & DomainString & "/" & GroupString)
		'*********** get the Group object for restricted group from your domain
Set WSHShell = CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
For Each UserObj In GroupObj.Members
	Found = 0
	Set RLFile = FSO.OpenTextFile(RLFileName, FOR_READING, True)
		'*********** reopen the list for every member so reading starts from the first line ************
	Do While (Found = 0) And (Not RLFile.AtEndOfStream)
		strLine = RLFile.ReadLine
		If StrComp(strLine, UserObj.Name, vbTextCompare) = 0 Then
			'*********** case-insensitive comparison, since NT account names are not case-sensitive ************
			Found = 1
		End If
	Loop
	RLFile.Close
	If Found = 0 Then
		'************ the user account should not be in Restricted group *************
		strList = strList & UserObj.Name & vbNewLine
	End If
Next
		'************ remove the intruders in a second pass, so the Members collection
		'************ is not modified while it is still being enumerated *************
For Each strName In Split(strList, vbNewLine)
	If strName <> "" Then
		GroupObj.Remove "WinNT://" & DomainString & "/" & strName
	End If
Next
If FSO.FileExists(RemFileName) Then
	Set RemFile = FSO.OpenTextFile(RemFileName, FOR_APPENDING, True)
Else
	Set RemFile = FSO.CreateTextFile(RemFileName, True)
End If
If strList <> "" Then
		'************ write timestamp and list of removed users to a log file *************
	RemFile.Write CStr(Now) & vbNewLine
	RemFile.Write strList
End If
RemFile.Close
		'************ Cleanup ************
Set RLFile = Nothing
Set GroupObj = Nothing
Set RemFile = Nothing
Set FSO = Nothing
Set WSHShell = Nothing
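To run the check periodically with the NT Schedule service mentioned above, here is an added example of an AT command (not part of the original article); the server name PDC01, the directory C:\Scripts, the script file name Restricted.vbs and the 01:00 run time are assumptions.

```batch
REM Added example, not from the original article: schedule the membership check nightly.
REM Assumed: the script and its two text files are kept in C:\Scripts on server PDC01.
REM The scheduled job does not start in the script's directory, so change into it first;
REM otherwise RestrictedList.txt and RemList.txt are looked up in the wrong place.
at \\PDC01 01:00 /every:M,T,W,Th,F,S,Su cmd /c "cd /d C:\Scripts && cscript //nologo Restricted.vbs"
```

Review the RemList.txt log on the server after the first few runs to confirm that only the expected accounts were removed.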

