Restricted Groups policy
You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. In addition, the reverse membership configuration option ensures that each Restricted Group is a member of only those groups specified in the Member Of column.
For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.
There are two ways to apply Restricted Groups policy:
Define the policy in a security template which will be applied during configuration on your local computer or when you import the security template to a Group Policy object.
Define the setting on a Group Policy object directly which would mean the policy would go into effect with the next refresh of policy. The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes.
If a Restricted Groups policy is defined and Group Policy is refreshed, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators.
Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers.
Managing Security Templates
Create a Restricted Groups policy
Difference in default security settings