Computer Configuration\Windows Settings\Security Settings\Restricted Groups
Restricted groups allow an administrator to define two properties for security-sensitive groups (that is, "restricted" groups).
The two properties are Members and Member Of . The Members list defines who should and should not belong to the restricted group. The Member Of list specifies which other groups the restricted group should belong to.
When a restricted Group Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list which is not currently a member of the restricted group is added.
The Restricted Groups folder is available only in Group Policy objects associated with domains, OUs, and sites. The Restricted Groups folder does not appear in the Local Computer Policy object.
If a Restricted Group is defined such that it has no members (that is, the Members list is empty), then all members of the group are removed when the policy is enforced on the system. If the Member Of list is empty no changes are made to any groups that the restricted group belongs to. In short, an empty Members list means the restricted group should have no members while an empty Member Of list means "don't care" what groups the restricted group belongs to.