At first you right click on Restricted Groups and select “Add Group”.
What you get is the default window to choose a group, either from your domain or maybe from your local computer depending on what configuration you want.
Now you have two different choices of what you want to do with the group you selected. Either you use “Members of this group” or “This group is a member of”. The differences of these choices are big so I explain in two steps.
Members of this group
This is the choice you make when you want to add users to a group. What you select here is what you will see on your computers affected by this policy. So if you for example want to add a user to the local admin group on the computers then don’t forget to add administrator also or the administrator account will be removed from the local administrators group on the computers.
This group is a member of
This choice you can use if you want to add your selected group into another group. So what you can tell is that this is the opposite of what you defined in choice 1 described above. This is also not something that will override any other configuration you have done. So if you in first choice selected “Authenticated Users” and with this option select that it will be added to the “Administrators group” any other user you might have added to the group (manually perhaps) won’t be overwritten by this choice.
To summarize this it’s fairly easy to use Restricted Groups and it’s also the easiest way to add/remove users in groups and you can control it in a much better way than you ever can doing this manually. If you are doing this manually today it’s time to stop and using the right way instead.