They are not a group type but is a security policy to enforce group
membership on domain computers under the scope of influence of the policy.
For instance you could create an Organizational Unit and add a Group Policy
Object to that OU to implement restricted groups. Then you could configure
it for instance for administrators and add just the domain admins group.
That would insure that the domain admins group remains in the local
administrators group on those domain computers and if other users or groups
are added they will be removed when security policy is refreshed. --- Steve
