DO NOT DO IT!
JUST STOP!
DON’T!!!
NO!!!
It is such a bad idea and it isn’t security. You want security, clean up access rights so the wrong people can’t modify the groups in the first place. If you don’t trust your admins, you need to fire them and get admins you do trust.
Here is what Microsoft has to say about it:
Managing membership of Domain Groups by using Restricted Groups
Microsoft does not support using Restricted Groups in this scenario. Restricted Groups is a client configuration means and cannot be used with Domain Groups. Restricted Groups is designed specifically to work with Local Groups. Domain objects have to be managed within traditional AD tools. Therefore, we do not plan currently to add or support using Restricted Groups as a way to manage Domain Groups.
https://support.microsoft.com/en-us/help/279301/description-of-group-policy-restricted-groups
Seriously… Don’t do it.
joe
