Restricted groups, in the Default Domain Group Policy, allow you to define the Members and Member Of properties.
The Members list defines who should/should not belong to the restricted group. The Member Of list specifies which groups the restricted group should belong to.
When a Restricted Group policy is enforced, any current member of a restricted group that is not on the Members list is removed, with the exception of Administrator in the Administrators group. Any user on the Members list who is not currently a member of the restricted group is added.
With Member Of, the Restricted Group is NOT removed from other groups, but it is added if missing.
The Restricted groups policy can enforce membership of built-in or user-defined groups, both Global and Domain Local. When enforced, Restricted groups policy automatically sets any computers local group membership to match the membership list settings defined in the policy, overriding any changes made by the local computer's Administrator.
