From 7d8440a5ab5d7d2cd5bdcf50f1897c3a1da581e3 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 5 May 2020 17:21:02 -0700 Subject: [PATCH 1/5] Added policy timeline --- .../mdm/policy-csp-restrictedgroups.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 8053b57d73..8f1b817cf8 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -154,6 +154,19 @@ The member SID can be a user account or a group in AD, Azure AD, or on the local +## Policy timeline + +The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For the latest release of Windows 10, you can use name or SID for both the elements as described in this topic. + +The following table provides the timeline of this policy setting and describes its behavior in different Windows 10 versions: + +| Windows 10 version | Policy behavior | +| ------------------ | --------------- | +|Windows 10, version 1803 | Added the RestrictedGroups policy setting in Windows 10, version 1803.
XML accepts group and member only by name.
Supports configuring the administrators group using the group name.
Expects member name to be in the account name format. | +| Windows 10, version 1809
Windows 10, version 1903
Windows 10, version 1909 | Supports configuring any local group.
`` accepts only name.
`` accepts a name or an SID.
This is useful when you want to ensure a certain local group always has a well known SID as member. | +| The latest release of Windows 10 | Behaves as described in this topic.
Accepts name or SID for group and members and translates as appropriate. | + +
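Review bot: In the added "Policy timeline" intro, the sentence covering version 1809 through version 1909 says you can use a name in the group element and "SID in" the member element, but the table row for the same versions says the member element "accepts a name or an SID". The two statements should agree; an administrator who reads only the paragraph would conclude that member names are rejected on those builds. Suggest rewording the intro to match the table row. The first table row also repeats "in Windows 10, version 1803" inside a row that is already labelled with that version.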
From 614666dda642189ce370fbd6ca364a8af4c0d125 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 6 May 2020 11:26:06 -0700 Subject: [PATCH 2/5] More updates --- .../mdm/policy-csp-restrictedgroups.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 8f1b817cf8..50b2d50015 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -8,14 +8,14 @@ ms.technology: windows author: manikadhiman ms.localizationpriority: medium ms.date: 04/07/2020 - ms.reviewer: manager: dansimp --- # Policy CSP - RestrictedGroups - +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -154,15 +154,15 @@ The member SID can be a user account or a group in AD, Azure AD, or on the local -## Policy timeline +### Policy timeline -The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For the latest release of Windows 10, you can use name or SID for both the elements as described in this topic. +The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For the latest release of Windows 10, you can use name or SID for both the elements, as described in this topic. -The following table provides the timeline of this policy setting and describes its behavior in different Windows 10 versions: +The following table describes how this policy setting behaves in different Windows 10 versions: | Windows 10 version | Policy behavior | | ------------------ | --------------- | -|Windows 10, version 1803 | Added the RestrictedGroups policy setting in Windows 10, version 1803.
XML accepts group and member only by name.
Supports configuring the administrators group using the group name.
Expects member name to be in the account name format. | +|Windows 10, version 1803 | Added this policy setting.
XML accepts group and member only by name.
Supports configuring the administrators group using the group name.
Expects member name to be in the account name format. | | Windows 10, version 1809
Windows 10, version 1903
Windows 10, version 1909 | Supports configuring any local group.
`` accepts only name.
`` accepts a name or an SID.
This is useful when you want to ensure a certain local group always has a well known SID as member. | | The latest release of Windows 10 | Behaves as described in this topic.
Accepts name or SID for group and members and translates as appropriate. | From 264706df1a857ae0c4ceab0624cc76dc623c7e5e Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 7 May 2020 13:35:50 -0700 Subject: [PATCH 3/5] Added dev feedback --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 50b2d50015..a6b2c093d8 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -145,8 +145,7 @@ Here's an example: ``` where: - `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. -- `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for ``. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure. -The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. +- `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. For best results, use SID for ``. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. - In this example, `Group1` and `Group2` are local groups on the device being configured. > [!Note] @@ -179,5 +178,6 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in the next major release of Windows 10. From d9ad5352f74402c6fefc754894c32a94423d78bd Mon Sep 17 00:00:00 2001 
From: ManikaDhiman Date: Thu, 7 May 2020 13:59:34 -0700 Subject: [PATCH 4/5] minor update --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index a6b2c093d8..1f05b67536 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -178,6 +178,5 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. -- 7 - Added in the next major release of Windows 10. From 38c8ffe57d828083029de698ac8a1c541632384d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 11 May 2020 16:53:32 -0700 Subject: [PATCH 5/5] Grammar fixes --- .../client-management/mdm/policy-csp-restrictedgroups.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 1f05b67536..3b7a445092 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -15,7 +15,7 @@ manager: dansimp # Policy CSP - RestrictedGroups > [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> Some information in this article relates to prereleased products, which may be substantially modified before they are commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -86,7 +86,7 @@ For example, you can create a Restricted Groups policy to allow only specified u > |----------|----------|----------|----------| > | 0x55b (Hex)
1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | -Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. +Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group and should be used with caution. ```xml @@ -162,7 +162,7 @@ The following table describes how this policy setting behaves in different Windo | Windows 10 version | Policy behavior | | ------------------ | --------------- | |Windows 10, version 1803 | Added this policy setting.
XML accepts group and member only by name.
Supports configuring the administrators group using the group name.
Expects member name to be in the account name format. | -| Windows 10, version 1809
Windows 10, version 1903
Windows 10, version 1909 | Supports configuring any local group.
`` accepts only name.
`` accepts a name or an SID.
This is useful when you want to ensure a certain local group always has a well known SID as member. | +| Windows 10, version 1809
Windows 10, version 1903
Windows 10, version 1909 | Supports configuring any local group.
`` accepts only name.
`` accepts a name or an SID.
This is useful when you want to ensure a certain local group always has a well-known SID as member. | | The latest release of Windows 10 | Behaves as described in this topic.
Accepts name or SID for group and members and translates as appropriate. |
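Review bot: In patch 2/5, hunk @@ -8,14 +8,14 @@, the new [!WARNING] block says "Some information relates to prereleased products" without saying which information; from the lines visible in this series, the likely candidate is the "The latest release of Windows 10" behavior. Suggest naming the affected behavior in the warning, or placing the warning next to the timeline table, so readers deploying to version 1809 through version 1909 can tell which statements describe shipped behavior. The `ms.date: 04/07/2020` context line is also left unchanged although the commit is dated 6 May 2020.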
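Review bot: In patch 2/5, hunk @@ -154,15 +154,15 @@, the rewritten intro sentence and the last table row both keep the label "The latest release of Windows 10", which carries no version number and changes meaning with every new release. Suggest replacing it with the version number in both places once it is known. The heading also changes from `## Policy timeline` to `### Policy timeline`, which nests the timeline under whatever section precedes it; please confirm that is intended.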
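Review bot: In patch 3/5, hunk @@ -145,8 +145,7 @@, the rewritten member bullet says a name is converted to "the corresponding SID using the LookupAccountSID API", while the unchanged bullet above it says an SID is converted to the local group name with LookupAccountName. The two API names and their links look swapped: LookupAccountName maps a name to a SID and LookupAccountSid maps a SID to a name. Suggest swapping them in both bullets. The same edit deletes "(**Note:** This doesn't query Azure AD)" and the sentence explaining that groups can be renamed and that account name lookups are limited to AD/local machine, which was the only stated reason behind "For best results, use SID"; consider keeping that rationale, since the bullet still says the member can be an account in Azure AD.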
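Review bot: In patch 5/5, hunk @@ -86,7 +86,7 @@, the edited sentence still describes the outcome only as "implies clearing the access group and should be used with caution", which is easy to miss in running prose for a setting that can target a privileged local group. Since the line is being touched anyway, suggest stating the effect directly (if it means every existing member of the configured group is removed, say so) and moving it into a callout in the same `> [!WARNING]` style the article already uses.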