From 2356919bc80192a62ca2172ca69eb524d06916a2 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 20 Jan 2021 16:56:10 +0530 Subject: [PATCH] Updated4797351 --- .../mdm/policy-csp-localusersandgroups.md | 127 +++++++++++++++--- 1 file changed, 107 insertions(+), 20 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 38ef9aa0b9..d898c1a985 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -82,7 +82,7 @@ Available in Windows 10, version 20H2. This policy setting allows IT admins to a > > Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. -Here's an example of the policy definition XML for group configuration: +Here is an example of the policy definition XML for group configuration: ```xml 
@@ -104,7 +104,9 @@ where: - ``: Specifies the SID or name of the member to remove from the specified group. > [!NOTE] - > When specifying member names of domain accounts, use fully qualified account names where possible (for example, domain_name\user_name) instead of isolated names (for example, group_name). This way, you can avoid getting ambiguous results when users or groups with the same name exist in multiple domains and locally. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. + > When specifying member names of the user accounts, you must use following format – AzureAD/userUPN. For example, "AzureAD/user1@contoso.com" or "AzureAD/user2@contoso.co.uk". +For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy. +for more information, see [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea). See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. 
@@ -121,35 +123,51 @@ See [Use custom settings for Windows 10 devices in Intune](https://docs.microsof **Examples** -Example 1: Update action for adding and removing group members. +Example 1: AAD focused. -The following example shows how you can update a local group (**Backup Operators**)—add a domain group as a member using its name (**Contoso\ITAdmins**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**). +The following example updates the built-in administrators group with AAD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444. On an AAD joined machines**. + +```xml + + + + + + + +``` + +Example 2: Replace / Restrict the built-in administrators group with an AAD user account. + +> [!NOTE] +> When using ‘R’ replace option to configure the built-in ‘Administrators’ group, it is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group. + +Example: +```xml + + + + + + + +``` +Example 3: Update action for adding and removing group members on a hybrid joined machine. + +The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. ```xml - + - ``` -Example 2: Restrict action for replacing the group membership. 
-The following example shows how you can restrict a local group (**Backup Operators**)—replace its membership with the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids) and add a local account (**Guest**). - -```xml - - - - - - - -``` @@ -157,6 +175,16 @@ The following example shows how you can restrict a local group (**Backup Operato
+> [!NOTE] +> +When AAD group SID’s are added to local groups, during AAD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: + +- Administrators +- Users +- Guests +- Power Users +- Remote Desktop Users +- Remote Management Users ## FAQs This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP. @@ -223,10 +251,69 @@ To troubleshoot Name/SID lookup APIs: ```cmd Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force ``` - +```xml + + + + + + + + + + + + Group Configuration Action + + + + + + + + Group Member to Add + + + + + + + + Group Member to Remove + + + + + + + + Group property to configure + + + + + + + + + + + + + + + + Local Group Configuration + + + + + + +``` Footnotes: -- 9 - Available in Windows 10, version 20H2. +Available in Windows 10, version 20H2
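Review bot: In the @@ -104,7 hunk the rewritten note drops the existing guidance on fully qualified domain account names (`domain_name\user_name`) even though Example 3 in this same patch still adds an AD domain group by name (**Contoso\ITAdmins**) on a hybrid joined device, so that guidance is still needed; keep the original sentence and add the Azure AD format as a second bullet or sentence. The new wording "When specifying member names of the user accounts, you must use following format – AzureAD/userUPN" reads as a rule for all user accounts, but local accounts such as Guest (removed in Example 3) do not take the `AzureAD/` prefix; scope it to Azure AD user accounts and fix the grammar ("the following format"). The two added lines "+For adding Azure AD groups, you need to specify the Azure AD Group SID..." and "+for more information, see [LookupAccountNameA function]..." are not prefixed with `>`, so they fall outside the `[!NOTE]` callout and render as ordinary paragraphs; the second one also starts lowercase and, with the `#remarks` anchor and the ambiguity sentence removed, no longer says what the LookupAccountNameA link is "more information" about. Suggest prefixing both lines with `> ` and restoring the anchor and the sentence it supports.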
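Review bot: In the @@ -121,35 hunk the bold markup in Example 1 is broken: "+...an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444. On an AAD joined machines**." closes the bold after the next sentence, and that sentence is ungrammatical; suggest "...with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an Azure AD joined device." The new title "Example 1: AAD focused." is far less descriptive than the title it replaces ("Update action for adding and removing group members"); give each example a title that names the action and the join type, in parallel with Example 3 ("Update action for adding and removing group members on a hybrid joined machine"). In the Example 2 note, replace the curly quotes around ‘R’ and ‘Administrators’ with straight backticks, spell out "the built-in Administrator account plus any other custom members" instead of "the administrator as a member + any other custom members", and drop the bare "Example:" label since the example title already precedes it. Example 3 still has "add a AAD group" ("an Azure AD group") and the page now mixes "AAD", "Azure AD", "machine" and "device"; pick one term for each. Also add a blank line between the closing ``` of Example 2 and the "Example 3:" line so the fence and the paragraph are separated.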
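Review bot: In the @@ -157,6 hunk the note body is outside the callout: "+> [!NOTE]" and "+>" are followed by "+When AAD group SID’s are added to local groups..." with no `>` prefix, so the callout renders empty and the sentence and list that follow become plain text. Prefix the sentence (and, if the list should sit inside the note, each list item) with `> `. While there, "SID’s" should be "SIDs", and "during AAD account logon privileges are evaluated only for the following well-known groups" is hard to parse; suggest "when an Azure AD account signs in, group membership is evaluated only for the following well-known groups on a Windows 10 device:".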
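Review bot: In the @@ -223,10 hunk the large ```xml block ("Group Configuration Action", "Group Member to Add", "Group Member to Remove", "Group property to configure", "Local Group Configuration") is inserted directly after the LspDbgInfoLevel troubleshooting command with no heading or sentence saying what it is, so a reader of the troubleshooting steps lands on an unexplained policy definition. Add a lead sentence naming what the block is (it reads as the policy definition/schema rather than a troubleshooting step) and consider moving it next to the "Here is an example of the policy definition XML for group configuration" section where the earlier XML lives. The footnote change replaces "- 9 - Available in Windows 10, version 20H2." with the bare line "Available in Windows 10, version 20H2", dropping the footnote number, the list formatting and the trailing period; unless the superscript reference to footnote 9 elsewhere on the page was also removed, this leaves a dangling reference. Keep the original "- 9 - ..." line under "Footnotes:".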