Updated4797351

This commit is contained in:
nimishasatapathy 2021-01-20 16:56:10 +05:30
parent c8798b2ab5
commit 2356919bc8


@ -82,7 +82,7 @@ Available in Windows 10, version 20H2. This policy setting allows IT admins to a
> >
> Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. > Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.
Here's an example of the policy definition XML for group configuration: Here is an example of the policy definition XML for group configuration:
```xml ```xml
<GroupConfiguration> <GroupConfiguration>
@ -104,7 +104,9 @@ where:
- `<remove member>`: Specifies the SID or name of the member to remove from the specified group. - `<remove member>`: Specifies the SID or name of the member to remove from the specified group.
> [!NOTE] > [!NOTE]
> When specifying member names of domain accounts, use fully qualified account names where possible (for example, domain_name\user_name) instead of isolated names (for example, group_name). This way, you can avoid getting ambiguous results when users or groups with the same name exist in multiple domains and locally. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. > When specifying member names of the user accounts, you must use following format AzureAD/userUPN. For example, "AzureAD/user1@contoso.com" or "AzureAD/user2@contoso.co.uk".
For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy.
for more information, see [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea).
See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles.
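Review bot: the rewritten note gives the account format as `AzureAD/userUPN` with a forward slash (`"AzureAD/user1@contoso.com"`), but the examples added in the next region of this same change write `AzureAD\bob@contoso.com` with a backslash; pick one separator and use it in both places, or anyone copying the note's format will get a name that never resolves. The replacement also drops the previous guidance to use fully qualified domain account names (`domain_name\user_name`) so that lookups are not ambiguous when the same name exists in several domains and locally, yet Example 3 below still adds an on-premises group as `Contoso\ITAdmins` on a hybrid-joined device, so that sentence is still needed next to the new Azure AD format. The trailing line `for more information, see [LookupAccountNameA function](...)` starts in lowercase and no longer says what it is giving more information about; attach it to the domain-account sentence, for example `For details on how names are resolved, see [LookupAccountNameA function](...)`.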
@ -121,35 +123,51 @@ See [Use custom settings for Windows 10 devices in Intune](https://docs.microsof
**Examples** **Examples**
Example 1: Update action for adding and removing group members. Example 1: AAD focused.
The following example shows how you can update a local group (**Backup Operators**)—add a domain group as a member using its name (**Contoso\ITAdmins**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**). The following example updates the built-in administrators group with AAD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444. On an AAD joined machines**.
```xml
<GroupConfiguration>
<accessgroup desc = "Administrators">
<group action = "U" />
<add member = "AzureAD\bob@contoso.com"/>
<add member = "S-1-12-1-111111111-22222222222-3333333333-4444444444"/>
</accessgroup>
</GroupConfiguration>
```
Example 2: Replace / Restrict the built-in administrators group with an AAD user account.
> [!NOTE]
> When using R replace option to configure the built-in Administrators group, it is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group.
Example:
```xml
<GroupConfiguration>
<accessgroup desc = "Administrators">
<group action = "R" />
<add member = "AzureAD\bob@contoso.com"/>
<add member = "Administrator"/>
</accessgroup>
</GroupConfiguration>
```
Example 3: Update action for adding and removing group members on a hybrid joined machine.
The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
```xml ```xml
<GroupConfiguration> <GroupConfiguration>
<accessgroup desc = "Backup Operators"> <accessgroup desc = "Administrators">
<group action = "U" /> <group action = "U" />
<add member = "Contoso\ITAdmins"/> <add member = "Contoso\ITAdmins"/>
<add member = "S-1-5-32-544"/>
<add member = "S-1-12-1-111111111-22222222222-3333333333-4444444444"/> <add member = "S-1-12-1-111111111-22222222222-3333333333-4444444444"/>
<remove member = "Guest"/> <remove member = "Guest"/>
</accessgroup> </accessgroup>
</GroupConfiguration> </GroupConfiguration>
``` ```
Example 2: Restrict action for replacing the group membership.
The following example shows how you can restrict a local group (**Backup Operators**)—replace its membership with the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids) and add a local account (**Guest**).
```xml
<GroupConfiguration>
<accessgroup desc = "Backup Operators">
<group action = "R" />
<add member = "S-1-5-32-544"/>
<add member = "Guest"/>
</accessgroup>
</GroupConfiguration>
```
<!--/Example--> <!--/Example-->
<!--Validation--> <!--Validation-->
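Review bot: the note under Example 2 should state what the `R` action actually does, since the removed Example 2 text above described it as replacing the group's membership: every current member of Administrators that is not listed in an `<add member>` line is removed, so the account used to manage the device must be listed too, and a mistyped `AzureAD\...` UPN leaves `Administrator` as the only member. Without that sentence the requirement to "always specify the administrator as a member" reads as a quirk rather than a lockout risk. Wording in the same region: `Example 1: AAD focused.` is not a description of what the example does; the sentence after it has a misplaced bold span (`**S-1-12-1-...-4444444444. On an AAD joined machines**.`) and `On an AAD joined machines` is a fragment, so write `... and an Azure AD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**) on an Azure AD joined device.`; in Example 3, `a AAD group` should be `an Azure AD group`.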
@ -157,6 +175,16 @@ The following example shows how you can restrict a local group (**Backup Operato
<!--/Policy--> <!--/Policy-->
<hr/> <hr/>
> [!NOTE]
>
When AAD group SIDs are added to local groups, during AAD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
- Administrators
- Users
- Guests
- Power Users
- Remote Desktop Users
- Remote Management Users
## FAQs ## FAQs
This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP. This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP.
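Review bot: the added `> [!NOTE]` is followed by an empty `>` line and then unquoted text, so the note renders empty and the sentence plus the group list appear as plain body text outside it; prefix the sentence and each bullet with `> `. The sentence should also spell out the consequence for the reader: an Azure AD group SID added to a local group not in this list (the `Backup Operators` group the examples removed in this change used, or a custom group) is accepted by the policy but is not evaluated at Azure AD logon, so members of that Azure AD group do not receive the local group's rights. Finally, `during AAD account logon privileges are evaluated` reads more clearly as `privileges are evaluated during Azure AD account logon`.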
@ -223,10 +251,69 @@ To troubleshoot Name/SID lookup APIs:
```cmd ```cmd
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force
``` ```
```xml
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">
<xs:simpleType name="name">
<xs:restriction base="xs:string">
<xs:maxLength value="255" />
</xs:restriction>
</xs:simpleType>
<xs:element name="accessgroup">
<xs:complexType>
<xs:sequence>
<xs:element name="group" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>Group Configuration Action</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="action" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="add" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group Member to Add</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="member" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="remove" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group Member to Remove</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="member" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="property" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group property to configure</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="desc" type="name" use="required"/>
<xs:attribute name="value" type="name" use="required"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="desc" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="GroupConfiguration">
<xs:complexType>
<xs:sequence>
<xs:element name="accessgroup" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Local Group Configuration</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
```
Footnotes: Footnotes:
- 9 - Available in Windows 10, version 20H2. Available in Windows 10, version 20H2
<!--/Policies--> <!--/Policies-->
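Review bot: in the added XSD, the `accessgroup` element declared inside `GroupConfiguration` is a second, local declaration with no `type` or `ref`, so it defaults to `xs:anyType` and the global `accessgroup` definition above (with its `group`, `add`, `remove` and `property` children) is never applied when a `<GroupConfiguration>` document is validated; change it to `<xs:element ref="accessgroup" minOccurs="0" maxOccurs="unbounded"/>` and move its annotation to the global declaration. Two smaller points: `action` is typed as `name` (any string up to 255 characters) although the page only documents `U` and `R`, so an `xs:restriction` with `xs:enumeration` values for those two would catch typos at authoring time; and the `property` element with `desc`/`value` attributes is introduced here but is not described in the `where:` list earlier on the page. The schema block is also inserted with no heading or lead-in sentence between the troubleshooting command and `Footnotes:`; add one line saying this is the schema the policy value is validated against. Unrelated to this change, the surrounding `Set-ItemProperty` snippet is PowerShell but fenced as `cmd`.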