From 3e341922b4d1dd26c283a7720564b818edca9bfe Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 8 Oct 2020 16:51:49 -0700 Subject: [PATCH 01/17] Added content --- .../mdm/policy-csp-localusersandgroups.md | 214 ++++++++++++++++++ 1 file changed, 214 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-localusersandgroups.md diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md new file mode 100644 index 0000000000..4b24a8b44c --- /dev/null +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -0,0 +1,214 @@ +--- +title: Policy CSP - LocalUsersAndGroups +description: Policy CSP - LocalUsersAndGroups +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 10/08/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - LocalUsersAndGroups + + +
+ + +## LocalUsersAndGroups policies + +
+
+ LocalUsersAndGroups/Configure +
+
+ + +
+ + +**LocalUsersAndGroups/Configure** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark4
Businesscheck mark4
Enterprisecheck mark4
Educationcheck mark4
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +The RestrictedGroups/ConfigureGroupMembership policy setting allows administrators to configure members (users or AAD groups) to a Windows 10 local group. However, RG policy has a limitation that it only allows for a full replace of the existing groups with the new members and does not allow selective add/remove. This limitation causes scalability issues for Intune to implement the policy in its current format. In addition, it restricts customers from enabling scenarios and attain parity with on-premises group management. As a result, this policy limitation delays the GA of the local admin rights scenario for AAD Joined devices. + +On-premises AD offers more flexibility in managing local groups using the Local Users and Groups (LUG) GPP. RG GPO is not meant to provide granularity in selectively removing existing members or adding new ones. Enabling capabilities in LUG GPP into RG MDM policy would create confusion for customers who’re accustomed to the on-premises polices and preferences, and how they’re used. So, it’s beneficial in the long-term to build a new MDM policy that provides customers granularity for managing local users and groups from the cloud, instead of overriding the RG policy. In addition, this new policy allows for further improvements without altering the meaning of the RG policy. + +This policy setting allows administrators to manage local groups on a device. + + +```xml + + + + + + + + + + + + Group Configuration Action + + + + + + + + Group Member to Add + + + + + + + + Group Member to Remove + + + + + + + + Group property to configure + + + + + + + + + + + + + + + + Local Group Configuration + + + + + + +``` + + +This policy setting has two top level actions: + +- Update represented by U +- Replace represented R +We can have 2 verbs - Add Member, Remove Member for specific local group - to modify local group setting + +Add member and Remove member can use an Azure AD SID or the user's name. 
For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using Graph API for Groups. The SID is present in the attribute "securityIdentifier". + + + +Example to add and remove group members + +```xml + + + + + + + + + +Example to replace group membership + +```xml + + + + + + + + +``` +Action Consequences + +U: Update Group: Add/Remove specified members. + +o Add Member = contains name or SID + +o Remove Member = contains name or SID (remove wins if a sid is specified in both due to order of processing + +o MemberOf / group nesting can be achieved by specifying the group in Add Member of another group + +§ ‘R’ : Replace group membership provides the same functionality as Restricted Groups. + +§ Replace operation takes precedence over Update. Thus, if a group appears twice in the XML, once with ‘U’ and once with ‘R’ , Replace wins. This is behaviour in parity with on prem. + +§ Remove member is not valid for ‘R’ Replace operation and will be ignored if present. + +§ The list given in the XML is processed in the order given with the exception of ‘R’ actions which get processed last to ensure they win. That also means that if a group is present multiple times with different add/remove values, all of them will processed in the order of presence. + + + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + From 9c0263424bcffc148283206e95143847950b99ff Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 9 Oct 2020 16:25:41 -0700 Subject: [PATCH 02/17] Added new policy --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policy-csp-localusersandgroups.md | 131 ++++++------------ 2 files changed, 40 insertions(+), 92 deletions(-) diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 201773d50c..731994549a 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -267,6 +267,7 @@ #### [LanmanWorkstation](policy-csp-lanmanworkstation.md) #### [Licensing](policy-csp-licensing.md) #### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md) +#### [LocalUsersAndGroups](policy-csp-localusersandgroups.md) #### [LockDown](policy-csp-lockdown.md) #### [Maps](policy-csp-maps.md) #### [Messaging](policy-csp-messaging.md) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 4b24a8b44c..ad23d974f1 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -44,19 +44,19 @@ manager: dansimp Pro - check mark4 + check mark9 Business - check mark4 + check mark9 Enterprise - check mark4 + check mark9 Education - check mark4 + check mark9 
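Review bot: In the patch 01/17 hunk that creates policy-csp-localusersandgroups.md, the first example code block (opened right after `Example to add and remove group members`) is never closed, so the `Example to replace group membership` heading and its own xml fence render inside the first block; add the closing fence before the second example here rather than in patch 02/17, which currently carries that fix. The `Action Consequences` list also needs cleanup: `o Remove Member = contains name or SID (remove wins if a sid is specified in both due to order of processing` has no closing parenthesis, `- Replace represented R` is missing "by", `all of them will processed in the order of presence` is missing "be", and the `o` and `§` glyphs are Word paste residue that should be markdown `-` bullets. Finally, the two opening paragraphs about Intune scalability, the RG GPO and delaying "the GA of the local admin rights scenario" are internal motivation rather than customer guidance and should be cut down to one sentence on what the policy does, and `ms.reviewer:` in the front matter is left empty.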
@@ -73,86 +73,48 @@ manager: dansimp -The RestrictedGroups/ConfigureGroupMembership policy setting allows administrators to configure members (users or AAD groups) to a Windows 10 local group. However, RG policy has a limitation that it only allows for a full replace of the existing groups with the new members and does not allow selective add/remove. This limitation causes scalability issues for Intune to implement the policy in its current format. In addition, it restricts customers from enabling scenarios and attain parity with on-premises group management. As a result, this policy limitation delays the GA of the local admin rights scenario for AAD Joined devices. +This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. -On-premises AD offers more flexibility in managing local groups using the Local Users and Groups (LUG) GPP. RG GPO is not meant to provide granularity in selectively removing existing members or adding new ones. Enabling capabilities in LUG GPP into RG MDM policy would create confusion for customers who’re accustomed to the on-premises polices and preferences, and how they’re used. So, it’s beneficial in the long-term to build a new MDM policy that provides customers granularity for managing local users and groups from the cloud, instead of overriding the RG policy. In addition, this new policy allows for further improvements without altering the meaning of the RG policy. - -This policy setting allows administrators to manage local groups on a device. +> [!NOTE] +> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. 
+Here's an example of the policy definition XML for group configuration: ```xml - - - - - - - - - - - - Group Configuration Action - - - - - - - - Group Member to Add - - - - - - - - Group Member to Remove - - - - - - - - Group property to configure - - - - - - - - - - - - - - - - Local Group Configuration - - - - - - + + + + + + + + + ``` + +where: + +- ``: Specifies the name or SID of the local group to configure. +- ``: Specifies the action to take on the local group, which can be Update and Replace, represented by U and R: + - Update. This action must be used to keep the current group membership intact and add or remove members of the specific group. + - Replace. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as that of the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting. +- ``: Specifies the SID or name of the member to configure. +- ``: Specifies the SID or name of the member to remove from the specified group. +- ``: (Optional and not supported currently). This element is reserved for the future use to update group properties, such as group name as part of an update action. + +> [!IMPORTANT] +> - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using Graph API for Groups. The SID is present in the `securityIdentifier` attribute. +> - This policy setting does not support the MemberOf functionality. However, you can add a domain group as a member to a local group by specifying the group in `` of another group. +> - The R (Replace) action takes precedence over U (Update). Therefore, if a group appears twice in the XML, once with U and again with R, the R action wins. +> - Remove member is not valid for the R (Replace) action and will be ignored if present. 
+> - The list in the XML is processed in the given order with the exception of R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order of presence. + -This policy setting has two top level actions: - -- Update represented by U -- Replace represented R -We can have 2 verbs - Add Member, Remove Member for specific local group - to modify local group setting - -Add member and Remove member can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using Graph API for Groups. The SID is present in the attribute "securityIdentifier". -Example to add and remove group members +**Example: Add and remove group members** ```xml @@ -163,8 +125,9 @@ Example to add and remove group members +``` -Example to replace group membership +**Example: Replace group membership** ```xml 
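Review bot: In the patch 02/17 hunk at `@@ -73,86 +73,48 @@`, the Replace bullet says the action is used `to replace current membership with the newly specified groups`; what is listed are members (users or groups), so this should read "with the newly specified members" or readers will assume only groups can be supplied. The bullet marked `(Optional and not supported currently). This element is reserved for the future use` documents an element the policy does not process; either drop it from the published page or state what happens when it is present (ignored, or the group rejected). The IMPORTANT bullet `This policy setting does not support the MemberOf functionality. However, you can add a domain group as a member to a local group` is the right place to also say that the local group itself cannot be made a member of anything through this policy, since that is what "MemberOf" would mean to a Group Policy Preferences user.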
@@ -176,23 +139,6 @@ Example to replace group membership ``` -Action Consequences - -U: Update Group: Add/Remove specified members. - -o Add Member = contains name or SID - -o Remove Member = contains name or SID (remove wins if a sid is specified in both due to order of processing - -o MemberOf / group nesting can be achieved by specifying the group in Add Member of another group - -§ ‘R’ : Replace group membership provides the same functionality as Restricted Groups. - -§ Replace operation takes precedence over Update. Thus, if a group appears twice in the XML, once with ‘U’ and once with ‘R’ , Replace wins. This is behaviour in parity with on prem. - -§ Remove member is not valid for ‘R’ Replace operation and will be ignored if present. - -§ The list given in the XML is processed in the order given with the exception of ‘R’ actions which get processed last to ensure they win. That also means that if a group is present multiple times with different add/remove values, all of them will processed in the order of presence. @@ -210,5 +156,6 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 10 - Available in Windows 10, version 2010. From 445dfb7769cec7febbe060cd176780ceb9a6a71c Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 9 Oct 2020 16:34:41 -0700 Subject: [PATCH 03/17] minor update --- .../client-management/mdm/policy-csp-localusersandgroups.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index ad23d974f1..a35238bce5 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md 
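Review bot: The footnote added in the `@@ -210,5 +156,6 @@` hunk of patch 02/17 reads `+- 10 - Available in Windows 10, version 2010.`, but the support table changed earlier in the same patch cites superscript 9 (`check mark9`), so the marker points at a footnote that does not exist; number the footnote 9 in this patch (patch 06/17 makes exactly that correction and should be squashed into this one).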
@@ -114,7 +114,8 @@ where: -**Example: Add and remove group members** +**Examples** +The following is an example of the Update action for adding and removing group members: ```xml @@ -127,7 +128,7 @@ where: ``` -**Example: Replace group membership** +The following is an example of the Replace action for replacing the group membership: ```xml From 2a24a63919219209e1afe32f2daad4dfba66de07 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 9 Oct 2020 16:35:21 -0700 Subject: [PATCH 04/17] minor update --- windows/client-management/mdm/policy-csp-localusersandgroups.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index a35238bce5..d7592b04d9 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -115,6 +115,7 @@ where: **Examples** + The following is an example of the Update action for adding and removing group members: ```xml From 8e7fb0a6d6e7654fed297b1938e5244b4b03cea4 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 9 Oct 2020 16:42:48 -0700 Subject: [PATCH 05/17] minor update --- .../client-management/mdm/policy-csp-localusersandgroups.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index d7592b04d9..16f2270f38 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -116,7 +116,7 @@ where: **Examples** -The following is an example of the Update action for adding and removing group members: +The following is an example XML for the Update action to add and remove group members: ```xml 
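Review bot: In the patch 03/17 hunk `@@ -114,7 +114,8 @@`, `+**Examples**` is immediately followed by `+The following is an example of the Update action for adding and removing group members:` with no blank line between them, so rendered markdown appends the sentence to the bold heading in one paragraph; add the blank line here (patch 04/17 is a one-line fix that does only this and should be squashed into 03/17). The per-example run-in headings from patch 02/17 (`**Example: Add and remove group members**`, `**Example: Replace group membership**`) already served as headings, so consider keeping that form instead of a generic heading followed by sentences.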
@@ -129,7 +129,7 @@ The following is an example of the Update action for adding and removing group m ``` -The following is an example of the Replace action for replacing the group membership: +The following is an example XML for the Replace action to replace the group membership: ```xml From 2114878464c89ec5e8b83686815e7c7ef02505b3 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 9 Oct 2020 16:52:19 -0700 Subject: [PATCH 06/17] Updated footnote --- windows/client-management/mdm/policy-csp-localusersandgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 16f2270f38..6071b02812 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -158,6 +158,6 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. -- 10 - Available in Windows 10, version 2010. +- 9 - Available in Windows 10, version 2010. From c2f95f39581eb21f50676ed330bf486ceeba8fe7 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 9 Oct 2020 17:00:35 -0700 Subject: [PATCH 07/17] Minor update --- .../client-management/mdm/policy-csp-localusersandgroups.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 6071b02812..cf1c048025 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -116,7 +116,7 @@ where: **Examples** -The following is an example XML for the Update action to add and remove group members: +Update action for adding and removing group members: ```xml 
@@ -129,7 +129,7 @@ The following is an example XML for the Update action to add and remove group me ``` -The following is an example XML for the Replace action to replace the group membership: +Replace action for replacing the group membership: ```xml From 9019f40b5cd2e0f9ce6ff75a1bcf7a877290cc3f Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 12 Oct 2020 14:36:15 -0700 Subject: [PATCH 08/17] Added feedback --- .../mdm/policy-csp-localusersandgroups.md | 106 ++++++++++++++---- .../mdm/policy-csp-restrictedgroups.md | 2 + 2 files changed, 86 insertions(+), 22 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index cf1c048025..1a6f501761 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md 
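Review bot: Patches 05/17 and 07/17 rewrite the same two lead-in lines of the examples section in opposite directions (`The following is an example XML for the Update action to add and remove group members:` in 05/17 becomes `Update action for adding and removing group members:` in 07/17, and likewise for the Replace example), with the 06/17 footnote renumbering sandwiched between them; please squash this wording churn so the series is reviewable per change rather than per sentence.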
@@ -81,33 +81,31 @@ This policy setting allows IT admins to add, remove, or replace members of local Here's an example of the policy definition XML for group configuration: ```xml - - - - - - - - - + + + + + + + ``` where: -- ``: Specifies the name or SID of the local group to configure. -- ``: Specifies the action to take on the local group, which can be Update and Replace, represented by U and R: +- ``: Specifies the name or SID of the local group to configure. If you specify a SID, the [LookupAccountSid](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API is used to translate the SID to a valid group name. If you specify a name, the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API is used to look up the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing. +- ``: Specifies the action to take on the local group, which can be Update and Restrict, represented by U and R: - Update. This action must be used to keep the current group membership intact and add or remove members of the specific group. - - Replace. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as that of the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting. + - Restrict. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting. - ``: Specifies the SID or name of the member to configure. - ``: Specifies the SID or name of the member to remove from the specified group. 
-- ``: (Optional and not supported currently). This element is reserved for the future use to update group properties, such as group name as part of an update action. + +See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. > [!IMPORTANT] -> - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using Graph API for Groups. The SID is present in the `securityIdentifier` attribute. -> - This policy setting does not support the MemberOf functionality. However, you can add a domain group as a member to a local group by specifying the group in `` of another group. -> - The R (Replace) action takes precedence over U (Update). Therefore, if a group appears twice in the XML, once with U and again with R, the R action wins. -> - Remove member is not valid for the R (Replace) action and will be ignored if present. -> - The list in the XML is processed in the given order with the exception of R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order of presence. +> - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](https://docs.microsoft.com/graph/api/resources/group?view=graph-rest-1.0#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute. +> - When specifying a SID in the `` or ``, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct. +> - Remove member is not valid for the R (Restrict) action and will be ignored if present. 
+> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order of presence. @@ -116,10 +114,9 @@ where: **Examples** -Update action for adding and removing group members: +Example: Update action for adding and removing group members: ```xml - @@ -129,10 +126,9 @@ Update action for adding and removing group members: ``` -Replace action for replacing the group membership: +Example: Restrict action for replacing the group membership: ```xml - @@ -148,6 +144,72 @@ Replace action for replacing the group membership:
+## FAQs + +### What happens if I accidentally remove the built-in Administrator SID from the Administrators group? + +Removing the built-in Administrator account from the built-in Administrators group is blocked at SAM/OS level for security reasons. Attempting to do so will result in failure with the following error: + +| Error Code | Symbolic Name | Error Description | Header | +|----------|----------|----------|----------| +| 0x55b (Hex)
1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | + +When configuring the built-in Administrators group with the R (Restrict) action, specify the built-in Administrator account SID/Name in `` to avoid this error. + +### Can I add a member that already exists? + +Yes, you can add a member that is already a member of a group. + +### Can I remove a member if it isn't a member of the group? + +Yes, you can remove a member even if it isn't a member of the group. + +### How can I add a domain group as a member to a local group? + +To add a domain group as a member to a local group, specify the domain group in `` of the local group. + +### Can I apply more than one LocalUserAndGroups policy/XML to the same device? + +No, this is not allowed. Attempting to do so will result in a conflict in Intune. + +### What happens if I specify a group name that doesn't exist? + +Invalid group names or SIDs will be skipped. Valid parts of the policy will apply, and error will be returned at the end of the processing. This behavior aligns with the on-prem AD GPP (Group Policy Preferences) LocalUsersAndGroups policy. Similarly, invalid member names will be skipped, and error will be returned at the end to notify that not all settings were applied successfully. + +### What happens if I specify R and U in the same XML? + +If you specify both R and U in the same XML, the R (Restrict) action takes precedence over U (Update). Therefore, if a group appears twice in the XML, once with U and again with R, the R action wins. + +### How do I check the result of a policy that is applied on the client device? + +After a policy is applied on the client device, you can investigate the event log to review the result: + +1. Open Event Viewer (**eventvwr.exe**). +2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise- +Diagnostics-Provider** > **Admin**. +3. 
Search for the `LocalUsersAndGroups` string to review the relevant details. + +### How can I troubleshoot Name/SID lookup APIs? + +To troubleshoot Name/SID lookup APIs: + +1. Enable **lsp.log** on the client device by running the following commands: + + ```cmd + Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x800 -Type dword -Force + + Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x1 -Type dword -Force + ``` + + The **lsp.log** file (**C:\windows\debug\lsp.log**) will be displayed. This log file tracks the SID-Name resolution. + +2. Turn the logging off by running the following command: + + ```cmd + Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force + ``` + + Footnotes: - 1 - Available in Windows 10, version 1607. diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 67cb225555..c3abcd5e81 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -14,6 +14,8 @@ manager: dansimp # Policy CSP - RestrictedGroups +> [!IMPORTANT] +> It is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group.
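Review bot: The new IMPORTANT bullet in the `@@ -81,33 +81,31 @@` hunk of patch 08/17, `member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct`, should spell out the consequence for the admin: an add entry with a mistyped or stale SID is written into the local group as an unresolved SID with no error, and since the FAQ in the same patch says a member can be removed even if it isn't a member of the group, a mistyped SID in a remove entry leaves the intended account in place and is silently accepted. Suggest telling admins to copy the Graph `securityIdentifier` value verbatim rather than retyping it, and to confirm the resulting membership in the `DeviceManagement-Enterprise-Diagnostics-Provider` Admin event log that the FAQ points to, because this is the one place where a wrong value degrades security without any failure signal.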
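Review bot: In the `@@ -148,6 +144,72 @@` FAQ hunk, the answer on removing the built-in Administrator from Administrators says the attempt `will result in failure with the following error` (0x55b, ERROR_SPECIAL_ACCOUNT) but not whether the remaining entries in the XML still apply; the bullet earlier in this patch that says `If name/SID lookup fails, the group is skipped and the next group in the XML file is processed` covers lookup failures only, so state here whether the same skip-and-continue behaviour holds for this SAM rejection and that the error is what surfaces at the end of processing. Further points in the same hunk: the heading `### Can I apply more than one LocalUserAndGroups policy/XML to the same device?` drops the s from LocalUsersAndGroups; the log path `**DeviceManagement-Enterprise- Diagnostics-Provider**` is split across two lines inside the bold markers and must be one token, `DeviceManagement-Enterprise-Diagnostics-Provider`; the two lsp.log code blocks are fenced as `cmd` but `Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel ...` is PowerShell, so fence them as powershell and say they need an elevated prompt; the enable step sets both `LspDbgInfoLevel` and `LspDbgTraceOptions`, yet `Turn the logging off` resets only `LspDbgInfoLevel`, so either reset both or say why the trace option can stay set; and `The lsp.log file (C:\windows\debug\lsp.log) will be displayed` should read "is written to", since nothing opens it.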
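Review bot: In the policy-csp-restrictedgroups.md hunk `@@ -14,6 +14,8 @@`, the link text `[LocalUsersandGroups](policy-csp-localusersandgroups.md)` lower-cases "and" while the policy and page title are `LocalUsersAndGroups`; match the casing. Since the new page's FAQ says applying more than one LocalUsersAndGroups XML to a device is a conflict, this IMPORTANT note should also say what happens when RestrictedGroups and LocalUsersAndGroups are both applied to the same device, not only that one of them is recommended.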
From 332fd77e726cb1243f4002d8a68d00fb31077633 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 12 Oct 2020 14:54:26 -0700 Subject: [PATCH 09/17] Added minor updates --- .../mdm/policy-csp-localusersandgroups.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 1a6f501761..8ecc007352 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -14,6 +14,8 @@ manager: dansimp # Policy CSP - LocalUsersAndGroups +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -92,7 +94,7 @@ Here's an example of the policy definition XML for group configuration: where: -- ``: Specifies the name or SID of the local group to configure. If you specify a SID, the [LookupAccountSid](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API is used to translate the SID to a valid group name. If you specify a name, the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API is used to look up the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing. +- ``: Specifies the name or SID of the local group to configure. If you specify a SID, the [LookupAccountSid](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API is used to translate the SID to a valid group name. If you specify a name, the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API is used to lookup the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing. - ``: Specifies the action to take on the local group, which can be Update and Restrict, represented by U and R: - Update. This action must be used to keep the current group membership intact and add or remove members of the specific group. - Restrict. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting. 
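Review bot: The only change in the `@@ -92,7 +94,7 @@` hunk of patch 09/17 is `look up the group` becoming `lookup the group`, which is a regression: "lookup" is the noun (as in `name/SID lookup` later in the same sentence) and the verb is "look up"; drop this hunk.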
@@ -104,8 +106,8 @@ See [Use custom settings for Windows 10 devices in Intune](https://docs.microsof > [!IMPORTANT] > - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](https://docs.microsoft.com/graph/api/resources/group?view=graph-rest-1.0#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute. > - When specifying a SID in the `` or ``, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct. -> - Remove member is not valid for the R (Restrict) action and will be ignored if present. -> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order of presence. +> - `` is not valid for the R (Restrict) action and will be ignored if present. +> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present. From 79f9bf062a38e82512203b520b02af2345ef096b Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 13 Oct 2020 10:26:19 -0700 Subject: [PATCH 10/17] More dev feedback --- .../mdm/policy-csp-localusersandgroups.md | 35 ++++++++++--------- .../mdm/policy-csp-restrictedgroups.md | 3 +- 2 files changed, 21 insertions(+), 17 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 8ecc007352..b4c718472b 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md 
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -75,16 +75,18 @@ manager: dansimp -This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. +Available in Windows 10, version 2010. This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. > [!NOTE] > The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. +> +> Starting from Windows 10, version 2010, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. Here's an example of the policy definition XML for group configuration: ```xml - + @@ -101,6 +103,9 @@ where: - ``: Specifies the SID or name of the member to configure. - ``: Specifies the SID or name of the member to remove from the specified group. + > [!NOTE] + > When specifying member names of domain accounts, use fully qualified account names where possible (for example, domain_name\user_name) instead of isolated names (for example, group_name). Doing so prevents getting ambiguous results when users or groups with the same name exist in multiple domains and locally. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. + See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. > [!IMPORTANT] 
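Review bot: In the `@@ -75,16 +75,18 @@` hunk of patch 10/17, the sentence added to the NOTE, `it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy`, sits inside policy-csp-localusersandgroups.md itself, so the link sends readers back to the page they are on; it reads as copied from the RestrictedGroups page. Keep the useful part (`Applying both the policies to the same device is unsupported and may yield unpredictable results`), drop the self-link, and fix the `LocalUsersandGroups` casing to match the page title.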
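Review bot: In the `@@ -101,6 +103,9 @@` hunk, the new NOTE's examples are mismatched: it recommends `fully qualified account names where possible (for example, domain_name\user_name) instead of isolated names (for example, group_name)`, pairing a user example with a group example; use `domain_name\group_name` and `group_name` (as the FAQ answer later in this patch does) or give both the user and the group form.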
@@ -116,19 +121,25 @@ See [Use custom settings for Windows 10 devices in Intune](https://docs.microsof **Examples** -Example: Update action for adding and removing group members: +Example: Update action for adding and removing group members. + +The following example shows how you can update a local group (**Backup Operators**), add a domain group as a member using its name (**Contoso\ITAdmins**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), add a AAD group by its SID (**S-1-5-32-678909-99338456-74654332**), and remove a local account (**Guest**). ```xml - + + + ``` -Example: Restrict action for replacing the group membership: +Example: Restrict action for replacing the group membership. + +The following example shows how you can restrict a local group (**Backup Operators**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), and add a local account (**Guest**). ```xml 
@@ -160,15 +171,15 @@ When configuring the built-in Administrators group with the R (Restrict) action, ### Can I add a member that already exists? -Yes, you can add a member that is already a member of a group. +Yes, you can add a member that is already a member of a group. This will result in no changes to the group and no error. ### Can I remove a member if it isn't a member of the group? -Yes, you can remove a member even if it isn't a member of the group. +Yes, you can remove a member even if it isn't a member of the group. This will result in no changes to the group and no error. ### How can I add a domain group as a member to a local group? -To add a domain group as a member to a local group, specify the domain group in `` of the local group. +To add a domain group as a member to a local group, specify the domain group in `` of the local group. Use fully qualified account names (for example, domain_name\group_name) instead of isolated names (for example, group_name) for the best results. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. ### Can I apply more than one LocalUserAndGroups policy/XML to the same device? @@ -214,14 +225,6 @@ To troubleshoot Name/SID lookup APIs: Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. - 9 - Available in Windows 10, version 2010. diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index c3abcd5e81..b840169332 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md 
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -15,7 +15,8 @@ manager: dansimp # Policy CSP - RestrictedGroups > [!IMPORTANT] -> It is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. +> Starting from Windows 10, version 2010, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results. +
From 4b35add1f5f430df9e2c7fa9663b8fd42e5b4672 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 13 Oct 2020 10:41:40 -0700 Subject: [PATCH 11/17] more updates --- .../client-management/mdm/policy-csp-localusersandgroups.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index b4c718472b..df63868bf6 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -80,7 +80,7 @@ Available in Windows 10, version 2010. This policy setting allows IT admins to a > [!NOTE] > The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. > -> Starting from Windows 10, version 2010, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. +> Starting from Windows 10, version 2010, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. Here's an example of the policy definition XML for group configuration: @@ -145,7 +145,7 @@ The following example shows how you can restrict a local group (**Backup Operato - + From 79c126b57deb5c5f19d07abf5627561fffe3a59e Mon Sep 17 00:00:00 2001 
From: ManikaDhiman Date: Tue, 13 Oct 2020 10:48:39 -0700 Subject: [PATCH 12/17] minor update --- windows/client-management/mdm/policy-csp-localusersandgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index df63868bf6..23c7e11095 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -104,7 +104,7 @@ where: - ``: Specifies the SID or name of the member to remove from the specified group. > [!NOTE] - > When specifying member names of domain accounts, use fully qualified account names where possible (for example, domain_name\user_name) instead of isolated names (for example, group_name). Doing so prevents getting ambiguous results when users or groups with the same name exist in multiple domains and locally. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. + > When specifying member names of domain accounts, use fully qualified account names where possible (for example, domain_name\user_name) instead of isolated names (for example, group_name). This way, you can avoid getting ambiguous results when users or groups with the same name exist in multiple domains and locally. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. From de9da5d2a587e3943ec3856a16d62fe127706dfa Mon Sep 17 00:00:00 2001 
From: ManikaDhiman Date: Tue, 13 Oct 2020 11:03:30 -0700 Subject: [PATCH 13/17] minor update --- windows/client-management/mdm/policy-csp-localusersandgroups.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 23c7e11095..9c6fbf6968 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -159,6 +159,8 @@ The following example shows how you can restrict a local group (**Backup Operato ## FAQs +This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP. + ### What happens if I accidentally remove the built-in Administrator SID from the Administrators group? Removing the built-in Administrator account from the built-in Administrators group is blocked at SAM/OS level for security reasons. Attempting to do so will result in failure with the following error: From 430c7f3203447987b329f261c9d0eae814a1161e Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 14 Oct 2020 12:06:02 -0700 Subject: [PATCH 14/17] Added final review comments --- .../mdm/policy-csp-localusersandgroups.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 9c6fbf6968..c3d3514c3d 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 10/08/2020 +ms.date: 10/14/2020 ms.reviewer: manager: dansimp --- 
@@ -123,7 +123,7 @@ See [Use custom settings for Windows 10 devices in Intune](https://docs.microsof Example: Update action for adding and removing group members. -The following example shows how you can update a local group (**Backup Operators**), add a domain group as a member using its name (**Contoso\ITAdmins**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), add a AAD group by its SID (**S-1-5-32-678909-99338456-74654332**), and remove a local account (**Guest**). +The following example shows how you can update a local group (**Backup Operators**)—add a domain group as a member using its name (**Contoso\ITAdmins**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**). ```xml @@ -131,7 +131,7 @@ The following example shows how you can update a local group (**Backup Operators - +
@@ -139,7 +139,7 @@ The following example shows how you can update a local group (**Backup Operators Example: Restrict action for replacing the group membership. -The following example shows how you can restrict a local group (**Backup Operators**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), and add a local account (**Guest**). +The following example shows how you can restrict a local group (**Backup Operators**)—replace its membership with the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids) and add a local account (**Guest**). ```xml @@ -173,7 +173,7 @@ When configuring the built-in Administrators group with the R (Restrict) action, ### Can I add a member that already exists? -Yes, you can add a member that is already a member of a group. This will result in no changes to the group and no error. +Yes, you can add a member that is already a member of a group. This will result in no changes to the group and no error. ### Can I remove a member if it isn't a member of the group? From bd26603880a30247ebbfe0cfa104910eef271670 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 14 Oct 2020 12:25:28 -0700 Subject: [PATCH 15/17] minor change to trigger build --- windows/client-management/mdm/policy-csp-localusersandgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index c3d3514c3d..77a2e774dc 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 10/14/2020 +ms.date: 10/13/2020 ms.reviewer: manager: dansimp --- 
From a2556154620fb0bd1510b24758d7cfa0387587d6 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 14 Oct 2020 12:44:12 -0700 Subject: [PATCH 16/17] Minor update --- .../client-management/mdm/policy-csp-localusersandgroups.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 77a2e774dc..c39ea8c4a3 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -121,7 +121,7 @@ See [Use custom settings for Windows 10 devices in Intune](https://docs.microsof **Examples** -Example: Update action for adding and removing group members. +Example 1: Update action for adding and removing group members. The following example shows how you can update a local group (**Backup Operators**)—add a domain group as a member using its name (**Contoso\ITAdmins**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**). @@ -137,7 +137,7 @@ The following example shows how you can update a local group (**Backup Operators ``` -Example: Restrict action for replacing the group membership. +Example 2: Restrict action for replacing the group membership. The following example shows how you can restrict a local group (**Backup Operators**)—replace its membership with the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids) and add a local account (**Guest**). From f8f4e9a5c2b818167d0ae9da94016b110152aca9 Mon Sep 17 00:00:00 2001 
From: ManikaDhiman Date: Wed, 14 Oct 2020 16:49:00 -0700 Subject: [PATCH 17/17] Minor update to trigger build --- windows/client-management/mdm/policy-csp-localusersandgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index c39ea8c4a3..a192f2c35f 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 10/13/2020 +ms.date: 10/14/2020 ms.reviewer: manager: dansimp ---
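Review bot: In the tail of PATCH 09 (hunk `@@ -104,8 +106,8`), the sentence "The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win" leaves the practical consequence implicit: if the same group appears once with a U action that adds members and once with an R action, the R entry runs last and the earlier adds are discarded, even though the U entry appeared first in the file. State that outcome in one sentence, since an admin reading "processed in the given order" will otherwise expect the U adds to survive. The companion bullet "member SIDs are added without attempting to resolve them" is the right caveat to keep; consider pairing it with the securityIdentifier lookup from the first bullet as the recommended way to obtain a SID rather than typing one by hand.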
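Review bot: PATCH 10 hunk `@@ -75,16 +75,18` introduces "Available in Windows 10, version 2010", and the same wording is repeated in the policy-csp-restrictedgroups.md hunk `@@ -15,7 +15,8` ("Starting from Windows 10, version 2010"). "2010" is not a Windows 10 release identifier: the YYMM scheme ended with version 2004, and the October 2020 feature update is version 20H2. Fix the version string in both files (and in footnote 9, see the footnotes hunk) before this merges, otherwise readers will search for a release that does not exist. Minor wording in the same two hunks: "Starting from" reads better as "Starting in", and "Applying both the policies" as "Applying both policies".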
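Review bot: PATCH 10 hunk `@@ -101,6 +103,9` adds a NOTE whose example pair does not match: the fully qualified form is "domain_name\user_name" but the isolated form it is contrasted with is "group_name". Use a matching pair ("domain_name\group_name" versus "group_name", as the FAQ hunk `@@ -160,15 +171,15` already does) or give both user and group forms. PATCH 12 hunk `@@ -104,7 +104,7` rewrites the same sentence and keeps the mismatch. In the same hunk, the two element descriptions are not parallel: `<add member>` is "the SID or name of the member to configure" while `<remove member>` is "the SID or name of the member to remove from the specified group"; make the first one "the member to add to the specified group".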
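Review bot: PATCH 10 hunk `@@ -116,19 +121,25` (and its reworked descriptions in PATCH 14 hunks `@@ -123,7 +123,7` and `@@ -139,7 +139,7`) has both examples "add the built-in Administrators group using its well known SID" as a member of Backup Operators. SAM does not allow one local group (alias) to be a member of another local group, so that entry is expected to fail on a real device; verify the example on a test machine and, if it fails, use a user or a domain or AAD group in its place. The SID correction in PATCH 14 is right: "S-1-5-32-" is the BUILTIN authority, and an AAD group SID starts with "S-1-12-1-" as the new placeholder shows. Two smaller points: "add a AAD group" should be "add an AAD group" (carried through PATCH 14 and PATCH 16), and Example 2 grants the Guest account membership in Backup Operators, which carries SeBackupPrivilege; a documentation example reads as a recommendation, so a less privileged illustration would be safer.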
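Review bot: PATCH 10 hunk `@@ -160,15 +171,15` documents the idempotent cases ("This will result in no changes to the group and no error" for adding an existing member or removing a non-member) but not the failure case: what happens when a name in `<add member>` or `<remove member>` cannot be resolved. Given that the IMPORTANT block says SIDs are applied without resolution, readers will want to know whether an unresolvable name fails the whole policy, is skipped with a logged error, or is applied as-is, and whether the remaining entries in the XML are still processed. One FAQ entry covering that, with the error surfaced, would close the gap.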
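Review bot: PATCH 10 hunk `@@ -214,14 +225,6` deletes footnotes 1 through 8 and keeps only "9 - Available in Windows 10, version 2010." Check that no superscript elsewhere on the page still refers to a deleted footnote (the edition support table in the page's first version used superscript 4, which mapped to version 1803); every remaining superscript should now be 9, and footnote 9 itself needs the version string fixed to 20H2 as noted for the `@@ -75` hunk.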
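Review bot: PATCH 14 hunk `@@ -173,7 +173,7` shows no visible change to "Yes, you can add a member that is already a member of a group. This will result in no changes to the group and no error.", so it is presumably whitespace only, and PATCH 15 and PATCH 17 ("minor change to trigger build", "Minor update to trigger build") do nothing but flip ms.date from 10/14/2020 to 10/13/2020 and back. Squash these three no-op commits into the preceding content commit before merging so the history records only substantive changes and the front matter carries a single, intended ms.date.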