From 8fef1868fd38cfebf37bc06875553e64f9eea5a1 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 19 Mar 2020 10:20:30 -0700 Subject: [PATCH] Updated the example --- .../mdm/policy-csp-restrictedgroups.md | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index ceef7004b4..37921c714c 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -122,24 +122,26 @@ Starting in Windows 10, version 1809, you can use this schema for retrieval and -Here is an example: +Here's an example: ``` - - - - + + + - - + + + ``` +where: +- `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. +- `` contains the members to add to the group in ``. If a Name is specified here, the policy will try to get the corresponding SID using [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (Note: This doesn't query Azure AD). For best results, use SID for ``. Groups can be renamed and account name lookups are limited to AD/local machine, so SID is the best and most deterministic way to configure. +The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. +- `Group1` and `Group2` are group locals on the device being configured. -> [!Note] -> * You should include the local administrator while modifying the administrators group to prevent accidental loss of access -> * Include the entire UPN after AzureAD
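Review bot: In the added `where:` list the two lookup APIs are attributed the wrong way round. LookupAccountName resolves an account name to a SID and LookupAccountSid resolves a SID to a name, so the first bullet (SID supplied, group name wanted) should cite LookupAccountSid and the second bullet (name supplied, SID wanted) should cite LookupAccountName, with the two links swapped to match. The hunk also deletes the `[!Note]` that told readers to include the local administrator when modifying the administrators group. The new text says membership is configured through NetLocalGroupSetMembers, which sets the group's member list rather than appending to it, so any existing member left out of the list is removed. That warning about accidental loss of access is still needed and should be kept or restated beside that sentence, along with the dropped guidance on including the entire UPN after AzureAD if it still applies. Minor: "group locals" in the last added bullet should read "local groups".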