deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Updated the example

Browse Source
This commit is contained in:
ManikaDhiman 2020-03-19 10:20:30 -07:00
parent af6c266c7e
commit 8fef1868fd
1 changed files with 12 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
windows/client-management/mdm/policy-csp-restrictedgroups.md
View File

@ -122,24 +122,26 @@ Starting in Windows 10, version 1809, you can use this schema for retrieval and
<!--/SupportedValues-->
<!--Example-->
Here is an example:
Here's an example:
```
<groupmembership>
<accessgroup desc = "Administrators">
<member name = "AzureAD\CSPTest@contoso.com" />
<member name = "AzureAD\patlewis@contoso.com" />
<member name = "S-1-15-1233433-23423432423-234234324"/>
<accessgroup desc = "Group1">
<member name = "S-1-15-6666767-76767676767-666666777"/>
<member name = "contoso\Alice"/>
</accessgroup>
<accessgroup desc = "testcsplocal">
<member name = "AzureAD\CSPTest@contoso.com" />
<accessgroup desc = "Group2">
<member name = "S-1-15-1233433-23423432423-234234324"/>
<member name = "Group1"/>
</accessgroup>
</groupmembership>
```
where:
- `<accessgroup desc>` contains the local group SID or group name to configure. If an SID is specified here, the policy uses [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
- `<member name>` contains the members to add to the group in `<accessgroup desc>`. If a Name is specified here, the policy will try to get the corresponding SID using [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (Note: This doesn't query Azure AD). For best results, use SID for `<member name>`. Groups can be renamed and account name lookups are limited to AD/local machine, so SID is the best and most deterministic way to configure.
The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- `Group1` and `Group2` are group locals on the device being configured.
> [!Note]
> * You should include the local administrator while modifying the administrators group to prevent accidental loss of access
> * Include the entire UPN after AzureAD
<!--/Example-->
<!--Validation-->