Added new policy

ManikaDhiman 2020-10-09 16:25:41 -07:00
parent c39fe795a5
commit 9c0263424b
2 changed files with 40 additions and 92 deletions


@ -267,6 +267,7 @@
#### [LanmanWorkstation](policy-csp-lanmanworkstation.md)
#### [Licensing](policy-csp-licensing.md)
#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
#### [LocalUsersAndGroups](policy-csp-localusersandgroups.md)
#### [LockDown](policy-csp-lockdown.md)
#### [Maps](policy-csp-maps.md)
#### [Messaging](policy-csp-messaging.md)
@ -44,19 +44,19 @@ manager: dansimp
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>9</sup></td>
</tr>
</table>
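Review bot: the second-column superscript changes from 4 to 9 on the Pro, Business, Enterprise and Education rows, but the only footnote this commit adds (last hunk) is `10 - Available in Windows 10, version 2010.`, and the footnote list shown there goes from 8 straight to 10. Either footnote 9 must already be defined elsewhere in the file, or the table should cite 10; the superscript and the footnote should be reconciled before merge.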
@ -73,86 +73,48 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
The RestrictedGroups/ConfigureGroupMembership policy setting allows administrators to configure members (users or AAD groups) to a Windows 10 local group. However, RG policy has a limitation that it only allows for a full replace of the existing groups with the new members and does not allow selective add/remove. This limitation causes scalability issues for Intune to implement the policy in its current format. In addition, it restricts customers from enabling scenarios and attain parity with on-premises group management. As a result, this policy limitation delays the GA of the local admin rights scenario for AAD Joined devices.
This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device.
On-premises AD offers more flexibility in managing local groups using the Local Users and Groups (LUG) GPP. RG GPO is not meant to provide granularity in selectively removing existing members or adding new ones. Enabling capabilities in LUG GPP into RG MDM policy would create confusion for customers whore accustomed to the on-premises polices and preferences, and how theyre used. So, its beneficial in the long-term to build a new MDM policy that provides customers granularity for managing local users and groups from the cloud, instead of overriding the RG policy. In addition, this new policy allows for further improvements without altering the meaning of the RG policy.
This policy setting allows administrators to manage local groups on a device.
> [!NOTE]
> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
Here's an example of the policy definition XML for group configuration:
```xml
<![CDATA[<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">
<xs:simpleType name="name">
<xs:restriction base="xs:string">
<xs:maxLength value="255" />
</xs:restriction>
</xs:simpleType>
<xs:element name="accessgroup">
<xs:complexType>
<xs:sequence>
<xs:element name="group" minOccurs="1" maxOccurs="1">
<xs:annotation>
<xs:documentation>Group Configuration Action</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="action" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="add" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group Member to Add</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="member" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="remove" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group Member to Remove</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="member" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="property" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Group property to configure</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="desc" type="name" use="required"/>
<xs:attribute name="value" type="name" use="required"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="desc" type="name" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="GroupConfiguration">
<xs:complexType>
<xs:sequence>
<xs:element name="accessgroup" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Local Group Configuration</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema]]>
<?xml version = "1.0" encoding = "utf-8"?>
<GroupConfiguration>
<accessgroup desc = "Backup Operators">
<group action = ""/>
<add member = ""/>
<remove member = ""/>
<property desc = "" value = ""/>
</accessgroup>
</GroupConfiguration>
```
where:
- `<accessgroup>`: Specifies the name or SID of the local group to configure.
- `<group action>`: Specifies the action to take on the local group, which can be Update and Replace, represented by U and R:
- Update. This action must be used to keep the current group membership intact and add or remove members of the specific group.
- Replace. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as that of the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting.
- `<add member>`: Specifies the SID or name of the member to configure.
- `<remove member>`: Specifies the SID or name of the member to remove from the specified group.
- `<property desc>`: (Optional and not supported currently). This element is reserved for the future use to update group properties, such as group name as part of an update action.
> [!IMPORTANT]
> - `<add member>` and `<remove member>` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using Graph API for Groups. The SID is present in the `securityIdentifier` attribute.
> - This policy setting does not support the MemberOf functionality. However, you can add a domain group as a member to a local group by specifying the group in `<add member>` of another group.
> - The R (Replace) action takes precedence over U (Update). Therefore, if a group appears twice in the XML, once with U and again with R, the R action wins.
> - Remove member is not valid for the R (Replace) action and will be ignored if present.
> - The list in the XML is processed in the given order with the exception of R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order of presence.
<!--/Description-->
<!--SupportedValues-->
This policy setting has two top level actions:
- Update represented by U
- Replace represented R
We can have 2 verbs - Add Member, Remove Member for specific local group - to modify local group setting
Add member and Remove member can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using Graph API for Groups. The SID is present in the attribute "securityIdentifier".
<!--/SupportedValues-->
<!--Example-->
Example to add and remove group members
**Example: Add and remove group members**
```xml
<?xml version = "1.0" encoding = "utf-8"?>
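Review bot: the schema block ends with `</xs:schema]]>`, which drops the `>` of the closing tag; it should read `</xs:schema>]]>`, and the `<![CDATA[` ... `]]>` wrapper around the schema has no enclosing element inside this fenced example, so either show the element the CDATA belongs to or remove the wrapper. Inside `GroupConfiguration`, `<xs:element name="accessgroup" minOccurs="0" maxOccurs="unbounded">` declares a new, typeless element instead of referencing the global one; use `<xs:element ref="accessgroup" minOccurs="0" maxOccurs="unbounded">` so the element actually picks up the complexType defined above it. The `action` attribute is typed as `name` (any string up to 255 characters) while the text requires `U` or `R`; an `xs:enumeration` restriction would make the schema enforce what the prose describes. If the `SupportedValues` lines (`Replace represented R`, `We can have 2 verbs ...`) survive in the new version, they repeat the IMPORTANT list in rougher wording and the missing `by` should at least be fixed.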
@ -163,8 +125,9 @@ Example to add and remove group members
<remove member = "Guest"/>
</accessgroup>
</GroupConfiguration>
```
Example to replace group membership
**Example: Replace group membership**
```xml
<?xml version = "1.0" encoding = "utf-8"?>
@ -176,23 +139,6 @@ Example to replace group membership
</accessgroup>
</GroupConfiguration>
```
Action Consequences
U: Update Group: Add/Remove specified members.
o Add Member = contains name or SID
o Remove Member = contains name or SID (remove wins if a sid is specified in both due to order of processing
o MemberOf / group nesting can be achieved by specifying the group in Add Member of another group
§ R : Replace group membership provides the same functionality as Restricted Groups.
§ Replace operation takes precedence over Update. Thus, if a group appears twice in the XML, once with U and once with R , Replace wins. This is behaviour in parity with on prem.
§ Remove member is not valid for R Replace operation and will be ignored if present.
§ The list given in the XML is processed in the order given with the exception of R actions which get processed last to ensure they win. That also means that if a group is present multiple times with different add/remove values, all of them will processed in the order of presence.
<!--/Example-->
<!--Validation-->
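Review bot: dropping the garbled `Action Consequences` list is fine since the IMPORTANT block in the Description now states the same rules, but one rule from it is not carried over: `Remove Member = contains name or SID (remove wins if a sid is specified in both due to order of processing`. The new IMPORTANT list covers a group that is listed more than once, not the same member appearing in both `<add member>` and `<remove member>` of one `<accessgroup>`; add a bullet stating that remove wins in that case, because an admin who assumes add wins would otherwise leave an account out of the group without noticing.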
@ -210,5 +156,6 @@ Footnotes:
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
- 10 - Available in Windows 10, version 2010.
<!--/Policies-->
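Review bot: the added footnote `10 - Available in Windows 10, version 2010.` leaves a gap after `8`, while the table earlier in this commit now cites superscript 9; pick one number and use it in both places. Also confirm the version string: the neighbouring footnotes use the yymm release names (1903, 1909, 2004), and the release following 2004 was published as 20H2, not 2010.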