deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/client-management/mdm/policy-csp-localusersandgroups.md
ManikaDhiman c2f95f3958 Minor update
2020-10-09 17:00:35 -07:00

5.4 KiB
Raw Blame History

title, description, ms.author, ms.topic, ms.prod, ms.technology, author, ms.localizationpriority, ms.date, ms.reviewer, manager
title description ms.author ms.topic ms.prod ms.technology author ms.localizationpriority ms.date ms.reviewer manager
Policy CSP - LocalUsersAndGroups Policy CSP - LocalUsersAndGroups dansimp article w10 windows manikadhiman medium 10/08/2020 dansimp

Policy CSP - LocalUsersAndGroups

LocalUsersAndGroups policies

LocalUsersAndGroups/Configure

LocalUsersAndGroups/Configure

Windows Edition Supported?
Home cross mark
Pro check mark9
Business check mark9
Enterprise check mark9
Education check mark9

Scope:

[!div class = "checklist"]

  • Device

This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device.

Note

The RestrictedGroups/ConfigureGroupMembership policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.

Here's an example of the policy definition XML for group configuration:

<?xml version = "1.0" encoding = "utf-8"?>
    <GroupConfiguration>
        <accessgroup desc = "Backup Operators">
            <group action = ""/> 
                <add member = ""/>
                <remove member = ""/>
                <property desc = "" value = ""/> 
        </accessgroup>
    </GroupConfiguration>

where:

  • <accessgroup>: Specifies the name or SID of the local group to configure.
  • <group action>: Specifies the action to take on the local group, which can be Update and Replace, represented by U and R:
    • Update. This action must be used to keep the current group membership intact and add or remove members of the specific group.
    • Replace. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as that of the RestrictedGroups/ConfigureGroupMembership policy setting.
  • <add member>: Specifies the SID or name of the member to configure.
  • <remove member>: Specifies the SID or name of the member to remove from the specified group.
  • <property desc>: (Optional and not supported currently). This element is reserved for the future use to update group properties, such as group name as part of an update action.

Important

  • <add member> and <remove member> can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using Graph API for Groups. The SID is present in the securityIdentifier attribute.
  • This policy setting does not support the MemberOf functionality. However, you can add a domain group as a member to a local group by specifying the group in <add member> of another group.
  • The R (Replace) action takes precedence over U (Update). Therefore, if a group appears twice in the XML, once with U and again with R, the R action wins.
  • Remove member is not valid for the R (Replace) action and will be ignored if present.
  • The list in the XML is processed in the given order with the exception of R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order of presence.

Examples

Update action for adding and removing group members:

<?xml version = "1.0" encoding = "utf-8"?> 
<GroupConfiguration> 
    <accessgroup desc = "Backup Operators"> 
        <group action = "U" /> 
        <add member = "S-1-5-544"/> 
        <remove member = "Guest"/> 
    </accessgroup> 
</GroupConfiguration>

Replace action for replacing the group membership:

<?xml version = "1.0" encoding = "utf-8"?> 
<GroupConfiguration>
    <accessgroup desc = "Backup Operators">
        <group action = "R" />
        <add member = "S-1-5-544"/>
        <add member = "Guest"/>
    </accessgroup>
</GroupConfiguration>

Footnotes:

  • 1 - Available in Windows 10, version 1607.
  • 2 - Available in Windows 10, version 1703.
  • 3 - Available in Windows 10, version 1709.
  • 4 - Available in Windows 10, version 1803.
  • 5 - Available in Windows 10, version 1809.
  • 6 - Available in Windows 10, version 1903.
  • 7 - Available in Windows 10, version 1909.
  • 8 - Available in Windows 10, version 2004.
  • 9 - Available in Windows 10, version 2010.