Configure a Local Group Item

Applies To: Windows Server 2008

Local Group preference items allow you to centrally create, delete, and rename local groups. Also, you can use these preference items to change local group memberships. Before you create a local group preference item, you should review the behavior of each type of action possible with the extension.

Creating a Local Group item

To create a new Local Group preference item

1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Control Panel Settings folder.

3. Right-click the Local Users and Groups node, point to New, and select Local Group.

4. In the New Local Group Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

5. Enter local group settings for Group Policy to configure or remove. (For more information, see "Local group settings" in this topic.)

6. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether a group with the same name exists.

Important

Create

Update

Rename or modify settings, including group membership, of an existing group. This action differs from Replace in that it updates the settings defined within the preference item. All other settings remain as they were previously configured. If the local group does not exist, then the Update action creates a new local group.

Important

The Update action does not change the SID of the group.

Local Group settings

Note

Group Name

Remove the current user

Use this setting to delete the currently logged on user's membership in the local group.

Note

This setting is available only when editing the preference item under User Configuration.

Do not configure for the current user

Use this setting if you do not want the currently logged-on user added to or removed from the local group.

Note

This setting is available only when editing the preference item under User Configuration.

Delete all member users

Use this setting to remove all the user accounts that are members of the local group. The preference extension performs this work prior to processing the members list defined in the preference item.

Delete all member groups

Use this setting to remove all the group accounts that are members of the local group. The preference extension performs this work prior to processing the members list defined in the preference item.

Add

Click Add to enter a new member item to the members list.

• Type the name of the user or group you want to include in the member item, or click Browse (…) to select a user or group.
  
  
• Choose from the Action list the desired action for the member item:
  
  
  • Add to this group: Adds the named member to the local group.
    
    
  • Remove from this group: Removes the named member from the local group.
    
    

Remove

Click Remove to delete the currently selected member item from the member list.

Change

Click Change to modify the currently selected member item.

• Type the name of the user or group you want to include in the member item, or click Browse (…) to select a user or group.
  
  
• Choose from the Action list the desired action for the member item:
  
  
  • Add to this group: Adds the named member to the local group.
    
    
  • Remove from this group: Removes the named member from the local group.
    
    

Additional considerations

• Group memberships for the current user take effect during the next user logon.

• The Local Group item action Replace deletes the existing local group and creates a new local group, which includes a new security identifier.

• The Local Group item action Update modifies the settings of a local group, but does not change the security identifier of the local group.

• You can use item-level targeting to change the scope of preference items.

• Preference items are available only in domain-based GPOs.

Additional references

• Local Users and Groups Extension

• For additional information on configuring settings in Windows, see the Windows Server 2008 TechCenter (https://go.microsoft.com/fwlink/?LinkId=91710).