Last Update: Sep 04, 2024 | Published: Mar 26, 2015
Following the first two entries in my managing Active Directory Local Groups article series, we're ready for our next installment. In this article, I'll talk about another feature of Group Policy called "Local Users and Groups", which is part of the relatively new section of a GPO called Group Policy Preferences (GPP). Local group preference items let you centrally create, delete, and rename local groups, and you can also use them to change local group memberships.
The nice thing about this feature compared with the older Restricted Groups setting is that it can add users and groups as members without touching the rest of the current membership. Restricted Groups enforces the whole member list, so anyone not listed is removed at every refresh; a GPP "Update" item only adds or removes the members you specify, unless you explicitly tick the "Delete all member users" or "Delete all member groups" options. This gives you much more flexibility in group membership management, with one caveat worth remembering: an Update item enforces the presence of the members you list, not the full membership, so stale or unexpected members that someone else has added stay in place until you remove them explicitly.
This feature is relatively new. It was not part of Group Policy in Windows 2000 or Windows Server 2003, but arrived with Group Policy Preferences in Windows Server 2008. Windows XP, Windows Server 2003 and Windows Vista clients can process these items only after the Group Policy Preference Client Side Extensions add-on is installed (Download Group Policy Preference Client Side Extensions for Windows XP). Starting with Windows 7 and Windows Server 2008 R2, the extensions are built in and it just works out of the box.
As with the Restricted Groups setting, you need to create or edit a GPO linked to the OU that contains the computer objects you want the setting to affect.
Note: In GPP, you can also use item-level targeting to narrow the scope of an individual preference item, but that's a topic for a different article.
1. In that GPO, browse and expand “Computer Configuration” > “Preferences” > “Control Panel Settings”. Click on “Local Users and Groups”.
2. Right-click on “Local Users and Groups” and select “New Local Group”.
3. In the New Local Group Properties dialog box, select an Action for Group Policy to perform. You can select one of four options: Create (create the group only if it does not already exist), Replace (delete the group and recreate it, which replaces its membership), Update (the default: modify the group if it exists, otherwise create it), or Delete (remove the group).
These four actions follow the create, read, update, delete (CRUD) pattern, with Replace standing in for Read, and they are shared by every type of Group Policy Preference item.
4. In this case, we will select “Update”.
5. Enter the local group for Group Policy to configure. You can pick one of the built-in groups (such as Administrators or Remote Desktop Users) from the drop-down, or type your own group name.
Depending on the action, you can rename the group, give it a description, add members or remove existing ones, add or remove the currently logged-on user, or delete all current member users or member groups before the members you list are applied.
Tip: Press F3 in any text field to bring up the list of preference variables, such as %ComputerName%, that you can insert instead of a literal value. You'll like it.
In addition, the "Common" tab holds options shared by all preference items, such as "Stop processing items in this extension if an error occurs", "Apply once and do not reapply", and item-level targeting.
In this example, we will use the “Test Local Group” group on a member server.
6. Click Add to configure specific users or groups as members. For each entry you choose whether to add it to or remove it from the group, and you can list multiple users or groups in one item.
7. The new item now appears in the right pane. Because we chose "Update", it shows the yellow icon GPP uses for that action.
8. Before the GPO change, our “Test Local Group” only had 1 user, “testuser2”.
9. After the next Group Policy refresh (or gpupdate /force on the server), you will see that the new local user was added to the group, and so was the AD-based group.
Note: Remember that group membership changes do not alter the access tokens of sessions that are already logged on. A user who was just added to (or removed from) the group gets the new membership at their next logon.
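Once the GPO is in place, the items you created above live as XML in SYSVOL (each GPO's Machine\Preferences\Groups\Groups.xml), which every domain user can read. The following PowerShell is an added example written for this article, not code from the original page: it parses a constructed Groups.xml sample, maps the one-letter action codes to the four actions from step 3, flags items that behave like Restricted Groups (Replace, or the "Delete all member users/groups" options) and items that hand out local admin, reports Local User items that still carry a cpassword attribute (the GPP-stored password whose decryption key is public, which is why MS14-025 removed the ability to set it), and compares a host's actual membership with what an item should produce, as in steps 8 and 9. The domain name, group names, member names and the sample XML are assumptions; real files also carry clsid, uid and changed attributes that this parser ignores.

```powershell
# Added example for this article (not the original page's code). The XML, domain,
# group and member names are constructed; real Groups.xml files carry more attributes.
$SampleGroupsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Test Local Group">
    <Properties action="U" newName="" deleteAllUsers="0" deleteAllGroups="0" groupName="Test Local Group">
      <Members>
        <Member name="testuser1" action="ADD"/>
        <Member name="CONTOSO\Test AD Group" action="ADD"/>
      </Members>
    </Properties>
  </Group>
  <Group name="Administrators (built-in)">
    <Properties action="U" newName="" deleteAllUsers="1" deleteAllGroups="1" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members><Member name="CONTOSO\ServerAdmins" action="ADD"/></Members>
    </Properties>
  </Group>
  <User name="localadmin">
    <Properties action="U" userName="localadmin" cpassword="REDACTED-SAMPLE-VALUE" noChange="1" neverExpires="1"/>
  </User>
</Groups>
'@
# GPP stores the action as one letter; these are the four actions from step 3.
$ActionName = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

function Get-GppLocalGroupItem {
    # Flatten every <Group> item of a Groups.xml document into one object per group.
    param([Parameter(Mandatory)][xml]$Document, [string]$Source = 'sample')
    foreach ($g in $Document.Groups.Group) {
        $p = $g.Properties
        [pscustomobject]@{
            Source          = $Source
            Group           = $p.groupName
            GroupSid        = $p.groupSid
            Action          = $ActionName[$p.action]
            DeleteAllUsers  = ($p.deleteAllUsers -eq '1')
            DeleteAllGroups = ($p.deleteAllGroups -eq '1')
            # Each <Member> carries ADD or REMOVE, matching the Add/Remove choice in step 6.
            Members         = @(foreach ($m in $p.Members.Member) { [pscustomobject]@{ Name = $m.name; Action = $m.action } })
        }
    }
}

function Test-GppLocalGroupItem {
    # Warn about items that wipe the existing membership or hand out local admin.
    param([Parameter(Mandatory, ValueFromPipeline)]$Item)
    process {
        if ($Item.Action -eq 'Replace' -or $Item.DeleteAllUsers -or $Item.DeleteAllGroups) {
            "[$($Item.Source)] '$($Item.Group)': $($Item.Action) item with deleteAllUsers=$($Item.DeleteAllUsers) deleteAllGroups=$($Item.DeleteAllGroups) removes existing members first (Restricted Groups-style enforcement)."
        }
        $adds = @($Item.Members | Where-Object { $_.Action -eq 'ADD' })
        if ($adds.Count -gt 0 -and ($Item.GroupSid -eq 'S-1-5-32-544' -or $Item.Group -like 'Administrators*')) {
            "[$($Item.Source)] '$($Item.Group)': grants local admin to $($adds.Name -join ', ')."
        }
    }
}

function Get-GppCpasswordItem {
    # Local User items still carrying a cpassword; the key that decrypts it is public (MS14-025).
    param([Parameter(Mandatory)][xml]$Document, [string]$Source = 'sample')
    foreach ($u in $Document.Groups.User) {
        if ($u.Properties.cpassword) {
            [pscustomobject]@{ Source = $Source; User = $u.Properties.userName; Action = $ActionName[$u.Properties.action] }
        }
    }
}

function Invoke-GppLocalGroupAudit {
    # Walk every Groups.xml under SYSVOL (default Policies layout assumed) and report findings.
    param([string]$Domain = $env:USERDNSDOMAIN)
    Get-ChildItem -Path "\\$Domain\SYSVOL\$Domain\Policies" -Recurse -Filter Groups.xml -ErrorAction SilentlyContinue |
        ForEach-Object {
            [xml]$doc = Get-Content -Path $_.FullName -Raw
            Get-GppLocalGroupItem -Document $doc -Source $_.FullName | Test-GppLocalGroupItem
            Get-GppCpasswordItem -Document $doc -Source $_.FullName |
                ForEach-Object { "[$($_.Source)] user '$($_.User)' carries a cpassword; rotate it and delete the item." }
        }
}

function Compare-LocalGroupState {
    # Run on a targeted host after the refresh (steps 8 and 9): every ADD member present, every REMOVE member gone.
    # GPP stores local accounts without a prefix, while Get-LocalGroupMember reports them as HOST\name.
    param([Parameter(Mandatory)]$Item)
    $groupName = $Item.Group -replace ' \(built-in\)$', ''           # GPP label vs real local group name
    $actual = @(Get-LocalGroupMember -Group $groupName -ErrorAction Stop | Select-Object -ExpandProperty Name)
    foreach ($m in $Item.Members) {
        $present = [bool]($actual | Where-Object { $_ -eq $m.Name -or ($m.Name -notmatch '\\' -and $_.Split('\')[-1] -eq $m.Name) })
        $ok = if ($m.Action -eq 'ADD') { $present } else { -not $present }
        [pscustomobject]@{ Member = $m.Name; Expected = $m.Action; Present = $present; OK = $ok }
    }
}

# Offline demonstration on the constructed sample.
[xml]$sample = $SampleGroupsXml
$items = Get-GppLocalGroupItem -Document $sample
$items | Format-Table Group, Action, DeleteAllUsers, @{ n = 'Members'; e = { @($_.Members | ForEach-Object { "$($_.Action):$($_.Name)" }) -join ' ' } }
$items | Test-GppLocalGroupItem
Get-GppCpasswordItem -Document $sample
# On the member server, once the policy has refreshed: Compare-LocalGroupState -Item $items[0]
```

Run Invoke-GppLocalGroupAudit from any domain-joined machine to review every GPO's local group items at once, and Compare-LocalGroupState on the member server after the refresh to confirm the "Test Local Group" membership matches the item; the first item in the sample is the Update from step 4, so no existing members are removed, while the second shows what the delete-all options look like on disk.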