Local Group preference items allow you to centrally create, delete, and rename local groups. Also, you can use these preference items to change local group memberships. Before you create a local group preference item, you should review the behavior of each type of action possible with the extension.

Creating a Local Group item

To create a new Local Group preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Control Panel Settings folder.

  3. Right-click the Local Users and Groups node, point to New, and select Local Group.

  4. In the New Local Group Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter local group settings for Group Policy to configure or remove. (For more information, see "Local group settings" in this topic.)

  6. Click the Common tab, configure any options, and then type your comments in the Description box. (For more information, see Configure Common Options.)

  7. Click OK. The new preference item appears in the details pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether a group with the same name exists.

Create

Create a new local group on the local computer. If the local group exists, then do not modify it.

Delete

Remove a local group with the matching name from the local computer. The extension performs no action if the group does not exist.

Replace

Delete and recreate a local group with the matching name for the local computer. The net result of the Replace action overwrites all existing settings associated with the local group. If the local group does not exist, then the Replace action creates a new local group.

Important

Windows assigns each group a security identifier (SID). Windows uses this information to determine if a group is allowed to access a particular resource. Use caution when using the Replace action as the newly created group has a new SID. This may prevent groups from having access to resources.

Update

Rename or modify settings, including group membership, of an existing group. This action differs from Replace in that it updates the settings defined within the preference item. All other settings remain as they were previously configured. If the local group does not exist, then the Update action creates a new local group.

Important

The Update action does not change the SID of the group.

Local Group settings

Group Name

Type the name of the targeted local group. The preference extension creates a new group with this name if the group does not exist. If the group exists, the preference extension uses the group with this name as the target of the requested action.

Rename to:

Type in the new name of the local group. This option is only available when using the Update action. The preference extension renames the group with the name that matches in the Group Name box to the name provided in the Rename to box.

Description

Text used to describe the purpose or use of the local group. Press F3 to display a list of variables from which you can select.

Add the current user

Use this setting to include the currently logged on user as a member of the local group.

Note

This setting is available only when editing the preference item under User Configuration.

Remove the current user

Use this setting to delete the currently logged on user's membership in the local group.

Note

This setting is available only when editing the preference item under User Configuration.

Do not configure for the current user

Use this setting if you do not want the currently logged-on user added to or removed from the local group.

Note

This setting is available only when editing the preference item under User Configuration.

Delete all member users

Use this setting to remove all the user accounts that are members of the local group. The preference extension performs this work prior to processing the members list defined in the preference item.

Delete all member groups

Use this setting to remove all the group accounts that are members of the local group. The preference extension performs this work prior to processing the members list defined in the preference item.

Add

Click Add to enter a new member item to the members list.

  • Type the name of the user or group you want to include in the member item, or click Browse (…) to select a user or group.

  • Choose from the Action list the desired action for the member item:

    • Add to this group: Adds the named member to the local group.

    • Remove from this group: Removes the named member from the local group.

Remove

Click Remove to delete the currently selected member item from the member list.

Change

Click Change to modify the currently selected member item.

  • Type the name of the user or group you want to include in the member item, or click Browse (…) to select a user or group.

  • Choose from the Action list the desired action for the member item:

    • Add to this group: Adds the named member to the local group.

    • Remove from this group: Removes the named member from the local group.

Additional considerations

  • Group memberships for the current user take effect during the next user logon.

  • The Local Group item action Replace deletes the existing local group and creates a new local group, which includes a new security identifier.

  • The Local Group item action Update modifies the settings of a local group, but does not change the security identifier of the local group.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Additional references

  • Local Users and Groups Extension
  • Configure a Local User Item