Policy CSP - LocalUsersAndGroups

Warning

Some information relates to prereleased products, which may be substantially modified before they are commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.


LocalUsersAndGroups policies

LocalUsersAndGroups/ConfigureLocalUsersAndGroups/Configure

Windows Edition    Supported?
Home               No
Pro                Yes (9)
Business           Yes (9)
Enterprise         Yes (9)
Education          Yes (9)

Scope:

  • Device

Available in Windows 10, version 20H2. This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device.

Note

The RestrictedGroups/ConfigureGroupMembership policy setting also allows you to configure members (users or AAD groups) of a Windows 10 local group. However, it allows only a full replace of the existing group membership with the new members and does not allow selective add or remove.

Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersAndGroups policy instead of the RestrictedGroups policy. Applying both policies to the same device is unsupported and may yield unpredictable results.

Here's an example of the policy definition XML for group configuration:

<GroupConfiguration>
    <accessgroup desc = "">
        <group action = ""/>
        <add member = ""/>
        <remove member = ""/>
    </accessgroup>
</GroupConfiguration>

where:

  • <accessgroup desc>: Specifies the name or SID of the local group to configure. If you specify a SID, the LookupAccountSid API is used to translate the SID to a valid group name. If you specify a name, the LookupAccountName API is used to look up the group and validate the name. If the name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing.

  • <group action>: Specifies the action to take on the local group, which can be Update or Restrict, represented by U and R:

    • Update. This action must be used to keep the current group membership intact and add or remove members of the specific group.
    • Restrict. This action must be used to replace the current membership with the newly specified members. This action provides the same functionality as the RestrictedGroups/ConfigureGroupMembership policy setting.
  • <add member>: Specifies the SID or name of the member to configure.

  • <remove member>: Specifies the SID or name of the member to remove from the specified group.

    Note

    When specifying member names of domain accounts, use fully qualified account names where possible (for example, domain_name\user_name) instead of isolated names (for example, group_name). This way, you avoid ambiguous results when users or groups with the same name exist in multiple domains and locally. See the LookupAccountNameA function for more information.

See Use custom settings for Windows 10 devices in Intune for information on how to create custom profiles.

Important

  • <add member> and <remove member> can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using the Graph API for Groups. The SID is present in the securityIdentifier attribute.
  • When specifying a SID in <add member> or <remove member>, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct.
  • <remove member> is not valid for the R (Restrict) action and will be ignored if present.
  • The list in the XML is processed in the given order, except for R actions, which are processed last to ensure they win. This also means that if a group is present multiple times with different add/remove values, all of those entries will be processed in the order they appear.

Examples

Example 1: Update action for adding and removing group members.

The following example shows how you can update a local group (Backup Operators): add a domain group as a member using its name (Contoso\ITAdmins), add the built-in Administrators group using its well-known SID, add an AAD group by its SID (S-1-12-1-111111111-22222222222-3333333333-4444444444), and remove a local account (Guest).

<GroupConfiguration>
    <accessgroup desc = "Backup Operators">
        <group action = "U" />
        <add member = "Contoso\ITAdmins"/>
        <add member = "S-1-5-32-544"/>
        <add member = "S-1-12-1-111111111-22222222222-3333333333-4444444444"/>
        <remove member = "Guest"/>
    </accessgroup>
</GroupConfiguration>

Example 2: Restrict action for replacing the group membership.

The following example shows how you can restrict a local group (Backup Operators): replace its membership with the built-in Administrators group using its well-known SID, and add a local account (Guest).

<GroupConfiguration>
    <accessgroup desc = "Backup Operators">
        <group action = "R" />
        <add member = "S-1-5-32-544"/>
        <add member = "Guest"/>
    </accessgroup>
</GroupConfiguration>

FAQs

This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP.

What happens if I accidentally remove the built-in Administrator SID from the Administrators group?

Removing the built-in Administrator account from the built-in Administrators group is blocked at the SAM/OS level for security reasons. Attempting to do so will result in failure with the following error:

Error Code                  Symbolic Name           Error Description                                     Header
0x55b (Hex) / 1371 (Dec)    ERROR_SPECIAL_ACCOUNT   Cannot perform this operation on built-in accounts.   winerror.h

When configuring the built-in Administrators group with the R (Restrict) action, specify the built-in Administrator account SID/name in <add member> to avoid this error.

Can I add a member that already exists?

Yes, you can add a member that is already a member of the group. This results in no changes to the group and no error.

Can I remove a member if it isn't a member of the group?

Yes, you can remove a member even if it isn't a member of the group. This results in no changes to the group and no error.

How can I add a domain group as a member to a local group?

To add a domain group as a member to a local group, specify the domain group in <add member> of the local group. Use fully qualified account names (for example, domain_name\group_name) instead of isolated names (for example, group_name) for the best results. See the LookupAccountNameA function for more information.

Can I apply more than one LocalUserAndGroups policy/XML to the same device?

No, this is not allowed. Attempting to do so will result in a conflict in Intune.

What happens if I specify a group name that doesn't exist?

Invalid group names or SIDs are skipped. The valid parts of the policy are applied, and an error is returned at the end of processing. This behavior aligns with the on-prem AD GPP (Group Policy Preferences) LocalUsersAndGroups policy. Similarly, invalid member names are skipped, and an error is returned at the end to notify that not all settings were applied successfully.

What happens if I specify R and U in the same XML?

If you specify both R and U in the same XML, the R (Restrict) action takes precedence over U (Update). Therefore, if a group appears twice in the XML, once with U and again with R, the R action wins.
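To make the documented processing rules concrete (R entries run last so they win, <remove> is ignored under R, duplicate adds and removals of non-members are no-ops, and the built-in Administrator cannot be dropped from Administrators), here is an added Python model of those rules; it is not Microsoft's implementation, and the starting group membership and policy XML it uses are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed starting membership of two local groups on a device (assumption).
SAMPLE_GROUPS = {
    "Administrators": {"Administrator", "Guest"},
    "Backup Operators": {"Guest"},
}
# Constructed policy: an R entry placed first and a U entry second, to show R runs last.
SAMPLE_POLICY = r'''<GroupConfiguration>
    <accessgroup desc = "Administrators">
        <group action = "R" />
        <add member = "Contoso\ITAdmins"/>
        <remove member = "Guest"/>
    </accessgroup>
    <accessgroup desc = "Backup Operators">
        <group action = "U" />
        <add member = "Contoso\ITAdmins"/>
        <add member = "S-1-5-32-544"/>
        <remove member = "Guest"/>
    </accessgroup>
</GroupConfiguration>'''

def apply_policy(xml_text, groups, builtin_admin="Administrator"):
    """Model of the documented rules: U entries run in document order, R entries
    run last, <remove> is ignored under R, adding an existing member or removing
    a non-member is a no-op, and the built-in Administrator cannot leave
    Administrators (modelled as: account stays, ERROR_SPECIAL_ACCOUNT recorded).
    Returns (new membership, last error or None)."""
    entries = [(g.get("desc"), g.find("group").get("action"), g)
               for g in ET.fromstring(xml_text).iter("accessgroup")]
    ordered = [e for e in entries if e[1] == "U"] + [e for e in entries if e[1] == "R"]
    state = {name: set(members) for name, members in groups.items()}
    last_error = None
    for name, action, node in ordered:
        if name not in state:                     # lookup failed: skip, report at end
            last_error = f"group lookup failed: {name}"
            continue
        adds = {m.get("member") for m in node.findall("add")}
        removes = {m.get("member") for m in node.findall("remove")} if action == "U" else set()
        if action == "R":
            state[name] = adds                    # full replace of the membership
        else:
            state[name] |= adds                   # duplicates are harmless
            state[name] -= removes                # non-members are harmless
        if name == "Administrators" and builtin_admin not in state[name]:
            last_error = "ERROR_SPECIAL_ACCOUNT"  # 0x55b / 1371 on the page
            state[name].add(builtin_admin)
    return state, last_error
```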

How do I check the result of a policy that is applied on the client device?

After a policy is applied on the client device, you can investigate the event log to review the result:

  1. Open Event Viewer (eventvwr.exe).
  2. Navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
  3. Search for the LocalUsersAndGroups string to review the relevant details.

How can I troubleshoot Name/SID lookup APIs?

To troubleshoot Name/SID lookup APIs:

  1. Enable lsp.log on the client device by running the following commands:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x800 -Type dword -Force
    
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x1 -Type dword -Force
    

    The lsp.log file (C:\windows\debug\lsp.log) will be displayed. This log file tracks SID-Name resolution.

  2. Turn the logging off by running the following command:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force
    

Footnotes:

  • 9 - Available in Windows 10, version 20H2.