Adding or removing members on FSLogix local groups using Restricted Groups
Published Apr 23 2021 09:43 AM 25.9K Views

Hello Folks! @Guido here.


This is my very first blog and I'd like to share with you how we can add or remove members from FSLogix local groups using a GPO.


To recap


There are often users, such as local administrators, that have profiles that should remain local. During installation, four user groups are created to manage users who's profiles are included and excluded from Profile Container and Office Container redirection.


FSLogix include or Exclude groups allow us to add or exclude members from FSLogix service so the users can get the default local profile instead using a FSLogix container.







  • By default Everyone is added to the FSLogix Profile Include List group.
  • Adding a user to the FSLogix Profile Exclude List group means that the FSLogix agent will not attach a FSLogix profile container for the user.
  • FSLogix Profile Exclude List group take priority over FSLogix Profile Include List group if there is a member on both Local Groups.


Adding or removing member of a Local Groups is extremely easy on a few machines but what happens if you have deployed hundred or thousands of machines? Here where Restricted Groups comes into play.

Restricted Groups

Restricted groups allow an administrator to define the following two properties for security-sensitive (restricted) groups:


Using the "Members" Restricted Group Portion of Policy
When a Restricted Group policy is enforced, any current member of a restricted group that is not on the "Members" list is removed with the exception of administrator in the Administrators group. Any user on the "Members" list which is not currently a member of the restricted group is added.

Using the "Member Of" Restricted Group Portion of Policy
Only inclusion is enforced in this portion of a Restricted Group policy. The Restricted Group is not removed from other groups. It makes sure that the restricted group is a member of groups that are listed in the Member Of dialog box.


Let's start


  1. Open Group Policy Management Console
  2. Create a new GPO or edit an existing one.
  3. Go to Computer Configuration --> Policies --->Windows Settings-->Security Settings-->Restricted Groups
  4. Right click over Restricted Group and select Add Group
  5. Type the Group you you want to add or remove members. The name must match with the local one. I recommend you to just copy and paste the name to avoid mistakes.




Then add the members in Members of this group




Note: Adding members in Members of this Group option will be deleting other local members if they already exist. If you want to keep the existing members, just add the members under This group is member of option


You can validate it from client machine local group side.





Hope you find this useful and informative.


Keep in touch.


Version history
Last update:
‎Jul 15 2022 03:06 AM
Updated by: