This is my very first blog and I'd like to share with you how we can add or remove members from FSLogix local groups using a GPO.
There are often users, such as local administrators, that have profiles that should remain local. During installation, four user groups are created to manage users who's profiles are included and excluded from Profile Container and Office Container redirection.
FSLogix include or Exclude groups allow us to add or exclude members from FSLogix service so the users can get the default local profile instead using a FSLogix container.
By default Everyone is added to the FSLogix Profile Include List group.
Adding a user to the FSLogix Profile Exclude List group means that the FSLogix agent will not attach a FSLogix profile container for the user.
FSLogix Profile Exclude List group take priority over FSLogix Profile Include List group if there is a member on both Local Groups.
Adding or removing member of a Local Groups is extremely easy on a few machines but what happens if you have deployed hundred or thousands of machines? Here where Restricted Groups comes into play.
Restricted groups allow an administrator to define the following two properties for security-sensitive (restricted) groups:
Using the "Members" Restricted Group Portion of Policy When a Restricted Group policy is enforced, any current member of a restricted group that is not on the "Members" list is removed with the exception of administrator in the Administrators group. Any user on the "Members" list which is not currently a member of the restricted group is added.
Using the "Member Of" Restricted Group Portion of Policy Only inclusion is enforced in this portion of a Restricted Group policy. The Restricted Group is not removed from other groups. It makes sure that the restricted group is a member of groups that are listed in the Member Of dialog box.
Open Group Policy Management Console
Create a new GPO or edit an existing one.
Go to Computer Configuration --> Policies --->Windows Settings-->Security Settings-->Restricted Groups
Right click over Restricted Group and select Add Group
Type the Group you you want to add or remove members. The name must match with the local one. I recommend you to just copy and paste the name to avoid mistakes.
Then add the members in Members of this group
Note: Adding members in Members of this Group option will be deleting other local members if they already exist. If you want to keep the existing members, just add the members under This group is member of option
You can validate it from client machine local group side.