The RestrictedGroups/ConfigureGroupMembership policy setting also lets you configure members (users or AAD groups) of a Windows 10 local group. However, it supports only a full replacement of the group's existing membership with the listed members; it cannot selectively add or remove individual members.
Starting with Windows 10, version 20H2, use the LocalUsersAndGroups policy instead of the RestrictedGroups policy. Applying both policies to the same device is unsupported and may yield unpredictable results.
./Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership (legacy, replace-only)
./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure (the XML template below is for this policy)
XML Template:
<GroupConfiguration>
<accessgroup desc = "">
<group action = ""/>
<add member = ""/>
<remove member = ""/>
</accessgroup>
</GroupConfiguration>
Sample (note: this sample uses the RestrictedGroups/ConfigureGroupMembership format, with a <groupmembership> root and <member name> elements; a LocalUsersAndGroups payload follows the <GroupConfiguration> template above and uses <group action>, <add member> and <remove member> instead):
<groupmembership>
<accessgroup desc ="Administrators">
<member name="Administrator" />
<member name="Local-Domain-IT-Admin" />
<member name="S-1-12-1-XXXXX-XXXXX-XXXXX-XXXXX" />
<member name="S-1-12-1-XXXXX-XXXXX-XXXXX-XXXXX" />
</accessgroup>
</groupmembership>
where:
- <accessgroup desc>: Specifies the name or SID of the local group to configure. If you specify a SID, the LookupAccountSid API is used to translate the SID to a valid group name. If you specify a name, the LookupAccountName API is used to look up the group and validate the name. If the name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing.
- <group action>: Specifies the action to take on the local group, which can be Update or Restrict, represented by U and R:
  - Update (U). Keeps the current group membership intact and adds or removes only the listed members of the specified group.
  - Restrict (R). Replaces the current membership with the listed members. This action provides the same functionality as the RestrictedGroups/ConfigureGroupMembership policy setting. Any account not listed, including the one you administer the device with, is removed from the group, so include every account that must remain (for example a break-glass local administrator) before applying R to Administrators.
- <add member>: Specifies the SID or name of the member to add to the specified group.
- <remove member>: Specifies the SID or name of the member to remove from the specified group.
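As an added example, not code from this page or from Microsoft: the PowerShell below builds a LocalUsersAndGroups/Configure payload that follows the <GroupConfiguration> template above, refuses the action/member combinations the description rules out, and verifies the group's live membership after the policy has applied. The OMA-URI ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure is the one Microsoft documents for this policy; the function names, the Azure AD group SID and the local account name helpdesk-local are constructed for the example.

```powershell
# Added example; not code from the page or from Microsoft. Builds the
# <GroupConfiguration> XML with XmlWriter (so attribute values such as
# "AzureAD\user@contoso.com" or names containing & are escaped correctly),
# then checks the resulting local group membership. All values are placeholders.

function New-LocalUsersAndGroupsXml {
    [CmdletBinding()]
    param(
        # Name or SID of the local group: the <accessgroup desc> value.
        [Parameter(Mandatory)] [string] $Group,
        # U keeps current members and applies the add/remove lists;
        # R replaces the whole membership with the add list.
        [Parameter(Mandatory)] [ValidateSet('U', 'R')] [string] $Action,
        [string[]] $Add    = @(),
        [string[]] $Remove = @()
    )

    if ($Action -eq 'R' -and $Remove.Count -gt 0) {
        throw 'Restrict (R) replaces the membership outright; <remove member> entries have no effect there. Use U or drop them.'
    }
    if ($Action -eq 'R' -and $Add.Count -eq 0) {
        # Guard rail of this script: an R payload that lists nobody is almost certainly a mistake.
        throw 'Restrict (R) with no <add member> entries declares an empty membership; refusing.'
    }

    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $settings.OmitXmlDeclaration = $true
    $sb = New-Object System.Text.StringBuilder
    $w  = [System.Xml.XmlWriter]::Create($sb, $settings)

    $w.WriteStartElement('GroupConfiguration')
    $w.WriteStartElement('accessgroup')
    $w.WriteAttributeString('desc', $Group)
    $w.WriteStartElement('group');  $w.WriteAttributeString('action', $Action); $w.WriteEndElement()
    foreach ($m in $Add)    { $w.WriteStartElement('add');    $w.WriteAttributeString('member', $m); $w.WriteEndElement() }
    foreach ($m in $Remove) { $w.WriteStartElement('remove'); $w.WriteAttributeString('member', $m); $w.WriteEndElement() }
    $w.WriteEndElement()   # accessgroup
    $w.WriteEndElement()   # GroupConfiguration
    $w.Flush(); $w.Close()
    return $sb.ToString()
}

function Get-LocalGroupMembershipViaAdsi {
    # Reads members through the WinNT provider and returns name plus SID string.
    # Chosen over Get-LocalGroupMember, which in Windows PowerShell 5.1 can fail
    # when a member SID no longer resolves (deleted account, uncached AAD principal).
    param([Parameter(Mandatory)] [string] $Group)
    $adsiGroup = [ADSI]"WinNT://./$Group,group"
    foreach ($m in @($adsiGroup.Invoke('Members'))) {
        $name     = $m.GetType().InvokeMember('Name',      'GetProperty', $null, $m, $null)
        $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        [pscustomobject]@{ Name = $name; Sid = $sid }
    }
}

function Test-LocalGroupMembership {
    # Compares the live membership with what the policy should have produced.
    # MustContain / MustNotContain accept names or SIDs (matching is case-insensitive).
    param(
        [Parameter(Mandatory)] [string] $Group,
        [string[]] $MustContain    = @(),
        [string[]] $MustNotContain = @()
    )
    $members    = @(Get-LocalGroupMembershipViaAdsi -Group $Group)
    $present    = @($members | ForEach-Object { $_.Name; $_.Sid })
    $missing    = @($MustContain    | Where-Object { $present -notcontains $_ })
    $unexpected = @($MustNotContain | Where-Object { $present -contains    $_ })
    [pscustomobject]@{
        Group      = $Group
        Members    = $members
        Missing    = $missing
        Unexpected = $unexpected
        Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

# Constructed values: an Azure AD group SID and a stale local admin account name.
$aadAdminsSid  = 'S-1-12-1-1111111111-2222222222-3333333333-4444444444'
$staleLocalAdm = 'helpdesk-local'

# 1. Build the payload for ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure.
#    Action U: existing members are kept; only the listed add/remove entries change.
$payload = New-LocalUsersAndGroupsXml -Group 'Administrators' -Action 'U' `
    -Add $aadAdminsSid -Remove $staleLocalAdm
$payload

# 2. After the MDM sync, run elevated on the device to confirm the outcome.
Test-LocalGroupMembership -Group 'Administrators' `
    -MustContain 'Administrator', $aadAdminsSid -MustNotContain $staleLocalAdm |
    Select-Object Group, Compliant, Missing, Unexpected
```

The string returned by New-LocalUsersAndGroupsXml is what you paste as the String value of the custom OMA-URI setting in your MDM. Switching the call to -Action 'R' makes the add list the complete membership, which is why the function insists on at least one <add member> entry: with R, an account you forget to list (including the one you are logged on with) is removed from Administrators.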
Microsoft Documentation: Policy CSP - LocalUsersAndGroups - Windows Client Management | Microsoft Docs