Management of local groups on your clients can be achieved using Group Policy as well as Group Policy Preferences. This video looks at how Group Policy Preferences can be used to manage local groups on your clients and how to combine them with Group Policy Restricted Groups.
User/Group Management
Using preferences you can perform a number of actions on a local group.
Create: Will create the user\group if it does not exist. If the user\group does exist it will not be modified.
Replace: Will delete the user\group and recreate it. In the process of doing this the user\group will obtain a new SID.
Update: Will update the user\group as required. If the user\group does not exist it will be created.
Delete: Will remove the user\group.
Combining the two
If you use restricted groups and Group Policy Preferences together, restricted groups will override Group Policy Preferences.
Demonstration
The settings for modifying local users and groups are found in the following location.
Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
To create the settings for a user or group, click the blank area on the right and select new user and local group.
In the dialog to follow, you need to enter in the user and group that you want to target. There is also an option to rename the user or group if you require.
There are additional options on the Common tab. One useful option when changing group membership is “apply once and do not reapply”. This ensures that the setting is only ever applied once. It is useful when fixing problems with local groups, because it allows another administrator to change the local groups later without those changes being reversed on the next Group Policy refresh.
There is also an option for item-level targeting. This allows you to target the settings to certain computers or users based on criteria such as which groups they are in or how much memory is installed in the computer, to mention only a few of the options that are available.
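To review what a preference item will actually do to local groups, the settings can be read back from the GPO's Groups.xml file (stored under Machine\Preferences\Groups in the GPO's SYSVOL folder). The following is an added example, not part of the original page: the function name Get-GppLocalGroupSetting is hypothetical, the XML is a constructed sample, and the element and attribute names (action, groupName, Members/Member, Filters/FilterRunOnce) are assumptions about that file's format.

```powershell
# Constructed sample of a Group Policy Preferences Groups.xml (not from a real domain).
$sample = @'
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)">
      <Members>
        <Member name="EXAMPLE\Helpdesk" action="ADD" sid="" />
        <Member name="EXAMPLE\OldAdmins" action="REMOVE" sid="" />
      </Members>
    </Properties>
    <Filters><FilterRunOnce id="{00000000-0000-0000-0000-000000000000}" /></Filters>
  </Group>
  <Group name="LegacyOps">
    <Properties action="R" groupName="LegacyOps" />
  </Group>
</Groups>
'@

# Single-letter action codes mapped to the four actions described above.
$actionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

# Hypothetical helper: one summary row per local group preference item.
function Get-GppLocalGroupSetting {
    param([Parameter(Mandatory)][xml]$Xml)
    foreach ($group in $Xml.SelectNodes('//Group')) {
        $props = $group.SelectSingleNode('Properties')
        if (-not $props) { continue }              # skip malformed items
        $code = $props.GetAttribute('action')      # empty string if the attribute is missing
        $members = foreach ($m in $props.SelectNodes('Members/Member')) {
            '{0}:{1}' -f $m.GetAttribute('action'), $m.GetAttribute('name')
        }
        [pscustomobject]@{
            Group      = $props.GetAttribute('groupName')
            Action     = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown ($code)" }
            Members    = $members -join '; '
            # "Apply once and do not reapply" on the Common tab
            ApplyOnce  = [bool]$group.SelectSingleNode('Filters/FilterRunOnce')
            # Any other filter means item-level targeting is in use
            Targeted   = [bool]$group.SelectSingleNode('Filters/*[not(self::FilterRunOnce)]')
            # Replace deletes and recreates the group, so it gets a new SID
            GetsNewSid = ($code -eq 'R')
        }
    }
}

Get-GppLocalGroupSetting -Xml $sample | Format-Table -AutoSize
```

Against a real GPO, pass the file contents instead of the sample, for example `Get-GppLocalGroupSetting -Xml (Get-Content '<path to Groups.xml>' -Raw)`. Restricted Groups settings are not stored in this file, so a group that is also managed there will end up with the Restricted Groups membership.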