Local Group Management with Preferences

Create: Will create the user\group if it does not exist. If the user\group does exist it will not be modified.

Replace: This will delete the user\group and recreates it. In the process of doing this the user\group will obtain a new Sid.

Update: Will update the user\group as required. If the user\group does not exist it will be created.

Delete: Will remove the user\group.

Combing the two
If you use restricted groups and Group Policy Preferences together, restricted groups will override Group Policy Preferences.

Demonstration
The settings for modifying local users and groups are found in the following location.

Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups

To create the settings for a user or group, click the blank area on the right and select new user and local group.

In the dialog to follow, you need to enter in the user and group that you want to target. There is also an option to rename the user or group if you require.

There are additional options on the common tab. One useful option when changing group membership is, “apply once and do not reapply”. This will ensure that this setting is only ever applied once. When fixing problems with local groups, this is a useful option to use as it will allow another administrator to make changes later to the local groups without those changes being reversed back on the next group policy refresh.

There is also an option for item-level targeting. This will allow you to target the settings to certain computers or users like which groups they are in, how much memory is install in the computer only to mention a few of the options that are available.

References
“MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition” pg. 323 – 324

Credits