Limiting users that can log into a Win10 PC using Restricted Groups CSP

The title says it all. This is a useful capability for shared workstations and other scenarios where access to the PC needs to be limited. The credit goes to this blog post on, which you can read for the full details and pictures; I just want to pull out a few points from that post and add some of my own.

  1. In their scenario, the machine is Azure-only joined (way to go – hybrid join is a mess!). It turns out AAD doesn’t have a native way of achieving this: you must use MDM to manage the local Users security group on the machine.
  2. You use the Restricted Groups CSP to do it. Simply put, this lets you explicitly define the group membership via an XML payload: you push down a list, and the group membership is replaced to match it. So you pull the “Authenticated Users” group (= any AAD user) out of the local Users group and insert an explicit list of names instead.
     <groupmembership>
       <accessgroup desc = "Users">
         <member name = "AzureAD\" />
         <member name = "AzureAD\" />
         <member name = "NT Authority\INTERACTIVE" />
       </accessgroup>
     </groupmembership>
  3. Note that for AAD users the “AzureAD\” prefix is a must.
  4. In their post, the author uses Intune. Since this is a standard XML-based CSP, you can use any MDM capable of deploying custom XML. Here’s VMware Policy Builder doing it. In any case, you have to build the XML payload yourself, but as you can see it is very straightforward.
Win10 Restricted Groups CSP via VMware Policy Builder
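Added here as a worked PowerShell example (not code from this post or from the linked article): the first function builds the ConfigureGroupMembership payload for the local Users group from an allow-list of AAD UPNs, and the second audits a device's real Users membership against the same list, which is the check you want once the MDM reports the profile as applied. The OMA-URI path is the CSP's documented node; the UPNs and the net localgroup parsing are assumptions made for the example.

```powershell
# Added example, not code from the original post. Builds the RestrictedGroups CSP
# payload (OMA-URI ./Device/Vendor/MSFT/RestrictedGroups/ConfigureGroupMembership)
# for the local Users group from an allow-list of AAD UPNs, then audits a device's
# actual Users membership against that list. The UPNs below are constructed samples.

function Add-AadPrefix([string]$Upn) {
    # AAD accounts must carry the AzureAD\ prefix or the CSP will not resolve them
    if ($Upn -match '^AzureAD\\') { $Upn } else { "AzureAD\$Upn" }
}

function New-RestrictedUsersPayload([string[]]$AllowedUpns) {
    $members = @($AllowedUpns | ForEach-Object { "    <member name = `"$(Add-AadPrefix $_)`" />" })
    # Keep the default INTERACTIVE entry as the post does. Authenticated Users is left
    # out on purpose: that is what stops every AAD account from landing in Users.
    $members += '    <member name = "NT AUTHORITY\INTERACTIVE" />'
    $lines = @('<groupmembership>', '  <accessgroup desc = "Users">') +
             $members + @('  </accessgroup>', '</groupmembership>')
    return ($lines -join "`r`n")
}

function Test-UsersGroupMembership([string[]]$AllowedUpns,
                                   [string[]]$NetOutput = (net localgroup Users)) {
    # 'net localgroup' is parsed instead of Get-LocalGroupMember, which can throw on
    # AAD-joined devices when it cannot resolve an AAD SID. Members sit between the
    # dashed rule and the "The command completed" footer (footer text is localized).
    $actual = @(); $inList = $false
    foreach ($line in $NetOutput) {
        if ($line -match '^-{5,}')       { $inList = $true; continue }
        if ($line -match '^The command') { break }
        if ($inList -and $line.Trim())   { $actual += $line.Trim() }
    }
    $expected = @($AllowedUpns | ForEach-Object { Add-AadPrefix $_ }) + 'NT AUTHORITY\INTERACTIVE'
    [pscustomobject]@{
        # $true means the policy has not applied (or was reverted): any AAD user can still log on
        AuthenticatedUsersStillPresent = [bool]($actual -match 'Authenticated Users')
        Missing    = @($expected | Where-Object { $actual -notcontains $_ })
        Unexpected = @($actual   | Where-Object { $expected -notcontains $_ })
    }
}

# Usage: generate the payload to paste into the MDM's custom-XML setting, then audit.
$allowed = 'alice@contoso.com', 'bob@contoso.com'
New-RestrictedUsersPayload $allowed
Test-UsersGroupMembership $allowed | Format-List
```

Run the audit as a scheduled task or via the MDM's script channel and alert on AuthenticatedUsersStillPresent, since a later policy conflict or a manual change would silently reopen the machine to every AAD account.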

That’s pretty much it. Simple? Useful? Let me know!

