A large compliance area for us is to make sure certain groups are or are not in the local Administrators group on servers. I am really hoping to stick to a compliance rule to check if a certain user or group is within the local admins group.

Can you explain the Local Group data class area?

Thanks so much

The Groups Members data class is not enforceable, so the only thing you can do currently is check membership with a compliance rule.

To check presence or absence of a member in a group, use the Groups Members data class, and create a conditional rule with the group Name and the Member name in the top part of the rule (ANDed together), and Must Exist or Must Not Exist for the existence check, as appropriate. Leave the bottom part blank.

Thanks for the reply, but wouldnt that just check to see if both the group and the member are present or not, and not if the certain member was in the group?

Nope. This is the way it works. If it were a Basic rule, then you would be correct, but then you couldn't specify Must Exist or Must Not Exist.

This was a huge help to me, Thanks.  Really wish the compliance rules allowed you to mix Data Types.  Being able to disable any local account that didn't follow a correct format would be huge.

So I created the rule like so.. Again I am needing for the 'Server Ops' security group to be located in the local administrators group. I've tried the rule and it continues to fail. I also tried 'Member' = 'Built-in/Administrators' and it still seems to fail. Am I missing something?

So what finally worked was NAME = 'Administrators' and MEMBER = 'DOMAIN\Server ops'. Works perfectly!

Thanks so much for your help!