5 Replies Latest reply on Dec 6, 2019 3:56 AM by DEMdev

    Restricted Groups

    sjesse Master
    vExpert

      Hi

       

      Has anyone tried setting local computer groups with UEM in anyway? I have an app that requires users to be in two local computer groups, and right now its the one of the only realy reasons I need to use a GPO(I HATE GPOs ).

        • 1. Re: Restricted Groups
          DEMdev Master
          VMware Employees

          Hi sjesse,

           

          You can use argument-based privilege elevation to add or remove a user from a local group:

          However, those membership changes will only be picked up at the user's next logon...

          • 2. Re: Restricted Groups
            ijdemes Expert
            vExpert

            Hmm, for people that hate GPO's it would be very nice if one would be able to apply such "computer settings" using DEM.

            • 3. Re: Restricted Groups
              Mickeybyte Enthusiast

              The product used to be "User" environment manager, but was recently renamed to "Dynamic" environment manager. Maybe some changes are in the pipeline to broaden the possibilities to more than just "user" settings?

               

              Just a guess though...

               

              Michiel.

              • 4. Re: Restricted Groups
                sjesse Master
                vExpert

                Unfortunalty I need them on the first logon, but maybe I'll play around a bit if or think of a way I can make them logon and off again. I'm also thinking of testing something like puppet or ansible again for this.

                • 5. Re: Restricted Groups
                  DEMdev Master
                  VMware Employees

                  Hi sjesse,

                  Unfortunalty I need them on the first logon,

                  Yeah, that's what I expected

                  but maybe I'll play around a bit if or think of a way I can make them logon and off again.

                  Sure

                  Where C:\Flex\sjesse.cmd contains the following:

                   

                  C:\Windows\System32\net.exe localgroup "Demo Group" "%username%" /ADD

                  "C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe" -m "NOTE:" "You'll be logged off"

                  C:\Windows\System32\logoff.exe

                   

                  User logs on:

                  2019-12-06 12:46:42.069 [INFO ] Performing path-based import

                  ...

                  2019-12-06 12:46:42.099 [INFO ] Collected argument-based privilege elevation settings to apply for elevated applications ('Local Group Test.xml')

                  ...

                  2019-12-06 12:46:42.122 [DEBUG] Conditions: Check for user membership of group 'Demo Group' = false

                  2019-12-06 12:46:42.175 [INFO ] Successfully created shortcut in programs menu ('sjesse.xml')

                   

                  User is automatically logged off (after clicking away the message box):

                  2019-12-06 12:51:39.059 [INFO ] Performing path-based export

                  ...

                  2019-12-06 12:51:39.132 [DEBUG] Successfully removed shortcut 'C:\Users\testuser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sjesse.lnk' ('sjesse.xml')

                  ...

                  2019-12-06 12:51:39.139 [INFO ] Privilege elevation statistics:

                  2019-12-06 12:51:39.139 [INFO ]    Elevated C:\Windows\System32\net.exe 1 time (argument-based).

                   

                  User logs on again:

                  2019-12-06 12:51:48.507 [INFO ] Performing path-based import

                  ...

                  2019-12-06 12:51:48.571 [DEBUG] Conditions: Check for user membership of group 'Demo Group' = true

                  2019-12-06 12:51:48.571 [INFO ] Skipping shortcut due to conditions ('sjesse.xml')