Group Management

Every Computer Group is divided into Groups and Users. In this context, both Groups and Users refer to the local accounts on the computers in that Computer Group, plus any Azure AD synchronized resources associated with it.

[Image: local]

The Computer Group page lists all local groups on this set of computers, and provides a high-level overview of the selected computer group based on Local Users, Local Groups, and the number of computers in the group.

When an agent registers, Local Security will automatically discover the local groups that exist on each machine.

The Group Management and User Management pages load faster because they show only managed and built-in users and groups by default. Inventoried users and groups no longer appear by default unless there are fewer than 200 workstations in that computer group. You can still manage any group or user on those workstations by clicking Create User or Create Group in the top right of the respective table.

Create New Local Group

To create a new Group,

  1. Under your Computer Group, select Group Management.

  2. Click Create Group.

  3. Enter a name for your new group.

  4. Click Create. The Group Details page is displayed. The Manage Group switch is by default set to Yes.

  5. Click Add Member.

  6. From the Type drop-down, select either

    • Domain User
    • Domain Group
    • Local Users
    • Local Users (Manual Entry)
    • Local Users (Regex)

  7. On the Add Member dialog, select from the available resource items for Domain User or Domain Group. For Local Users, select the user from the list (see the example image below). Local Users (Manual Entry) lets you type specific local user names. Local Users (Regex) lets you match local user names with a regular expression.

    Use a specific and restrictive expression. Privilege Manager cannot guarantee that an expression will never match an unintended user. Validate the expression yourself (for example with a regex tester) before saving it, and review the group's members regularly.

    [Image: member]

  8. Click Add Member.

  9. The Group Details page is displayed. Review all settings before clicking Save Changes.
    Refer to Manage Local Groups.
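The following is an added example, not code from Privilege Manager or its documentation, for checking a Local Users (Regex) pattern against account names before you save it. It assumes that Privilege Manager evaluates the pattern as a .NET regular expression against the bare local account name and ignores case (Windows account names are case-insensitive); PowerShell's `-match` uses the same engine, so the results should agree, but confirm against the group's Members table once the policy has applied. `Get-LocalUser` requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later).

```powershell
# Added example: test a "Local Users (Regex)" pattern before saving it.
# Assumption: the console evaluates the pattern as a case-insensitive .NET
# regex against the bare account name (no COMPUTER\ prefix).

function Test-LocalUserPattern {
    param(
        [Parameter(Mandatory)] [string] $Pattern,
        # Defaults to the real local accounts; pass -Names to test offline.
        [string[]] $Names = (Get-LocalUser | Select-Object -ExpandProperty Name),
        # The accounts you intend the pattern to match.
        [string[]] $Expected = @()
    )
    # A malformed pattern throws here instead of silently matching nothing.
    $regex = [regex]::new($Pattern, [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)

    $matched    = @($Names    | Where-Object { $regex.IsMatch($_) })
    # Matched but not expected: these would become group members by accident.
    $unintended = @($matched  | Where-Object { $Expected -notcontains $_ })
    # Expected but not matched: the pattern is too narrow.
    $missed     = @($Expected | Where-Object { $matched -notcontains $_ })

    [pscustomobject]@{
        Pattern    = $Pattern
        Matched    = $matched
        Unintended = $unintended
        Missed     = $missed
        Safe       = ($unintended.Count -eq 0 -and $missed.Count -eq 0)
    }
}

# Constructed sample of account names of the kind found across a fleet.
$sample = 'Administrator', 'Guest', 'DefaultAccount', 'la-helpdesk', 'la-backup',
          'adminjohn', 'svc_sqladmin', 'LA-HELPDESK2'

# Loose, unanchored pattern: intends la-helpdesk but also matches LA-HELPDESK2.
Test-LocalUserPattern -Pattern 'helpdesk' -Names $sample -Expected 'la-helpdesk'

# Restrictive pattern: anchored, fixed prefix, bounded character class.
# Matches exactly la-helpdesk and la-backup; LA-HELPDESK2 fails the "$" anchor.
Test-LocalUserPattern -Pattern '^la-[a-z]{4,10}$' -Names $sample -Expected 'la-helpdesk', 'la-backup'
```

Run it without `-Names` on a representative endpoint from the computer group, and repeat on a few others, since the pattern is applied to every machine in the group and an account that exists on only one of them can still be pulled in.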

Manage Local Groups

Managing a local group means that you determine which user accounts are in the group. In other words, once a group is managed, its membership is held static and can no longer be changed directly on the endpoint. Before adding users to any group, make sure you really want all of those users in that particular group: any exact group membership setting is rolled out to ALL endpoints in that computer group.

Details tab

If a local group is not managed, the Manage Group switch is set to No. To manage the group, set Manage Group to Yes, click Save Changes, then click Yes to confirm. Changes to these settings may take up to 15 minutes to reach your endpoints.

When managing a group, existing members and any that have been added to the policy appear in the Members table. Users are added, removed, or ignored according to the configured membership, and the result is applied consistently across all endpoints in this computer group. From the drop-down next to each member, choose which operation to perform if that account (user) is found on the endpoint. The following options can be selected:

  • Ignore if found
  • Add if missing
  • Remove if found

Setting All Other Users and Groups to Remove if found enforces exact group membership. In that mode, Ignore if found cannot be used on individual accounts in the group: an account initially listed as Ignore if found switches to Remove if found when exact membership is enabled. Individually listed accounts can still be set to Add if missing. See also Non-Managed Local Users in Group Management for details about non-managed users in managed groups.

Once saved, group membership is permanently defined. Any change made directly on the endpoint that deviates from this policy is immediately reverted by the agent.

The last row defines what action to take on all other users and groups. This ensures exact membership can be defined and any other users or groups can be automatically removed.
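Because an exact-membership policy is applied to every endpoint in the computer group, it is worth seeing what the agent would add and remove on a given machine before you save it. The script below is an added example, not Privilege Manager code; it models the three per-member actions from the Details tab and the behaviour described above for All Other Users and Groups, including the rule that Ignore if found rows are treated as Remove if found once exact membership is on. It compares on the bare account name, case-insensitively, and assumes `Get-LocalGroupMember` reports members as `COMPUTER\name` or `DOMAIN\name`. The sample group, members and policy are constructed.

```powershell
# Added example: preview the membership changes an exact-membership policy
# would make on this endpoint. Assumptions: per-member actions are the three
# from the Details tab, and with -ExactMembership the "all other users and
# groups" row is Remove if found, which also turns Ignore if found rows into
# Remove if found (as the documentation states).

function Get-GroupMembershipDrift {
    param(
        [Parameter(Mandatory)] [string] $Group,
        # Policy rows: account name => 'Add if missing' | 'Remove if found' | 'Ignore if found'
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Policy,
        [switch] $ExactMembership,
        # Current members; defaults to the live group, pass -Current to test offline.
        [string[]] $Current = (Get-LocalGroupMember -Group $Group | ForEach-Object { $_.Name })
    )
    # Strip 'COMPUTER\' / 'DOMAIN\' and normalise case so names compare like the console does.
    $currentNames = @($Current | ForEach-Object { ($_ -split '\\')[-1].ToLowerInvariant() })

    $actions = [ordered]@{}
    foreach ($key in $Policy.Keys) {
        $action = $Policy[$key]
        if ($ExactMembership -and $action -eq 'Ignore if found') { $action = 'Remove if found' }
        $actions[$key.ToLowerInvariant()] = $action
    }

    $changes = [System.Collections.Generic.List[string]]::new()
    foreach ($name in $actions.Keys) {
        $present = $currentNames -contains $name
        switch ($actions[$name]) {
            'Add if missing'  { if (-not $present) { $changes.Add("ADD    $name") } }
            'Remove if found' { if ($present)      { $changes.Add("REMOVE $name") } }
            'Ignore if found' { }   # left alone whether present or not
            default           { throw "Unknown action '$($actions[$name])' for $name" }
        }
    }
    if ($ExactMembership) {
        # Anything on the endpoint that the policy does not name is removed.
        foreach ($name in $currentNames) {
            if (-not $actions.Contains($name)) { $changes.Add("REMOVE $name (not in policy)") }
        }
    }
    return $changes
}

# Constructed current membership of a local group on one endpoint.
$current = 'WS01\jsmith', 'CORP\RDP-Users', 'WS01\la-helpdesk', 'CORP\Contractors'

# Constructed policy as it would be entered in the Members table.
$policy = [ordered]@{
    'RDP-Users'   = 'Add if missing'
    'rdp-svc'     = 'Add if missing'
    'la-helpdesk' = 'Ignore if found'
    'jsmith'      = 'Remove if found'
}

# Without exact membership: ADD rdp-svc, REMOVE jsmith; Contractors and la-helpdesk untouched.
Get-GroupMembershipDrift -Group 'Remote Desktop Users' -Policy $policy -Current $current

# With exact membership: additionally REMOVE la-helpdesk (Ignore became Remove)
# and REMOVE contractors (not in policy).
Get-GroupMembershipDrift -Group 'Remote Desktop Users' -Policy $policy -Current $current -ExactMembership
```

The second call is the one to study: the two extra removals are exactly the entries that surprise administrators when they flip All Other Users and Groups to Remove if found, so run the preview on several endpoints in the group before saving.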

Statistics tab

The Statistics tab for a local group highlights some quick visual statistics and links you to relevant reports based on key factors like how many computers from your network are included in this group and whether there have been changes made to the group's membership within the specified period. Click on these graphs to drill down into more details.

The reports in the “Related Reports” sections are scoped to only include endpoints in the current computer group. To view reports across all computers, go to the Reports section of the product.

Audit tab

The Audit tab is where you will find an audit record of all membership additions and deletions that have been made to your local groups.

When the agent changes a group's membership according to the configuration in Privilege Manager, the change is recorded in the Audit tab as a user Added or Removed.

[Image: statistics]

Delete Local Users and Groups

Privilege Manager lets you delete local users and groups by name through the Scheduling function. You can also delete the associated user profile folders: the Remove User Folders switch (set to Yes by default) deletes the matching folders under C:\Users.

[Image: delete]

To delete User Names and Group Names:

  1. From the left navigation pane of the Privilege Manager console, select Computer Groups.

  2. From a computer group, select Scheduled Jobs.

  3. Click Create Scheduled Job.

  4. From the Create Scheduled Job window, enter a Name and Description – ensuring each is meaningful and aligned with the task you are scheduling.

  5. From the Client Command drop-down list box, select Local Security Delete Command.

  6. Click Create.

  7. Scroll to the Job Settings section of the page that opens, entering text in the appropriate User Names and Group Names fields. Enter one name per line, pressing ENTER to add multiple entries in one or both fields.

    Neither the User Names nor Group Names fields are case sensitive; however, you must spell each name exactly. For example, entering JOHN DOE, john doe, or John DoE will delete the user John Doe, but entering John Doee will not remove the John Doe user. You also cannot prefix a user name with the computer or domain name: PMQA1Z-1234-1\JohnDoe123 will not remove the JohnDoe123 user. Similarly, for Group Names, entering GROUP ONE, group one, or Group OnE will delete Group One, while entering Group 1 will not remove the Group One group.

  8. Accept the default Yes position of the Remove User Folders switch to delete the associated user profile folders (under C:\Users). Slide this switch to the left (No) if you do not want to delete these folders.

  9. To schedule the job run frequency, click Add Trigger. Here, you can establish run dates and times, managing the job schedule using Privilege Manager. Alternatively, you can disregard Add Trigger, running scheduled jobs on an ad hoc basis from the agent workstation.

  10. To store your updates, click Save Changes. The Inactive switch appears near the top right of the page. You can slide this switch to the right, activating the scheduled job.
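Since the job is destructive and removes profile folders by default, a pre-flight check of the names you intend to enter is worthwhile. The script below is an added example, not Privilege Manager code; it applies the matching rules described in step 7 (case-insensitive, exact spelling, no computer or domain prefix) to a list of names on an endpoint and reports which would be deleted, which would not match, and which profile folder would go with each user. It assumes the job's matching behaves exactly as documented and that a user's profile folder is the `Win32_UserProfile` entry with the same SID. The inventory objects used in the demonstration are constructed; omit the `-LocalUsers`, `-LocalGroups` and `-Profiles` arguments to run it against the live endpoint.

```powershell
# Added example: pre-flight a Local Security Delete Command job's name lists.
# Assumptions: names match case-insensitively and exactly, a COMPUTER\ or
# DOMAIN\ prefix never matches, and the profile folder removed with a user is
# the Win32_UserProfile entry carrying that user's SID.

function Test-LocalSecurityDeleteList {
    param(
        [string[]] $UserNames  = @(),
        [string[]] $GroupNames = @(),
        # Live inventory by default; pass these to test offline.
        [object[]] $LocalUsers  = (Get-LocalUser),
        [object[]] $LocalGroups = (Get-LocalGroup),
        [object[]] $Profiles    = (Get-CimInstance Win32_UserProfile)
    )
    foreach ($entry in $UserNames) {
        $row = [ordered]@{ Kind = 'User'; Entry = $entry; Status = ''; Folder = $null }
        if ($entry -match '\\') {
            $row.Status = 'REJECT: COMPUTER\ or DOMAIN\ prefix will not match'
        } else {
            # String -eq is case-insensitive in PowerShell, like the job's matching.
            $user = $LocalUsers | Where-Object { $_.Name -eq $entry } | Select-Object -First 1
            if ($null -eq $user) {
                $row.Status = 'NOT FOUND: check spelling'
            } else {
                $row.Status = 'WILL DELETE'
                $sid = [string]$user.SID   # works for a SecurityIdentifier or a plain string
                $row.Folder = ($Profiles | Where-Object { [string]$_.SID -eq $sid } |
                               Select-Object -First 1).LocalPath
            }
        }
        [pscustomobject]$row
    }
    foreach ($entry in $GroupNames) {
        $status = if ($entry -match '\\') { 'REJECT: prefix will not match' }
                  elseif ($LocalGroups | Where-Object { $_.Name -eq $entry }) { 'WILL DELETE' }
                  else { 'NOT FOUND: check spelling' }
        [pscustomobject]@{ Kind = 'Group'; Entry = $entry; Status = $status; Folder = $null }
    }
}

# Constructed endpoint inventory standing in for the live cmdlets.
$users = @(
    [pscustomobject]@{ Name = 'John Doe';    SID = 'S-1-5-21-1-2-3-1001' },
    [pscustomobject]@{ Name = 'la-helpdesk'; SID = 'S-1-5-21-1-2-3-1002' }
)
$groups   = @([pscustomobject]@{ Name = 'Group One' })
$profiles = @([pscustomobject]@{ SID = 'S-1-5-21-1-2-3-1001'; LocalPath = 'C:\Users\John Doe' })

# Expected: JOHN DOE -> WILL DELETE (C:\Users\John Doe); John Doee -> NOT FOUND;
# WS01\la-helpdesk -> REJECT; group one -> WILL DELETE; Group 1 -> NOT FOUND.
Test-LocalSecurityDeleteList -UserNames 'JOHN DOE', 'John Doee', 'WS01\la-helpdesk' `
                             -GroupNames 'group one', 'Group 1' `
                             -LocalUsers $users -LocalGroups $groups -Profiles $profiles |
    Format-Table -AutoSize
```

Any row reporting NOT FOUND or REJECT is a name the job will silently skip, and any WILL DELETE row with a Folder value is data that disappears when Remove User Folders is left at Yes.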