I have an AD service account I want to make local admin on just 5 SQL servers. Should I create an AD group for it and stick this one account in it then add this group to local admins on those five machines? If I do that should I create a GPO to add the group to the local admins on those servers?
* I don't expect this group membership to change.
* I don't expect this server list to change anytime soon (>1 yr).

The current framework is that I have the account created and the AD description is "Used for the <blah blah blah> service on <Server1>. Also, see notes under telephones tab". In the Telephones notes tab I list out the servers the account is local admin on.

We don't currently use any products other than Outlook where non-admins can see AD account attributes, but it still feels like a poor way to document where this account is local admin. I do prefer being able to look in AD to see where accounts have access, be it NTFS or being local admin on specific servers. I don't want to have to query each system itself to know what's local admin on it or not...

Comments?
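The setup the question sketches (one group holding the one account, a GPO that drops the group into the local Administrators group, and the server list documented on the AD objects themselves), written out as an added PowerShell example rather than anything from the original post. The account name `svc-sqlagent`, servers `SQL01`..`SQL05`, group `LA-SQL-Servers-svc-sqlagent`, GPO name and OU paths are all assumed placeholders. The last two steps are the checks worth keeping: one enumerates the real local Administrators membership on each server so the documentation can be compared against reality, the other answers "where does this account have admin rights?" from AD alone by reading the descriptions of the groups it belongs to.

```powershell
# Added example, not code from the original post. Assumed names throughout:
# account svc-sqlagent, servers SQL01..SQL05, group LA-SQL-Servers-svc-sqlagent,
# OUs under DC=corp,DC=example. Adjust to your environment.
#Requires -Modules ActiveDirectory, GroupPolicy
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ServiceAccount = 'svc-sqlagent'                              # assumed account
$Servers        = 'SQL01','SQL02','SQL03','SQL04','SQL05'     # assumed server list
$GroupName      = 'LA-SQL-Servers-svc-sqlagent'               # assumed group name
$GroupOU        = 'OU=Groups,DC=corp,DC=example'              # assumed OU
$ServerOU       = 'OU=SQL Servers,OU=Servers,DC=corp,DC=example' # assumed OU holding only the 5 servers
$GpoName        = "LocalAdmins-SQL-$ServiceAccount"           # assumed GPO name

# 1. One security group per "who is local admin on what" relationship.
#    The server list lives in the group's description, so the answer to
#    "where is this admin?" is readable from AD without touching the servers.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Path $GroupOU `
        -Description "Local Administrators on $($Servers -join ', ') for $ServiceAccount"
}
Add-ADGroupMember -Identity $GroupName -Members $ServiceAccount

# 2. Point the account at the group instead of listing servers in the Telephones tab.
Set-ADUser -Identity $ServiceAccount `
    -Description "Service account; local admin rights granted via group $GroupName"

# 3. Create the GPO and link it to the OU that contains only the five servers.
#    The membership setting itself is configured in the Group Policy Management
#    Editor: Computer Configuration > Policies > Windows Settings > Security
#    Settings > Restricted Groups, add $GroupName and set
#    "This group is a member of: Administrators". (Do NOT use the "Members of
#    this group" setting on the Administrators group unless you intend to
#    replace the local group's entire membership on every linked server.)
if (-not (Get-GPO -All | Where-Object Name -eq $GpoName)) {
    New-GPO -Name $GpoName | New-GPLink -Target $ServerOU | Out-Null
}

# 4. Verify reality, not documentation: enumerate the local Administrators
#    group on each server and flag members that arrived by some path other
#    than the intended group (direct adds, nested groups, local accounts).
function Get-LocalAdminReport {
    param([string[]]$ComputerName, [string]$ExpectedGroup)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } },
                          Name, ObjectClass, PrincipalSource
    } | ForEach-Object {
        [pscustomobject]@{
            Server   = $_.Server
            Member   = $_.Name
            Type     = $_.ObjectClass
            Source   = $_.PrincipalSource
            Expected = ($_.Name -like "*\$ExpectedGroup") -or
                       ($_.Name -like '*\Domain Admins') -or
                       ($_.Name -like "$($_.Server)\Administrator")
        }
    }
}
Get-LocalAdminReport -ComputerName $Servers -ExpectedGroup $GroupName |
    Sort-Object Server, Member | Format-Table -AutoSize

# 5. The reverse lookup the post wants, answered from AD alone: every group the
#    account belongs to, with the description that names the servers.
Get-ADPrincipalGroupMembership -Identity $ServiceAccount |
    Get-ADGroup -Properties Description |
    Select-Object Name, Description
```

Step 4 needs WinRM reachable on the SQL servers and an account that can read local group membership there; run it on a schedule and diff the output, since the GPO guarantees the group is present but says nothing about what else has been added to Administrators by hand.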

