In my opinion: yes and yes.  I just don't like adding user accounts, I prefer 
to use groups.  Also helps with RBAC.

Thanks


Webster


> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Dave Lum
> Sent: Thursday, November 06, 2014 10:36 AM
> To: [email protected]
> Subject: [NTSysADM] Local admin account
> 
> I have an AD service account I want to make local admin on just 5 SQL
> servers. Should I create an AD group for it and stick this one account in it
> then add this group to local admins on those five machines? If I do that
> should I create a GPO to add the group to the local admins on those servers?
> 
> * I don't expect this group membership to change
> * I don't expect this server list to change anytime soon (>1yr)
> 
> The current framework is that I have the account created and the AD
> description is "Used for the <blah blah blah> service on <Server1>. Also, see
> notes under telephones tab"
> In the Telephones notes tab I list out the servers the account is local admin
> on
> 
> We don't currently use any products other than Outlook where non-admins
> can see AD account attributes, but it still feels like a poor way to document
> where this account is local admin.
> 
> I do prefer being able to look in AD to see where accounts have access, be it
> NTFS or being local admin on specific servers - I don't want to have to query
> each system itself to know what's local admin on it or not...
> 
> Comments?
> 
> 
> 
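One way to set up and verify the group-based approach discussed in this thread, shown as an added example that is not part of the original messages. It adds the group to the local Administrators group directly over PowerShell remoting rather than through a GPO, and the group description records the server list so the scope is visible in AD. The group name, service account, OU and server names are placeholders, and it assumes the ActiveDirectory module, PowerShell remoting and the `Microsoft.PowerShell.LocalAccounts` cmdlets (Windows PowerShell 5.1) are available.

```powershell
Import-Module ActiveDirectory

# Placeholder values (assumptions, not from the thread): substitute your own.
$GroupName  = 'SRV-SQL-LocalAdmins'
$SvcAccount = 'svc-example'
$GroupOU    = 'OU=Groups,DC=example,DC=com'
$Servers    = 'SQL01', 'SQL02', 'SQL03', 'SQL04', 'SQL05'

# 1. Create the group if it does not exist. The description documents
#    what the group grants, so the answer lives in AD, not on each server.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupOU -Description "Local admin on: $($Servers -join ', ')"
}

# 2. Put the service account in the group (skip if already a member).
$members = Get-ADGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $SvcAccount) {
    Add-ADGroupMember -Identity $GroupName -Members $SvcAccount
}

# 3. On each server, make sure the group is in local Administrators
#    (well-known SID S-1-5-32-544, so the check is locale-independent),
#    then return the resulting membership for review.
$principal = "$((Get-ADDomain).NetBIOSName)\$GroupName"
$report = Invoke-Command -ComputerName $Servers -ArgumentList $principal -ScriptBlock {
    param($Principal)
    $adminSid = 'S-1-5-32-544'
    $current  = Get-LocalGroupMember -SID $adminSid
    if ($current.Name -notcontains $Principal) {
        Add-LocalGroupMember -SID $adminSid -Member $Principal
    }
    Get-LocalGroupMember -SID $adminSid |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 4. One table for all servers. Domain *user* entries here are accounts
#    that were added directly instead of through a group.
$report | Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, ObjectClass, PrincipalSource
```

Re-running the script changes nothing once the state is correct, so it can double as a periodic drift check on the five servers.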


