We do something similar. Add the desired account(s) to a group, use a GPO to
make that group local admin. You can restrict the scope of the GPO by either
security group or individual machines, whichever you prefer, but I'd create
both SpecialTaskUsers and SpecialTaskComputers groups. Use the Computers
group to scope the GPO and add the Users group in the GPO.
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Dave Lum
Sent: Thursday, November 06, 2014 11:36 AM
To: [email protected]
Subject: [NTSysADM] Local admin account
I have an AD service account I want to make local admin on just 5 SQL servers.
Should I create an AD group for it and stick this one account in it then add
this group to local admins on those five machines? If I do that should I create
a GPO to add the group to the local admins on those servers?
* I don't expect this group membership to change
* I don't expect this server list to change anytime soon (>1yr)
The current framework is that I have the account created and the AD description
is "Used for the <blah blah blah> service on <Server1>. Also, see notes under
telephones tab"
In the Telephones notes tab I list out the servers the account is local admin on
We don't currently use any products other than Outlook where non-admins can see
AD account attributes, but it still feels like a poor way to document where
this account is local admin.
I do prefer being able to look in AD to see where accounts have access, be it
NTFS or being local admin on specific servers - I don't want to have to query
each system itself to know what's local admin on it or not...
Comments?
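The two-group pattern from the reply (a users group that gets admin, a computers group that scopes the GPO), written out as an added PowerShell example; this is not code from either poster. The domain, OU paths, service account name, GPO name and the five server names are all assumed placeholders. The Restricted Groups entry itself has no cmdlet and is set once in GPMC, as the comment notes; the group descriptions and the computers group membership then replace the Telephones-tab notes as the record of where the account is local admin.

```powershell
# Added example, not from the thread. All names below are assumptions.
#Requires -Modules ActiveDirectory, GroupPolicy

$GroupOU    = 'OU=Groups,DC=example,DC=com'            # assumed
$ServerOU   = 'OU=SQL Servers,DC=example,DC=com'       # assumed: OU holding the five SQL servers
$UsersGroup = 'SpecialTaskUsers'                        # group name from the reply
$CompGroup  = 'SpecialTaskComputers'                    # group name from the reply
$SvcAccount = 'svc_sqltask'                             # assumed sAMAccountName of the service account
$Servers    = 'SQL01','SQL02','SQL03','SQL04','SQL05'   # assumed hostnames
$GpoName    = 'LocalAdmin-SpecialTask'                  # assumed

# 1. Two groups: who gets admin, and where. The description on each group is the
#    documentation that otherwise lives in the account's Telephones notes tab.
New-ADGroup -Name $UsersGroup -GroupScope Global -GroupCategory Security -Path $GroupOU `
    -Description "Members are local Administrators on members of $CompGroup via GPO $GpoName"
New-ADGroup -Name $CompGroup -GroupScope Global -GroupCategory Security -Path $GroupOU `
    -Description "Servers on which $UsersGroup is a local Administrator (GPO $GpoName)"

Add-ADGroupMember -Identity $UsersGroup -Members $SvcAccount
# Computers are passed as objects so the trailing '$' on their sAMAccountName is handled for us.
Add-ADGroupMember -Identity $CompGroup -Members ($Servers | ForEach-Object { Get-ADComputer $_ })

# 2. GPO linked to the server OU but applied only to members of the computers group.
New-GPO -Name $GpoName -Comment "Adds $UsersGroup to local Administrators; scoped to $CompGroup" | Out-Null
New-GPLink -Name $GpoName -Target $ServerOU -LinkEnabled Yes | Out-Null
# Security filtering: drop the default Apply right for Authenticated Users down to Read
# (computers still need Read to process the GPO), then grant Apply to the computers group.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $CompGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. The Restricted Groups entry has no cmdlet. Set it once in GPMC under
#    Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups:
#    add $UsersGroup and fill in "This group is a member of: Administrators".
#    Do not instead configure the local Administrators group's "Members of this group" list:
#    that variant replaces the entire local Administrators membership on every targeted server.

# 4. Answer "where is this account local admin?" from AD alone: the computers group is the
#    server list, and the users group shows which accounts ride on it.
function Get-SpecialTaskScope {
    [PSCustomObject]@{
        Accounts = @(Get-ADGroupMember -Identity $UsersGroup | Select-Object -ExpandProperty SamAccountName)
        Servers  = @(Get-ADGroupMember -Identity $CompGroup  | Select-Object -ExpandProperty Name)
    }
}

# 5. Confirm the policy actually landed on the hosts after gpupdate
#    (Get-LocalGroupMember needs Windows PowerShell 5.1 or later on the servers).
function Test-SpecialTaskAdmin {
    param([string[]]$ComputerName = $Servers)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
    }
}

Get-SpecialTaskScope
Test-SpecialTaskAdmin | Where-Object Name -like "*\$UsersGroup"
```

Step 5 is the one-time check after rollout; day to day, `Get-SpecialTaskScope` answers the question from AD without touching the servers, which is what the original post asked for.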