I would always add the user to an AD group and add the group to Administrators, as you said. But since it's only 5 machines, as opposed to a whole OU of machines, it doesn't seem like it's worth using a GPO that will need to have security filtering maintained.
If enforcement of either the Administrators group or the AD group is needed, this type of Restricted Group doesn't really provide that. (This is sometimes called a "reverse restricted group" because instead of restricting the users who are in a group, you are designating a group that must be a member of another group.)

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dave Lum
Sent: Thursday, November 6, 2014 11:36 AM
To: [email protected]
Subject: [NTSysADM] Local admin account

I have an AD service account I want to make local admin on just 5 SQL servers. Should I create an AD group for it and stick this one account in it, then add this group to local admins on those five machines? If I do that, should I create a GPO to add the group to the local admins on those servers?

* I don't expect this group membership to change
* I don't expect this server list to change anytime soon (>1yr)

The current framework is that I have the account created and the AD description is "Used for the <blah blah blah> service on <Server1>. Also, see notes under telephones tab". In the Telephones notes tab I list out the servers the account is local admin on.

We don't currently use any products other than Outlook where non-admins can see AD account attributes, but it still feels like a poor way to document where this account is local admin. I do prefer being able to look in AD to see where accounts have access, be it NTFS or being local admin on specific servers - I don't want to have to query each system itself to know what's local admin on it or not...

Comments?
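As an added example (not part of this thread), a PowerShell snippet that does the manual alternative to the GPO discussed above: it audits the local Administrators group on a fixed list of servers, shows what else is local admin there, and adds the AD group only where it is missing. The server names and the group name are assumed placeholders; it assumes WinRM is enabled on the targets and that they have the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 or later).

```powershell
# Added example, not from the thread. Server and group names below are placeholders.
$servers = 'SQL01', 'SQL02', 'SQL03', 'SQL04', 'SQL05'   # assumed server names
$adGroup = 'CONTOSO\SQL-Service-LocalAdmins'               # assumed DOMAIN\group

# Step 1: collect the current Administrators membership from every server in one pass.
$report = Invoke-Command -ComputerName $servers -ArgumentList $adGroup -ScriptBlock {
    param($group)
    $members = Get-LocalGroupMember -Group 'Administrators' |
               Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Server   = $env:COMPUTERNAME
        HasGroup = ($members -contains $group)   # -contains is case-insensitive
        Members  = ($members -join '; ')
    }
}

# Step 2: show where the group is already present and what else is local admin,
# which answers "who is local admin on this box" without opening each server.
$report | Sort-Object Server | Format-Table Server, HasGroup, Members -AutoSize

# Step 3: add the group only where it is missing, so re-running is harmless.
# -WhatIf prints the intended change; drop it to apply.
foreach ($r in ($report | Where-Object { -not $_.HasGroup })) {
    Invoke-Command -ComputerName $r.Server -ArgumentList $adGroup -ScriptBlock {
        param($group)
        Add-LocalGroupMember -Group 'Administrators' -Member $group -WhatIf
    }
}
```

Unlike a Restricted Groups "Member of" policy, this does not enforce membership over time; re-running the audit step periodically is what tells you whether the group (or anything unexpected) has been added or removed since.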

