Users are often added to the local "Administrators" group on servers or PCs to give them admin rights on the corresponding computers. Although this is the easiest way to configure admin rights for a user account, it is unfortunately easy to lose track of who has rights where.
Here is an example of the members of the local administrator group of a server:
The users Admin01 and Admin02 therefore have admin rights here. The disadvantages of this method are obvious:
- If an additional user is added, this user must be entered on all servers where the corresponding rights are required
- If another server is added, all users must be entered accordingly
- If a user leaves the company (e.g. Admin01) and the account is deleted, orphaned entries (unresolvable SIDs) remain in the local admin groups
- It is almost impossible to see on which servers which user has admin rights
Here is an example of one of these orphaned entries:
It is therefore usually easier to work with groups. An AD group can be created for each server, which is then added to the local "Administrators" group. This makes it possible to find out which user has admin rights on which servers via the memberships in AD. These server admin groups can also be combined into roles. For example, if there are 3 file servers, the server admin groups (e.g. FS1_Admins, FS2_Admins, FS3_Admins) can be combined via a further group "FileServer_Admins". A new user then only needs to be added to the "FileServer_Admins" group in order to receive the corresponding permissions on all 3 file servers.
In smaller environments, this procedure can usually be implemented quite well, but you rarely start from scratch. So if you want to use corresponding admin groups per server, you have to touch the existing memberships of the local administrator group at some point and convert them into group memberships.
To avoid having to do all this manually, I have created a small PowerShell script. The script runs through all computer accounts of an OU and creates a corresponding admin group for each computer account. All local admin users then end up in the newly created group. Only the new group is then added to the local Administrators group, and the individual users are removed from the local group. This saves a lot of work.
To give you a better idea of how the script works, I have recorded a short video:
As can be seen in the video, 3 lines must be adapted in the script. The variable "ServerOU" specifies which OU is to be searched for computer accounts. The script then runs through all computer accounts in this OU. "SMBDomainName" is the NetBIOS name of the Active Directory domain. "GroupOU" specifies the OU in which the new groups are to be created. For the script to work, access to the computers must be possible via WMI.
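The following is an added example of the migration described above; it is not the post's own script. It assumes the ActiveDirectory module, PowerShell remoting to the servers (instead of the WMI access the original uses), the LocalAccounts cmdlets on the targets, and the placeholder OU and domain values shown; the dry-run switch lets you review the planned moves before anything is changed.

```powershell
# Added example (not the original post's script). Assumes the ActiveDirectory
# module, PowerShell remoting instead of WMI, and placeholder OU/domain values.
Import-Module ActiveDirectory

$ServerOU      = "OU=Servers,DC=corp,DC=example"           # assumption: OU to scan
$SMBDomainName = "CORP"                                    # assumption: NetBIOS name
$GroupOU       = "OU=ServerAdminGroups,DC=corp,DC=example" # assumption: target OU
$DryRun        = $true   # report only; set to $false to apply the changes

foreach ($computer in Get-ADComputer -Filter * -SearchBase $ServerOU) {
    $name      = $computer.Name
    $groupName = "$($name)_Admins"

    # Read the current members of the local Administrators group remotely.
    try {
        $members = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group "Administrators"
        }
    } catch {
        Write-Warning "$name`: cannot read local Administrators ($($_.Exception.Message))"
        continue
    }

    # Migrate only accounts from our domain. Local accounts (built-in Administrator)
    # and Domain Admins stay; orphaned SIDs are not "ActiveDirectory" and are skipped.
    $toMigrate = $members | Where-Object {
        $_.PrincipalSource -eq 'ActiveDirectory' -and
        $_.Name -like "$SMBDomainName\*" -and
        $_.Name -ne "$SMBDomainName\Domain Admins"
    }
    $userNames = @($toMigrate | ForEach-Object Name)
    $samNames  = @($userNames | ForEach-Object { $_.Split('\')[1] })
    Write-Host "$name -> $groupName : $($samNames -join ', ')"
    if ($DryRun) { continue }

    # Create the per-server group once, then fill it with the current admins.
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
                    -Path $GroupOU -Description "Local administrators on $name"
    }
    if ($samNames.Count -gt 0) { Add-ADGroupMember -Identity $groupName -Members $samNames }

    # Swap on the server: add the group first, remove the single users only afterwards.
    Invoke-Command -ComputerName $name -ArgumentList $SMBDomainName, $groupName, $userNames -ScriptBlock {
        param($dom, $grp, $users)
        Add-LocalGroupMember -Group "Administrators" -Member "$dom\$grp" -ErrorAction SilentlyContinue
        foreach ($u in $users) { Remove-LocalGroupMember -Group "Administrators" -Member $u }
    }
}
```

Run it once with `$DryRun = $true` and check the printed mapping against the AD group memberships afterwards; on some Windows builds Get-LocalGroupMember fails on a group that still contains orphaned SIDs, in which case those entries have to be cleaned up first.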
The script can be downloaded here: