9

I have been using Windows Server for many years now and when I have someone who needs local admin access over their machine, I apply it through group policy in a similar way to this answer.

One of my clients has SBS 2011, and, one of the features that is actually surprisingly neat is the user management and how easy they make giving a user local admin access:


After doing this, I was trying to hunt around for ages in order to see what it was actually applying "under the hood", but I failed - I couldn't see any linked policies, settings or options anywhere that are applied.

Does anyone know what SBS 2011 actually does when you change the Access level of a user, and is there any way to easily replicate this on non-SBS Windows Server?

William Hilsum

1 Answer

3

The SBS server adds the domain account to the administrators group on the local computer. It accomplishes this via a WMI call to the selected computer from the SBS server that places the account in the local administrators group.

A method to accomplish this yourself via PowerShell would be:

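Function Add-DomainUserToLocalGroup
{
    [CmdletBinding()]
    Param(
        # Target machine whose local group is modified
        [Parameter(Mandatory=$True)]
        [string]$computer,
        # Local group name, e.g. Administrators
        [Parameter(Mandatory=$True)]
        [string]$group,
        # NetBIOS name of the domain the account lives in
        [Parameter(Mandatory=$True)]
        [string]$domain,
        # Account name (sAMAccountName) of the domain user
        [Parameter(Mandatory=$True)]
        [string]$user
    )
    # Bind to the local group on the target through the ADSI WinNT provider
    $de = [ADSI]"WinNT://$computer/$group,group"
    # Add the domain account to that group by its ADsPath
    $de.psbase.Invoke("Add",([ADSI]"WinNT://$domain/$user").path)
} #end function Add-DomainUserToLocalGroup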

Code sourced from the scripting guy blog.

This can be replicated from a non-SBS server so long as the computer you are adding the user to is a part of the domain, the user executing the command has permissions to add a local administrator, and the firewall exceptions for "Windows Remote Management" are enabled for the network the command would originate from.

Persistent13
  • Thanks, and this is really cool - but, are you sure this is how it actually does it (and then I guess store in a local DB/similar)... I ask because it works even when the pc is offline and I am not sure any sort of update such as this would get a chance to run. I'm curious if this is just a method of accomplishing it, or if this is the method that SBS actually uses as that article doesn't mention SBS at all. Still, very good and thank you. – William Hilsum Sep 26 '15 at 18:47
  • Thanks for the info, this definitely happens - I can see it in "Active Directory Users and Computers", navigating to the computer in question, right-click>Manage, and then go to "Local Users and Groups". The user is in the "Administrators" group of that computer. BUT: Removing it in this console doesn't remove the setting in the SBS console. Also, the SBS console states that the settings are applied with next GPO sync. So there must be a GPO which (one-time?) applies this setting ("Add domain user X to local 'Administrators' group") on e.g. next reboot. – Nico R Feb 05 '20 at 12:25
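
An added example, not part of the answer or comments above and not SBS's own code: since grants made this way live only in each machine's local group, this sketch reads the group back through the same ADSI WinNT provider and flags members that are not on an expected list. The function name `Get-LocalGroupAudit`, the `-Allowed` parameter and the account names in the usage comment are hypothetical.

```powershell
# Added example: audit a local group on one or more computers against an allow-list.
# Get-LocalGroupAudit and -Allowed are hypothetical names, not part of SBS or the answer.
Function Get-LocalGroupAudit
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [string[]]$computer,
        [string]$group = 'Administrators',
        # Accounts expected in the group, written as DOMAIN\name or COMPUTER\name
        [string[]]$Allowed = @()
    )
    foreach ($c in $computer) {
        try {
            # Same binding the answer's function uses, read-only this time
            $de = [ADSI]"WinNT://$c/$group,group"
            $members = @($de.psbase.Invoke('Members'))
        }
        catch {
            # Unreachable host or missing group: report it instead of skipping silently
            [pscustomobject]@{ Computer = $c; Group = $group; Member = $null
                               Class = $null; Expected = $null
                               Error = $_.Exception.Message }
            continue
        }
        foreach ($m in $members) {
            # Members come back as COM objects; read their properties by reflection
            $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class', 'GetProperty', $null, $m, $null)
            # ADsPath is WinNT://DOMAIN/name, or WinNT://DOMAIN/COMPUTER/name for
            # local accounts; an orphaned entry shows up as a bare SID
            $parts = ($path -replace '^WinNT://', '') -split '/'
            $name  = ($parts | Select-Object -Last 2) -join '\'
            [pscustomobject]@{ Computer = $c; Group = $group; Member = $name
                               Class = $class
                               Expected = ($Allowed -contains $name)  # case-insensitive
                               Error = $null }
        }
    }
} #end function Get-LocalGroupAudit

# Usage (constructed names): list members nobody signed off on, plus hosts that failed
# Get-LocalGroupAudit -computer 'PC01','PC02' `
#     -Allowed 'CONTOSO\Domain Admins','PC01\Administrator' |
#     Where-Object { $_.Error -or -not $_.Expected }
```

Running it on a schedule and comparing the output between runs shows when a one-off grant has outlived its purpose or when a membership was changed outside the console.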