Managed Accounts added to Local Administrators


Is it normal to have all of the managed accounts added to the local Administrators group? I configured the script to create all of the managed accounts I will use on the farm (Excel services, Visio services, Search, etc.), but when the batch file gets to the part where it creates the managed accounts, it adds all of them to the local Administrators group. Is the script supposed to do that?


brianlala wrote Oct 14, 2013 at 2:33 PM

It's normal, but it's supposed to be only very temporary. The script is supposed to add each managed account to local Administrator, log in temporarily with each (in order to create a Windows user profile), then remove each account from the Administrators group.

Are you finding that the accounts are not being removed from the Administrators group? Or were you just looking for the explanation above?


SikeMullivan wrote Oct 17, 2013 at 1:08 PM

The script didn't remove the managed accounts from the admin group for me either. Just pulled down the scripts about a week ago.

Great stuff though man. : ) Thanks!

brianlala wrote Oct 19, 2013 at 1:33 PM

I've noticed the same thing; not sure why it's happening. I've seen that in cases where the script crashes halfway through, if the accounts get stuck in the Admins group, they'll never get removed, because we only remove accounts that were just added temporarily to the Admins group - any accounts that were already there will remain (in case we intended for those accounts to be local Admins).

I have added some more verbose logging to that section of the script which will be included in the next release, to try to determine where the problem is exactly.
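
The add-temporarily-then-remove logic described in this thread, sketched as an added example that is not the installer script's own code: it removes only the accounts it added itself, does the removal in a `finally` block so a failure part-way through does not leave them in the group, and includes an audit helper for runs that were killed outright. The function names and the `CONTOSO\svc-*` accounts are hypothetical; it assumes PowerShell 5.1+ (the `Microsoft.PowerShell.LocalAccounts` cmdlets) and an elevated session.

```powershell
# Added example; function names and account names are constructed placeholders.
function Invoke-WithTemporaryAdmin {
    param(
        [Parameter(Mandatory)] [string[]]    $Account,  # e.g. 'CONTOSO\svc-search'
        [Parameter(Mandatory)] [scriptblock] $Action    # work that needs the temporary membership
    )
    $group = 'Administrators'
    # Snapshot current members so accounts that were already admins are never removed.
    $existing = @(Get-LocalGroupMember -Group $group | ForEach-Object { $_.Name })
    $added = New-Object 'System.Collections.Generic.List[string]'
    try {
        foreach ($a in $Account) {
            if ($existing -contains $a) { continue }    # -contains is case-insensitive
            Add-LocalGroupMember -Group $group -Member $a -ErrorAction Stop
            $added.Add($a)                              # track only what this run added
        }
        & $Action
    }
    finally {
        # Runs even when $Action throws, so an error mid-run cannot strand accounts.
        foreach ($a in $added) {
            try {
                Remove-LocalGroupMember -Group $group -Member $a -ErrorAction Stop
                Write-Verbose "Removed $a from $group"
            } catch {
                Write-Warning "Could not remove $a from ${group}: $_"
            }
        }
    }
}

# Audit helper: list which of the given managed accounts are still local admins.
function Get-StrandedAdmin {
    param([Parameter(Mandatory)] [string[]] $Account)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Account -contains $_.Name }
}

# Usage (constructed account names):
#   $svc = 'CONTOSO\svc-search', 'CONTOSO\svc-excel'
#   Invoke-WithTemporaryAdmin -Account $svc -Action { <# create user profiles #> } -Verbose
#   Get-StrandedAdmin -Account $svc     # expect no output after a clean run
```

A killed process or a reboot still skips the `finally` block, which is why the audit helper is worth running after any interrupted install.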