Background information: I'm working on using PowerShell DSC for some machine configuration across several machines. One aspect that DSC is used for is granting domain users local administrative access as needed.
Previously, this was being done by ensuring the user was part of the local Administrators group. However, this DSC way of doing it would trigger a non-fatal error being logged:
Group Administrators
{
    GroupName = "Administrators"
    Ensure    = "Present"
    Members   = @("Administrator", "DOMAIN\user1", "DOMAIN\user2")
}
The error logged is: Exception calling "Save" with "0" argument(s): "Cannot perform this operation on built-in accounts."
What is happening is that DSC attempts to rebuild the group from scratch, and Windows properly tries to protect the local Administrator account from being pulled out of the Administrators group. Again, not a fatal error; however, it complicates DSC troubleshooting since an error is logged that everyone needs to know to ignore. I'd rather stop generating the error. There's some discussion around this on GitHub with a forked version of the DSC resource. The fix is that the DSC Group resource will only remove and add members if the group already exists, instead of removing everyone and rebuilding it. However, it's not clear when this fix will migrate from the open source side into a patch for DSC 2.0.
Even when this bug is fixed though, it doesn't solve another issue I realized was happening with the setup. Our domain admins might add a new user or group to the local Administrators group via group policy or similar. If the additions they make aren't mirrored in the DSC scripts my group uses, it results in a sort of tug-of-war on the box with DSC removing entries and GPO or something else adding them back.
Attempted fix for both issues: As a fix for both the non-fatal error and the possible tug-of-war, I figured I'd instead have DSC manage a separate local group, and flip the above code to look like this:
Group GroupAdmins
{
    GroupName = "GroupAdmins"
    Ensure    = "Present"
    Members   = @("DOMAIN\user1", "DOMAIN\user2")
}

Group Administrators
{
    GroupName      = "Administrators"
    Ensure         = "Present"
    MembersInclude = "GroupAdmins"
    DependsOn      = "[Group]GroupAdmins"
}
This way the GroupAdmins contains the users from my group needing admin access, and DSC will ensure the GroupAdmins group is added to the local Administrators group. No more tug-of-war, the domain admins can add who they want without it needing to be added to our DSC scripts, and our group has the access they need on these boxes.
DSC worked, and the GroupAdmins group was created and added to the local Administrators group. No more non-fatal errors from DSC, however...
The problem: Anyone in the GroupAdmins group ends up not having admin access. "whoami /priv /user" from an administrative command prompt shows a reduced set of privileges, and access to things like the \\Machine\C$ share is denied.
This is being seen on both Windows 7 and Windows 10.
Is there something special that needs to be done to ensure a local group on Windows added to the Administrators group is granted admin access? Domain groups added to the local Administrators group appear to correctly have admin access as expected, it's only the local group added that isn't working.
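A diagnostic that can be run on one of the affected machines, added here as an example and not part of the original question. It reads what the machine itself records as members of the local Administrators group (each member's class, SID, and whether the principal is local to the box or comes from the domain), marks whether each of those SIDs is present in the current process token, and reports whether BUILTIN\Administrators (S-1-5-32-544) is in that token as an enabled group, as a deny-only group (the UAC-filtered token), or not at all. The group names come from the question; PowerShell 3 or later is assumed, which WMF 4 already provides for DSC. Nothing else about the environment is assumed.

```powershell
# Added diagnostic, not code from the original post.
# Run from the elevated prompt in which \\Machine\C$ was denied.

function Get-LocalGroupMemberDetail {
    param(
        [string]$GroupName    = 'Administrators',
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # WinNT ADSI provider returns the members as raw COM objects; properties are
    # read through IDispatch with InvokeMember.
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $read = { param($name) $member.GetType().InvokeMember($name, 'GetProperty', $null, $member, $null) }

        $sid = New-Object System.Security.Principal.SecurityIdentifier((& $read 'objectSid'), 0)

        # LookupAccountSid tells us where the principal lives: the authority part is
        # the computer name for local accounts and the NetBIOS domain for domain ones.
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = '<unresolvable>' }
        $authority = ($account -split '\\')[0]
        $class     = & $read 'Class'     # 'User' or 'Group'

        [PSCustomObject]@{
            Account = $account
            Class   = $class
            Sid     = $sid.Value
            IsLocal = ($authority -eq $ComputerName)
            # Windows does not expand a local group nested inside another local group on a
            # workstation or member server, so a local Group entry here is the one to check.
            Suspect = ($class -eq 'Group' -and $authority -eq $ComputerName)
        }
    }
}

function Get-TokenGroups {
    # whoami ships with Windows; /fo csv yields the columns "Group Name","Type","SID","Attributes".
    whoami /groups /fo csv | ConvertFrom-Csv
}

function Get-TokenGroupState {
    param([string]$Sid = 'S-1-5-32-544')   # BUILTIN\Administrators

    $entry = Get-TokenGroups | Where-Object { $_.SID -eq $Sid } | Select-Object -First 1
    if (-not $entry)                          { return 'absent from the token' }
    if ($entry.Attributes -match 'deny only') { return 'present for deny only (UAC-filtered token; re-run elevated)' }
    return "enabled ($($entry.Attributes))"
}

# Report: what Administrators contains versus what the current token carries.
$token   = Get-TokenGroups
$members = Get-LocalGroupMemberDetail -GroupName 'Administrators'

$members |
    Select-Object Account, Class, IsLocal, Suspect,
        @{ n = 'InToken'; e = { $m = $_; [bool]($token | Where-Object { $_.SID -eq $m.Sid }) } } |
    Format-Table -AutoSize

"BUILTIN\Administrators in this token: $(Get-TokenGroupState)"
```

Read the two halves together. If a member row shows Suspect = True, the entry recorded in Administrators is a local group nested in a local group; Windows evaluates local group membership only one level deep on a non-domain-controller, so the user's token can contain that group's SID while still not containing S-1-5-32-544, which matches the reduced privilege set and the C$ denial described above. A domain group in the same position resolves normally, which is consistent with the observation that domain groups added to Administrators work. If instead the last line reports "present for deny only", the prompt being used is not actually elevated and the UAC-filtered token is in play rather than the group configuration.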