Local Admin Group

(imported topic written by Rooskie91)

I am trying to create a fixlet to check for a Domain group that is added to the local administrators group on the local machine. If the group does not exist it will add it.

What would be the best way to go about this?

(imported comment written by cstoneba)

exists members whose (it as string as lowercase contains "groupname") of local group "Administrators"

(imported comment written by SystemAdmin)

Just wanted to warn you about our experience with doing this.

We’ve done something similar and in our experience, when a BES client is disconnected from the domain, the relevance below always returns true because the group name is not returned but instead the SID / GUID is returned. So what ends up happening, if you deploy as a policy action, is the policy runs over and over. Not a huge issue, but a bit of an annoyance.
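
The disconnected-client behaviour described in the last comment comes from matching on a resolved group name. As an added example (not from the thread, and written in PowerShell rather than BigFix relevance), the check below compares the SIDs of the local Administrators members instead, which does not depend on the domain being reachable; the function names and the target SID are constructed placeholders.

```powershell
# Constructed placeholder: substitute the SID of the domain group you expect.
$ExpectedGroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'

function Get-LocalAdministratorsMemberSid {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators. Translating it
    # yields the group's local name, so this also works on localized Windows.
    $builtin = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $name = $builtin.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

    $group = [ADSI]"WinNT://./$name,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Read the raw SID bytes of each member; no name lookup against a
        # domain controller is involved, so unresolved members are still listed.
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Test-LocalAdministratorsMember {
    param([Parameter(Mandatory)][string]$Sid)
    # -contains compares the SID strings case-insensitively.
    @(Get-LocalAdministratorsMemberSid) -contains $Sid
}

# $true when the expected group is a member, online or offline.
Test-LocalAdministratorsMember -Sid $ExpectedGroupSid
```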