I am trying to create a fixlet to check for a Domain group that is added to the local administrators group on the local machine. If the group does not exist, it will add it.
Just wanted to warn you about our experience with doing this.
We’ve done something similar and in our experience, when a BES client is disconnected from the domain, the relevance below always returns true because the group name is not returned but instead the SID / GUID is returned. So what ends up happening, if you deploy as a policy action, is the policy runs over and over. Not a huge issue, but a bit of an annoyance.