SCCM 2012 AD Admins Group Members of Local Admins Group


The question is, if an AD group is created for SCCM Admins, does that AD group need to be added to the local admins group of all SCCM clients?

I just assumed that any SCCM Admin would naturally have local admin rights on, at least, all workstations within an organization's domain and some, if not all, servers.

The ONLY account that I have seen that requires local admin rights on clients is the SCCM Client Installation Account, but I haven't seen anything regarding local admin rights for actual SCCM Admins.

For example, when a user who is a member of the SCCM Admins group logs into the site server and tries to run an SCCM Client Uninstall process using the Right Click Tools, they receive an error stating "Access Denied". They then find out that the SCCM Admins AD group is not a member of the local admins group; therefore, they do not have local admin rights on that workstation.

Real Story Here:

An IT Manager thought it was okay to not allow SCCM Admins local admin rights, and he thought that when an SCCM Admin is logged into the site server and in the Admin Console (RDP to the SCCM 2012 Site Server), whatever actions they performed were using the System account of the site server.

To be honest, I've never dealt with this before, because every environment I've seen has SCCM Admins also as local admins on ALL clients.

I appreciate any help the community can offer.

Thanks very much everyone.

Best Answer

If the SCCM admin user or group is a member of the domain Administrators or Domain Admins group then they'll be a member of the local Administrators group as a result of the domain group membership. If they're not then they won't be.
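
To see which domain groups actually sit in a client's local Administrators group, the membership can be read on the client itself. The following is an added example, not part of the original answer; the group name `CONTOSO\SCCM Admins` and the function name `Get-LocalAdminReport` are hypothetical, and it assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`).

```powershell
# Added example: report whether a given domain group is a direct member of
# the local Administrators group on the machine where this runs.
function Get-LocalAdminReport {
    param(
        # Hypothetical group name, in DOMAIN\Name form.
        [Parameter(Mandatory)][string]$GroupName
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    # Using the SID avoids problems with localized group names.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'

    # Domain groups that are listed directly in local Administrators.
    $domainGroups = $members |
        Where-Object { $_.ObjectClass -eq 'Group' -and
                       $_.PrincipalSource -eq 'ActiveDirectory' }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Group           = $GroupName
        # Direct membership only: nested groups are not expanded here.
        IsDirectMember  = [bool]($members | Where-Object { $_.Name -eq $GroupName })
        DomainGroups    = ($domainGroups.Name -join '; ')
    }
}

# Constructed sample call; replace the group name with the real one.
Get-LocalAdminReport -GroupName 'CONTOSO\SCCM Admins'
```

`IsDirectMember` being false does not rule out rights granted through a nested group; the `DomainGroups` column shows which domain groups to inspect next.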
