Reasons and security ramifications aside, this is just a quick note on how to control Local Administrators group membership on a DC. If you try to use lusrmgr.msc on a DC, it will open the Local Users and Groups console with a red cross and a warning in the central pane:
“The computer %DC_NAME% is a domain controller. This snap-in cannot be used on a domain controller. Domain accounts are managed with the Active Directory Users and Computers snap-in.”
Well, thanks for letting me know, but I need to manage this anyway 🙂 So, to the command prompt.
Issuing this:
net localgroup Administrators
will list the current local Administrators group membership.
And using the following syntax we can add members to the local Administrators group:
net localgroup Administrators /add domain\user_name
There used to be a nice video on YouTube showing all this, but it seems to be no longer available.
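On a DC this group is the domain's built-in Administrators group, so it is worth checking the membership against a known baseline after any change. The PowerShell sketch below is an added example, not part of the original note: it parses the output of the list command shown above and reports differences. It assumes English-language net.exe output; the sample output, the svc_backup account and the baseline names are constructed for illustration.

```powershell
# Added example: parse `net localgroup Administrators` output and diff it
# against an approved baseline. Assumes English-language net.exe output.
function Get-NetLocalGroupMember {
    param([string[]]$Lines)
    # Member names sit between the dashed separator and the status line.
    $start = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '^-{10,}\s*$') { $start = $i + 1; break }
    }
    if ($start -lt 0) { throw 'Separator not found: unexpected net.exe output.' }
    $members = @()
    for ($i = $start; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i].Trim()
        if ($line -eq '' -or $line -like 'The command completed*') { continue }
        $members += $line
    }
    return $members
}

# Constructed sample output. On a real DC use: $raw = net localgroup Administrators
$raw = @(
    'Alias name     Administrators',
    'Comment        Administrators have complete and unrestricted access to the computer/domain',
    '',
    'Members',
    '',
    '-------------------------------------------------------------------------------',
    'Administrator',
    'Domain Admins',
    'Enterprise Admins',
    'svc_backup',
    'The command completed successfully.',
    ''
)

# Hypothetical approved baseline for this environment.
$approved = @('Administrator', 'Domain Admins', 'Enterprise Admins')

$current    = @(Get-NetLocalGroupMember -Lines $raw)
$unexpected = @($current  | Where-Object { $_ -notin $approved })
$missing    = @($approved | Where-Object { $_ -notin $current })

if ($unexpected.Count) { Write-Warning ("Not in baseline: " + ($unexpected -join ', ')) }
if ($missing.Count)    { Write-Warning ("Baseline member absent: " + ($missing -join ', ')) }
if (-not $unexpected.Count -and -not $missing.Count) { 'Membership matches baseline.' }
```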