I am trying to use the Built-In “Group” resource to add a domain account to a local group on the server being configured. This appears to require that because I am adding a domain account to the local group (as opposed to a local account), I MUST set the “Credential” property in order to do this. There is the following note for the “Credential” property in the TechNet documentation:
“This account must have the appropriate Active Directory permissions to add all non-local accounts to the group; otherwise, an error will occur.”
What I am not sure about is which account to use. While I got it working using my own domain account while testing, what should be used when configuring actual servers? If I used my account, what happens when I need to change my password, as the value encrypted in the .mof will no longer work, requiring all server configurations to be updated?
Because the domain account is being added to a local group, it would seem that all that is required is admin rights on the server to do this. Given that the LCM runs as “System”, wouldn’t it have the rights it needs?