What does SBS 2011 do "under the hood" when you give a user admin access?

I have been using Windows Server for many years now and when I have someone who needs local admin access over their machine, I apply it through group policy in a similar way to this answer.

One of my clients has SBS 2011, and one of the features that is actually surprisingly neat is the user management and how easy they make giving a user local admin access:


After doing this, I was trying to hunt around for ages in order to see what it was actually applying "under the hood", but I failed - I couldn't see any linked policies, settings or options anywhere that are applied.

Does anyone know what SBS 2011 actually does when you change the Access level of a user, and is there any way to easily replicate this on non-SBS Windows Server?


The SBS server adds the domain account to the administrators group on the local computer. It accomplishes this via a WMI call to the selected computer from the SBS server that places the account in the local administrators group.

A method to accomplish this yourself via PowerShell would be:

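Function Add-DomainUserToLocalGroup
{
    [cmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [string]$computer,   # target machine whose local group is modified
        [Parameter(Mandatory=$True)]
        [string]$group,      # local group name, e.g. Administrators
        [Parameter(Mandatory=$True)]
        [string]$domain,     # NetBIOS name of the domain that owns the account
        [Parameter(Mandatory=$True)]
        [string]$user        # account name of the domain user to add
    )
    # Bind to the local group on the target computer through the WinNT provider
    $de = [ADSI]"WinNT://$computer/$group,group"
    # Add the domain account to that group by its WinNT path
    $de.psbase.Invoke("Add",([ADSI]"WinNT://$domain/$user").path)
} #end function Add-DomainUserToLocalGroup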

Code sourced from the scripting guy blog.

This can be replicated from a non-SBS server so long as the computer you are adding the user to is a part of the domain, the user executing the command has permissions to add a local administrator, and the firewall exceptions for "Windows Remote Management" are enabled for the network the command would originate from.
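
Because the change is a local group membership rather than a linked policy, it only shows up when the group itself is read back. The following is an added example, not part of the original answer or the Scripting Guy code: it lists a local group's members through the same WinNT ADSI provider and flags accounts outside an expected list. The function name, the allow-list and the computer name PC01 are assumptions, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: audit who is in a local group on a domain-joined computer.
function Get-LocalGroupMemberAudit
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [string]$Computer,                  # NetBIOS name of the target machine
        [string]$Group = 'Administrators',
        # Hypothetical allow-list; replace with the accounts you expect to see.
        [string[]]$Expected = @('Administrator', 'Domain Admins')
    )

    # Same binding the Add function uses, but read-only here.
    $de = [ADSI]"WinNT://$Computer/$Group,group"

    # Members() returns COM objects, so properties are read via InvokeMember.
    foreach ($member in @($de.psbase.Invoke('Members')))
    {
        $type  = $member.GetType()
        $name  = $type.InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)

        # Local accounts resolve to WinNT://<domain>/<computer>/<name>;
        # domain accounts resolve to WinNT://<domain>/<name>.
        $scope = if ($path -like "*/$Computer/*") { 'Local' } else { 'Domain' }

        [PSCustomObject]@{
            Computer   = $Computer
            Group      = $Group
            Name       = $name
            Class      = $class              # User or Group
            Scope      = $scope
            ADsPath    = $path
            Unexpected = $Expected -notcontains $name
        }
    }
}

# Constructed usage: show only members that are not on the allow-list.
# Get-LocalGroupMemberAudit -Computer 'PC01' | Where-Object { $_.Unexpected }
```

Run against each workstation before and after changing a user's access level to see exactly which account was added.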