Here’s a neat thing I’ve just discovered. When you add a new “Administrative User” in Configuration Manager 2012 and assign them to a security role, that user or group is automatically added into the local “SMS Admins” group on all servers.
Removing the user/group will also remove them from the local SMS Admins group. So now that’s one less headache to worry about when it comes to giving permissions to the SMS Provider for console access and scripting.
This is a hierarchy wide thing as well, so it doesn’t matter where you set it, it will apply for all servers, and will set it on all servers automatically.