Je suis looking to créez unn account similaire to a Domain Admin, mais sans access to domain controllers. In autre words, this account will have full Administrator rights to tout client machine in le domain, be able to add machines to le domain, mais have seulement limited user rights to le servers.
This account will be used by a person in an end-user tech support kind of role. They should have full access to client machines for installing drivers, applications, etc... mais Je ne want them on le servers.
While I could probably throw something together myself via policy, it'll probably be messy so I figured I should ask: Quel est le proper way to go about this?
