I'm looking to create an account similar to a Domain Admin, but without access to domain controllers. In other words, this account will have full Administrator rights to any client machine in the domain, be able to add machines to the domain, but have only limited user rights to the servers.
This account will be used by a person in an end-user tech support kind of role. They should have full access to client machines for installing drivers, applications, etc., but I don't want them on the servers.
While I could probably throw something together myself via policy, it'll probably be messy so I figured I should ask: What's the proper way to go about this?