So you can’t log onto a domain controller as a local admin.
I think you can make a group a member of local administrators via group policy and this will allow you to log on locally to a DC and install software – but I’m pretty sure it also gives you access to AD/DNS/DHCP/etc.
I want to give a group of users the ability to log on locally and then install software and access ADUC.
I don’t want them to have the ability to edit DNS or DHCP.
Can anyone think of a clean way of allowing this that doesn’t involve too much hacking?