I have a number of Windows servers (mostly Windows Server 2008) which are placed in a DMZ and are not in Active Directory. We use a third-party password management solution for Active Directory-joined servers. The idea is to use one account on each server which is NOT an administrator but has rights to change/reset the password of all other local users on the server, including the built-in administrator. None of the other users should have permissions to reset/change the password on the server. Any suggestions, such as local policy, local rights, PowerShell scripts, etc., which can help achieve the desired results?