I need some good advice about the following situation. I have two users in our company who are currently Domain Admins. Neither one of these guys should have these rights, but I have not figured out a way to give them what they need without giving them these privileges. Here is what they need to do:
1. Modify workstations; load software, add and remove from AD.
2. Access only those servers that pertain to their specific areas of the company - I want to give them access, but not the ability to manipulate the system (i.e. load software, etc).
3. Change user properties in the AD.