We are setting up McAfee SIEM in our environment to tail the DNS log files on our DNS servers, which are also DCs. The application requires the service account to be a local admin, but of course "local admin" does not exist on a DC... I did find the article below on using the net localgroup command....
I tried this in my lab and did add the test user to the local administrator group. Here are my questions:
What actual rights would this user account have in AD and on other DCs?
http://www.richardawilson.com/2010/06/add-user-as-local-administrator-on.html
I would say export the logs to a network share and have the McAfee SIEM consume them from that location. This is very common for other solutions like Splunk as well. Otherwise, look at installing their agent on the DC, if they have one, which would usually run with system privileges.