Hey guys. My infosec team is in the midst of their audit, and they're needing to use some software to gather data for this, and that requires that some software agents be installed on my DCs. Long story short, I need to allow a member of the infosec team to RDP onto my domain controllers to install this stuff. I normally would do it myself, but, again, this is a long story; the infosec team needs to do it themselves.
So, I need to allow one of them RDP access, and give them the ability to install software on my DCs, but I need to shield them from being able to access ADUC, DHCP, DNS, etc., so that my boss doesn't have another stroke.
This can be a pretty hairy situation, but I don't even know what to ask 'the oracle' to find a best practices guide or something for provisioning this. Any ideas?