I'll explain what I meant...The builtin administrators group is, I believe,
a domain local group; meaning this is the domain local admin group. The
domain admins group is added to all domain members local administrator
group -giving the domain admins group full control over all computers and
servers in the domain. The Domain Local groups you see on DCs are a kind of
local group to the DC -but to all DCs. The administrators group doesn't get
added to the member servers and PCs administrator group therefore is only an
administrator on DCs.
Regarding only allowing installation rights, I'm not sure of how to do that
without making them administrators. I suppose, if you were to make them
power users, and then give them write access to the HKLM hive that may do
it, but I wouldn't advise such a method.
Paul.
___________________________