In windows 2000/2003, Can we restrict a BuiltinAdministrators member to have just enough rights so that he/she can only create/delete domain Trust.
The requirement that we have is to be programmatically create trust with all the domains in a given forest. The other part of the requirement is to maintain the created trusts (i.e. recreate the trust if it is broken for some reason) and to keep creating trusts for domains that are newly add in the forest. For this task our understanding is that we will need an Enterprise Admin but some of our customers may not be comfortable giving us the Enterprise Admin credentials so we want to create a user who is only able to create Trusts but nothing else. During our reserach we have come to a conclusion that we can not create trusts with a domain unless the used creantials belong to the member of the buitlinAdministrator group in the domain. hence the requirement to cripple a member of Administrators group so that it can only create trusts.