NEW Managing DC'swithout Domain admin

[authoring]

Hi -
We have a domain where Domain Admins do not have local admin on every system in the domain, only on DC's. We have created a separate group that has local admin everywhere, which is where my SCCM service account has membership. I can deploy clients and updates/apps, etc. to all my clients just fine, I just can't manage the Domain Controllers now under this setup.

Is there a way to separate management of collections or deployments out to different accounts? This is a pretty common security posture so I gotta believe there's a way..

 

[authoring]

I guess I should elaborate a little;
so because my sccm service account is not a member of Domain Admins, it can manage all the rest of the clients just fine, just not Domain Controllers. When trying to push applications or software updates to the DC's, I get an access denied error.
Thanks in advance -

 

[Youssef Saad]

You can add a network access account (your domain admin) in your distribution point.

Go to Administration -> Site Configuration -> Sites and select the server on the right side -> Go to the ribbon Settings -> Configuration Site Components and choose for Software Distribution -> Click on the tab Network Access Account -> Change here your Network Access Account and set a new account (domain admin)