user with readonly access to domain controller
1. Create domain global group (you will place your user in this group
instead of Domain Users, because Domain Users already has some
2. Create your user.
3. Change primary group of your user to group created at first step.
Stop membership in Domain users group.
4.Open ADSI Edit (you need Support tools installed), run adsiedit.msc
5. Select your domain root (dc=<some>,dc=<domain>,dc=<name>). Open
properties menu, navigate to security tab. Press advanced. Add your user
and give him rights whatever you want.