Software build processes – Dependencies without admin privileges

we have the following problem and I would like to hear your opinions for this case:

Currently several users are working with domain accounts which are in the local admin group (Yes, shame…)

You need this for build processes, because you have to work on certificates in the user store (with private keys, not exportable) as well as the Windows Credential Store. Additionaly there is a need to move certificates.

Now the environment should be made more secure and the domain accounts should be removed from the admin group. The users should get a local admin account to be able to use it for starting the application in the admin context.

Now the users have no possibility to access the user store (certificates and credential store), because the application runs in a different user context.

According to the people it means a considerable additional effort to adapt the build processes. Furthermore, the storage of certificates in the machine store is not considered safe.

What is your opinion? Can this be solved in a smart way?