Possible Duplicate:
Dealing with untrusted administrators in a Windows domain
I'm trying to block Domain Admins from accessing classified files on PCs that joined the domain. But it looks like impossible tasks, since they could easily bypass any restrictions or auditing set by other admins.
First thought was to grant only needed privileges to all adminis, but that wasn't a trivial task, I'd take it as the last resort.
So, any suggestions?
A domain admin has full rights over the network. They can change anything as they see fit.
I draw your attention to the following law:
Immutable Law of Security #6: A computer is only as secure as the administrator is trustworthy.
If you don't trust your domain administrator, don't make them a domain administrator, or hire a new domain administrator that you trust.
If you really need to keep certain operational documents secret from the domain admin, don't put them on the network. Keep them in an encrypted container (e.g. TrueCrypt volume) outside of the network.
