Manage administrator rights in Windows Server 2003
We want to limit the current system administrator tasks. For example, we don't want users to be able to delete some files locally, even if that user has administrator's rights. Can Windows Server 2003 support this?
You can explicitly limit any administrator's rights to read, modify or delete files just by setting standard NTFS security. For example, you can set the DENY permission on a file or folder to the Administrator account or the Administrators group.
However, be aware that administrators will always have the ability to take ownership of a file or folder and modify permissions as they see fit, thus granting themselves the privilege that was originally denied. (You can enable auditing on folders so at least this type of action will be recorded in the Security log.)
This was first published in February 2008