Managing Privileged Accounts

Hello, I am trying to figure out the best solution for Separation of Duty when it comes to server access.

An example would be:

Domain Admins have admin privileges for "Dept A" and "Dept B".

"Dept B" only wants Domain Admins to have a maintenance function, such as updates, reboots, backups; just basic OS operations stuff.

The servers in "Dept B" may have certain files, DBs, etc. that "Domain Admins" shouldn't have access to.

Thank you for your help.

February 20th, 2015 7:16pm

On Fri, 20 Feb 2015 16:16:13 +0000, Semperfi4000 wrote:

Servers in "Dept B" may have certain files, DBs, etc. that "Domain Admins" shouldn't have access to.

Restrict Domain Admins? That really isn't possible.

February 21st, 2015 3:43am

Hi,

The direction is to find a suitable user group for these accounts instead of simply adding them to the Domain Admins group and trying to restrict them later.

The following article lists all default groups in Windows.

https://msdn.microsoft.com/en-us/library/bb726980.aspx

You can compare it with your requirements and add those users to a different group, such as "Backup Operators" or "Server Operators".

February 23rd, 2015 4:29am
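
One way to apply the suggestion in the reply above, as an added example that is not part of the original thread: a dedicated domain group is placed in the local "Backup Operators" group on each Dept B server, and local Administrators membership is reported so that Domain Admins entries can be reviewed. The group name, OU paths and domain are hypothetical, and the script assumes the ActiveDirectory module, PowerShell remoting, and the LocalAccounts cmdlets (Windows PowerShell 5.1) on the target servers.

```powershell
# Added example. DeptB-ServerMaint, the OU paths and contoso.example are hypothetical.
Import-Module ActiveDirectory

$MaintGroup = 'DeptB-ServerMaint'                          # hypothetical group name
$GroupOU    = 'OU=Groups,OU=DeptB,DC=contoso,DC=example'   # hypothetical OU
$ServerOU   = 'OU=Servers,OU=DeptB,DC=contoso,DC=example'  # hypothetical OU
$Domain     = (Get-ADDomain).NetBIOSName

# 1. Create the maintenance group once; operators are added to it,
#    not to Domain Admins.
if (-not (Get-ADGroup -Filter "Name -eq '$MaintGroup'")) {
    New-ADGroup -Name $MaintGroup -GroupScope Global -GroupCategory Security `
        -Path $GroupOU -Description 'OS maintenance on Dept B servers'
}

# 2. Collect the Dept B member servers from their OU.
$servers = Get-ADComputer -SearchBase $ServerOU -Filter * |
    Select-Object -ExpandProperty DNSHostName

# 3. On each server: put the domain group into the local Backup Operators
#    group (if missing) and return the local Administrators membership.
$report = Invoke-Command -ComputerName $servers -ArgumentList "$Domain\$MaintGroup" -ScriptBlock {
    param($Principal)

    $current = Get-LocalGroupMember -Group 'Backup Operators' |
        Select-Object -ExpandProperty Name
    if ($current -notcontains $Principal) {
        Add-LocalGroupMember -Group 'Backup Operators' -Member $Principal
    }

    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 4. List servers where Domain Admins is still a local administrator,
#    so the owner of Dept B can review each one.
$report |
    Where-Object { $_.Name -like '*\Domain Admins' } |
    Sort-Object PSComputerName |
    Select-Object PSComputerName, Name, ObjectClass
```

Members of Backup Operators hold the backup and restore privileges, which read and write files regardless of their ACLs, so check that against Dept B's file-access requirement before assigning the group.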
