Firstly, I wasn't laughing at you, I was laughing at Gails response!

Secondly, simply having Group Policy Editor is not the opportunity that people look for to hack into a system of any kind. It is the permission to edit the Group Policy itself that causes the problems and if you have Domains Admins that are likely to abuse that right then you problem is bigger than you think.

If you think Windows 7 security is laughable then perhaps a better understanding of Active Directory and Group Policy Management is necessary. Laughable for me is someone has decided to place a production (I assume) database on a laptop and the admins did nothing to stop it! It is a database service and deserves more respect than that.

Above all, use the concept of minimal privilege. It is true that if someone really wants to get in, they will. But that is not the get out clause for admins that distribute admin passwords to all and sundry and not the excuse to use for not understanding the (admittedly) complex security mechanisms that will protect your organisation.

The bottom line: Get a new box for the database, even if it is only a good PC!