• river1 (2/1/2010)


    Hi Gurus

    I have a problem.

    I need to prevent the Domain Admins from a client company from accessing the SQL Server 2005 that we have installed there.

    As Domain Admins they are local administrators of the OS (w2k3) on the box where SQL Server is installed.

    It is not possible to both have Domain Admins with access to the OS and keep those same users out of the SQL Database.

    Having access to the OS allows you to do almost anything, including creating a SQL SA account which can then be used to log in and query to your heart's delight. (MSDN recommends this in the case the other posters warned about, getting locked out.) http://msdn.microsoft.com/en-us/library/dd207004.aspx

    I believe the best you can do is make it auditable by only granting OS permissions to functional accounts that must be checked out by the admins when they need them.
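
To support the auditing approach suggested above, here is an added example (not part of the original post) of a T-SQL review query that lists every member of the sysadmin server role and flags the entries worth checking. The 30-day window and the column aliases are assumptions chosen for illustration.

```sql
-- Added example: review who holds sysadmin on the instance.
-- Written for SQL Server 2005 syntax (no inline DECLARE initialisation).
DECLARE @recent_days int;
SET @recent_days = 30;   -- assumed review window, adjust to your audit cycle

SELECT  p.name          AS login_name,
        p.type_desc     AS login_type,     -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
        p.is_disabled,
        p.create_date,
        p.modify_date,
        -- Logins created or altered inside the review window need a matching
        -- change record or account check-out entry.
        CASE WHEN p.create_date >= DATEADD(day, -@recent_days, GETDATE())
               OR p.modify_date >= DATEADD(day, -@recent_days, GETDATE())
             THEN 'recently created or changed'
             ELSE ''
        END             AS review_flag,
        -- A Windows group in sysadmin grants the role to all of its members;
        -- BUILTIN\Administrators covers every local administrator of the OS,
        -- which includes Domain Admins on a domain-joined server.
        CASE WHEN p.name = N'BUILTIN\Administrators'
             THEN 'all local OS administrators inherit sysadmin'
             WHEN p.type_desc = 'WINDOWS_GROUP'
             THEN 'group membership is managed outside SQL Server'
             ELSE ''
        END             AS scope_note
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY p.create_date DESC;
```

Comparing this output against an approved list on a schedule, and storing the results off the server, keeps the record out of reach of anyone who has administrative access to the box itself.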