I'm wondering why Option 1 is such a concern? Only someone who has domain admin access should be able to edit the users in the AD group, and if someone with that level of access wanted access to your SQL server, there is precisely nothing you can do to stop them--they always have the recourse of starting the SQL server in single-user mode and adding any logins they want, or just changing your password and logging in using *your* sysadmin account! If you can't trust your domain admins then frankly you shouldn't be employing them.