Hi,

I couldn't find an answer on the net, however apologies if this has
already been posted somewhere.

The situation is this, we are running SBS 2003 Premium (using SQL
server). For several years I have been the sole domain admin, however
now I can't allocate enough of my time to carry out all domain admin
tasks.

Therefore I would like to allow one of our users, who is IT literate
to help me manage the tasks of adding new users, setting up computers
for users, recovering lost passwords, unblocking locked accounts etc.

However if I create a new domain admin account for him to use for this
purpose, how do I restrict the following:

1. Gaining Access to folders of company directors - I could put a deny
right against the folders, but couldn't he just take ownership of the
folder?
2. Deleting users from the system?
3. Accessing an sql server table containing employee salaries? - again
I can put a deny right but couldn't he override this?

The above may sound paranoid, as I do trust the employee, however I do
need to ensure I undertake due diligence with company IT security.

Any help would be appreciated.