KEEP ADMINS OUT OF THE SERVER

Occasionally, network administrators may inadvertently get into the SQL
Server. To restrict access, use NT authentication to deny the NT global
group that contains their access to SQL Server. Begin by adding the NT
global group to the DBAs that are members of the SQL Server's sysadmin
server role. Additionally, drop the BUILTIN\Administrators login. Use 
the
following script to do this:

--Add to the sysadmin SQL Server role the NNT
global group to which the DBAs are members.

exec master..xp_grantlogin @loginame =
'DomainA\DBATeam', @logintype = 'admin'

--Deny the NT global group that contains thhe network administrators.

exec sp_denylogin @loginame = 'DomainA\NetworkAdminTeam'

--Revoke the BUILTIN\Administrators login.

exec master..xp_revokelogin @loginame = 'BUILTIN\ Administrators'

Using NT authentication, the sp_denylogin will restrict any member of
the NT group from logging in to SQL Server. If network administrators 
use
different NT logins for server administration, then dropping the
BUILTIN\Administrators login will keep the back door closed so that 
they cannot
access the SQL Server. If there is no NT group for network 
administrators,
substitute the NT username with the NT group name to deny the user's
login when accessing SQL Server.

----------------------------------------