We have a user who administers our SQL server. He currently has the domain admin user account. We would like to restrict him to the SQL server and a shared folder on another server. What is the best way of loking him out of all other functionality. He will probably need to log in via RDP.