Inf0rmation

asked on

How to restrict Windows 2003 domain administrators from accessing the local resources of client PCs?

Hi,
I have a Windows 2003 domain with almost 100 clients. Most of the clients have data which they don't want to be exposed to anyone but them. How can I restrict everyone else but the user of the client computer from accessing the data on the clients? (All the clients are part of the domain.)
Thanks
tlowejr

You can set up the users so they do not have permission to log on to anyone else's machine.
You could start by setting the NTFS permissions so only they have rights to the file or folder. Then you could incorporate encryption if you want to take it a step further.
Edit the local "users" and local "administrators" group on each PC to contain only the domain users and administrators that you wish to have access to that machine.

ASKER

tlowejr: How?
nsx106052: NTFS restrictions are to be set on individual computers, and in a domain model they may be overwritten by admins. Encryption is the last option which I am considering. I want something domain based within Windows 2003 Server capabilities (policy based).
If you go to Active Directory Users and Computers, click on the user, go to Properties, click on Account, then click Log On To. You can limit the machines there.
superiz: Can this be done by some domain policy or a script? Or does each system have to be configured independently?
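The "Log On To" setting described above is the LogonWorkstations attribute of the account, which can be scripted for many users at once. The following is an added example written for this thread, not code posted by any participant; it assumes the ActiveDirectory PowerShell module (RSAT) is available and uses constructed account and computer names as placeholders.

```powershell
# Added example, not code from the thread. Applies the "Log On To" restriction
# (the userWorkstations / LogonWorkstations attribute) with the ActiveDirectory
# module so it can be scripted instead of clicked through account by account.
# Account and computer names below are constructed placeholders.
Import-Module ActiveDirectory

# Assumed mapping: account -> the only workstation(s) it may log on to interactively
$Assignments = @{
    'alice' = @('WS-ALICE01')
    'bob'   = @('WS-BOB01', 'WS-LAB02')
}

foreach ($user in $Assignments.Keys) {
    # Guard: only name computers that actually exist; a typo here would lock the user out
    $valid = foreach ($pc in $Assignments[$user]) {
        if (Get-ADComputer -Filter "Name -eq '$pc'") { $pc }
        else { Write-Warning "$user : computer '$pc' not found, skipping it" }
    }
    if (-not $valid) {
        Write-Warning "$user : no valid workstations, account left unchanged"
        continue
    }

    # The attribute is a single comma-separated string of NetBIOS computer names
    Set-ADUser -Identity $user -LogonWorkstations ($valid -join ',')

    # Read back what was written
    Get-ADUser -Identity $user -Properties LogonWorkstations |
        Select-Object SamAccountName, LogonWorkstations
}
```

Run it once from an account that may modify the users in question; re-running it is safe because the attribute is simply overwritten. As the rest of the thread points out, this only constrains ordinary accounts: anyone who can edit the user object can clear the list again, so it is a control against other users, not against Domain Admins.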
tlowejr: But a domain admin can always modify that
Yes, there is really no way to lock a domain admin out of a computer. You can give them lower permissions.
Short of encryption there is no effective way to keep someone in the Domain Admins group out of anything using built-in tools.  They can undo any Active Directory changes and take ownership of any files protected by NTFS permissions.  Auditing can make it more difficult but not impossible for them to cover their tracks.

It's usually a bad idea to store data on workstations to begin with, as it makes backups problematic.
This example removes unapproved members from the local Administrators group:

Option Explicit
Dim strComputer, objGroup, objUser

strComputer = "."   ' "." is the local machine; use a computer name to run against another PC
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' Walk the group membership and remove the accounts that should not have local admin rights
For Each objUser In objGroup.Members
    If objUser.Name = "Unapproved1" Or objUser.Name = "Unapproved2" Then
        objGroup.Remove(objUser.AdsPath)
    End If
Next

Although the script will work, it is somewhat of a useless idea, since the domain administrators could simply reset the user's passwords to gain access, or even decrypt the user's password to secretly gain access. You either trust your admins or you don't. If you don't, then you probably shouldn't be using a domain security model in the first place.
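The VBScript above hard-codes the names to remove on a single machine. The following is an added example, written for this thread rather than posted by any participant, that does the inverse from PowerShell: it audits the local Administrators group on a list of workstations against an allow-list and only removes members when run with -Enforce. Computer names, the allow-list, the domain name CORP and the script name are constructed placeholders; it assumes PowerShell 5.1 (for the LocalAccounts cmdlets) and PowerShell Remoting enabled on the targets.

```powershell
# Added example, not code from the thread. Save as e.g. Audit-LocalAdmins.ps1 (placeholder name).
# Reports members of the local Administrators group on each workstation that are not on the
# allow-list; with -Enforce it removes them. Requires PowerShell 5.1 on the targets and
# PowerShell Remoting. All names below are constructed placeholders.
param([switch]$Enforce)   # default is report-only

$Computers = @('WS-ALICE01', 'WS-BOB01')                  # assumed workstation names
$Approved  = @('CORP\Domain Admins', 'CORP\WksAdmins')    # assumed principals allowed to stay
$EnforceChanges = $Enforce.IsPresent

$results = Invoke-Command -ComputerName $Computers -ScriptBlock {
    $approved = $using:Approved
    $enforce  = $using:EnforceChanges

    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $member = $_
        # The built-in local Administrator account (RID 500) is always kept
        $isBuiltin = $member.SID.Value -like '*-500'
        $allowed   = $isBuiltin -or ($approved -contains $member.Name)

        if (-not $allowed -and $enforce) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member
        }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $member.Name
            Class    = $member.ObjectClass
            Allowed  = $allowed
            Removed  = (-not $allowed) -and $enforce
        }
    }
}

# One row per member per machine; unexpected entries show Allowed = False
$results | Sort-Object Computer, Allowed | Format-Table Computer, Member, Class, Allowed, Removed -AutoSize
```

Run it without -Enforce first and review the report; then run it with -Enforce to apply. The domain-based, policy-driven equivalent the asker is looking for is a Restricted Groups policy (Computer Configuration > Windows Settings > Security Settings > Restricted Groups), which re-applies the membership at every Group Policy refresh rather than on a one-off script run. Either way the caveat from the thread stands: members of Domain Admins can edit the policy or re-add themselves, so this controls helpdesk staff and other users, not domain administrators.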
I would say this is not a matter of trust but a "need to know" scenario.
Yeah but you should trust they will not go in there.
Sometimes trust is simply not enough, and besides, whole security models are usually developed due to mistrust :) If we can trust to this level then life will become very much simpler, especially in IT.
So long as you understand that the whole idea is not "rock solid". I forgot to mention that the script type is VBScript. Is there anything about it you need clarification on?
Thanks :)
ASKER CERTIFIED SOLUTION
McKnife