Restrict access to DC for domain admins
Posted on 2009-07-13
I do not want domain administrators of a child domain to have direct access to the child DC. The reason is because they could then browse the parent domain AD structure from the child DC. Currently my firewall only allows AD traffic to/from child and parent DCs. Sooo, if they use ADUC from any other system in the child domain they can't browse the parent domain. The child domain admins need full control of child AD to create/edit policies, create/edit OU structure, create/edit user accounts and group memberships.
Ok, I have denied remote control via RDP in TS Configuration. I have set local security policy on the child DC to "Deny terminal services logon" & "Deny logon locally". BUT, they are domain admins... Couldn't someone clever get around this security to gain local access to the DC? If so how can I prevent this?
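As an added example (not code from the original post), the following PowerShell audit exports the DC's effective user rights with secedit and reports whether Domain Admins is listed in the two deny rights the post describes; the scratch file path is an assumption, and the script is meant to be run elevated on the child DC.

```powershell
# Added audit check, not part of the original post. Exports the effective
# security policy of this DC and checks whether Domain Admins is present in
# the two deny-logon rights described above. Run from an elevated prompt.
$exportPath = Join-Path $env:TEMP 'dc-user-rights.inf'   # assumed scratch path
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# Resolve the SID of the Domain Admins group of the domain this DC belongs to.
$domainAdminsSid = ([System.Security.Principal.NTAccount]'Domain Admins').Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Privilege names behind the two policy settings mentioned in the post.
$rightsToCheck = @{
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

# Parse the [Privilege Rights] section of the secedit export. It is INI-style:
# one "SeRight = *SID,*SID,..." line per right, SIDs prefixed with '*'.
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $exportPath) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}

# Report each right: OK when Domain Admins is denied, MISSING otherwise.
foreach ($right in $rightsToCheck.Keys) {
    $assigned = $rights[$right]
    if ($assigned -contains $domainAdminsSid) {
        "OK       $($rightsToCheck[$right]) ($right) includes Domain Admins"
    } else {
        "MISSING  $($rightsToCheck[$right]) ($right) does not include Domain Admins"
    }
}
Remove-Item $exportPath -ErrorAction SilentlyContinue
```

The export reflects the settings currently in force on the DC, so rerunning it after a Group Policy refresh shows whether a domain-level GPO has overridden the local setting.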