I have a Windows Server 2008 R2 domain. Due to security requirements, we need to prevent any Domain Admin or Enterprise Admin to install new PKI platform in the domain.
As you know, an administrator with this privileges by default can create new PKI's architecture. We need to block this behavior.
Can you help me to meet this requirement without remove the administrative accounts from these groups?