This is more likely a security question but since there are huge number of MVP's here, I am going to shoot.
A third party company had made a contract with our company to impelemnt their CITRIX solution in on of our child domains. At first these guys were in need of domain admin account but I did refuse to allow them and instead delegated them appropriate rights in their domain. However the next day I found out they are reverting the ACL to default and keeps getting enormous access they want by adding themselves to DA group.
I should say that DC's are located in their office with their local access and they can simply shut down DC's and do etc. basically this is a mess! and the point is that management team (Big guys of company) are OK with these actions. Seems like they highly trust each other..
I was thinking to run a script from a remote computer which Get domain admins and administrators group members and remove them from DA group. This script will be scheduled to run each 3 minutes for example and I believe it has the lowest amount of foot prints when there is no audit available.
What do you think toward this?