Windows: disable remote access of local drive, even by domain admin

This post, from the Technet forums, by Yan Li explains it easy enough:

Only the Administrators group have access to the administrative shares, please go to the Administrators group and remove the desired users and groups that you do not what to have access to the administrative shares.

For multiple client PCs, you could on one of the machines and disable them as stated below, export the registry key and then in a GPO import it.

Disable the default shares:

Windows open hidden shares on each installation for use by the system account. (Tip: You can view all of the shared folders on your computer by typing NET SHARE from a command prompt.) You can disable the default Administrative shares two ways.

One is to stop or disable the Server service, which removes the ability to share folders on your computer. (However, you can still access shared folders on other computers.) When you disable the Server service (via Control Panel > Administration Tools > Services), be sure to click Manual or Disabled or else the service will start the next time the computer is restarted.

The other way is via the Registry by editing HKeyLocal Machine\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters. For Servers edit AutoShareServer with a REG_DWORD Value of 0. For Workstations, the edit AutoShareWks. Keep in mind that disabling these shares provide an extra measure of security, but may cause problems with applications. Test your changes in a lab before disabling these in a production environment. The default hidden shares are:

Share:

C$ D$ E$

Path and function:

Root of each partition, only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows 2000 Server computer, members of the Server Operators group can also connect to these shared folders.

Still, it isn't good practice to do this. You are preventing access to things that should be accessible for a domain admin. It's akin to changing the locks on your apartment so your landlord can't get in.

Use encrypted volumes with a 3rd party encryption utility like TrueCrypt.

This is the only way to prevent an admin from having access to data it should not have. It is sufficient against an honest admin, but it is not sufficient against a malicious admin, which could still install key-loggers or use remote access tools to view the volume content while a volume in unlocked.

As for those wondering why you would want to lock out an admin from the data, it is just BAD PRACTICE that by default, admins have access to any kind of confidential data, be it financial data, personal employee details, research data, etc. They should not.

Part of an IT administrator's job should be to make sure that no single administrator account being compromised will lead to the intruder having full access to all the company data.

Is there a written company policy about who, and why any particular information is to be accessed on a networked computer, and why this particular info needs to be on a networked computer in the first place? If this is data is for this office only, why not budget a extra laptop or use an old "offline" computer that can be only accessed in the actual office? A laptop in the safe can't be easily stolen or accessed. Fires, flooding, tornadoes, hackers in China, India etc. Then connect it only when you have to.