We have two administrators who are responsible for maintaining a machine running Windows 10. Both administrators need to have the ability to install any software on the machine (including software that requires admin privileges) and make system changes.
However, the account of admin A (the "super-administrator", if you will) must be off limits to admin B.
By default, Windows allows administrators to change the passwords of any other user, including another admin user. Hence nothing stops admin B from removing/changing the password of admin A, and signing into his account that way.
If we create 2 standard-user accounts, the admins will be unable to take actions that require admin privileges. If we simply create 2 admin accounts, admin B will have the ability to access the account of admin A.
Having said that, what is the best way of creating this type of setup?
For example, is there a way to create an admin user that has access to most admin privileges, but not the privilege of modifying other user accounts?
Note that in the event of a breach, it will not be sufficient to identify that admin B has illegally signed into the account of admin A, as there would be no way to "take back" stolen data. Hence our aim is to prevent this situation from occurring in the first place.