To start, this is a school related problem not real world.
I currently have an exploration learning class where my team and I planned and are currently building our own network from the ground up.
We have installed server 2012 as our DC and just had our teacher tell us we are required to make him a domain admin account, BUT we are supposed to lock down the account so he can't make trouble or do anything like deleting important server files, make new user accounts, etc.
Everything I've found so far says no matter what we do to his account he will just be able to undo it anyway. In the real world you wouldn't give a hacker domain admin rights, but this is a requirement of our project so it is what it is.
I just don't know if we've been sent on a wild goose chase and he is just using this to make us look at/research security issues.
Any help would be appreciated.