Windows Server 2008 has provisions for this situation. Any user, including an administrator, can lock themselves out of any object; however, users who are also members of the administrators group can assign ownership back to the domain administrators group, allowing any member (including the original owner) to modify the ownership of the object.
If you are a member of the administrators group, even though you can lock yourself out of being able to change permissions or see an object, your other rights will allow you to correct the action.
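The recovery described above, as an added example that is not from the original article: an elevated member of Administrators takes ownership of a locked-out file-system object with the built-in `takeown` and `icacls` tools, then restores access. The function name, the sample path, and the choice of the built-in Administrators group (SID S-1-5-32-544) as the new owner are assumptions.

```powershell
# Added example: regain control of a file or folder whose ACL locks out
# its owner and administrators. Function name and sample path are hypothetical.
function Restore-AdminAccess {
    param(
        [string]$Path,
        [switch]$Recurse
    )

    # Taking ownership depends on the "Take ownership" user right held by
    # Administrators, which is only usable from an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw "Run this from an elevated session as a member of Administrators."
    }

    # Step 1: /A assigns ownership to the Administrators group instead of
    # the calling user, so any member of the group can repair the object.
    $takeownArgs = @('/F', $Path, '/A')
    if ($Recurse) { $takeownArgs += @('/R', '/D', 'Y') }
    & takeown.exe $takeownArgs
    if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

    # Step 2: an owner may always rewrite the permissions, so grant the
    # group full control. The leading * tells icacls the value is a SID.
    # An explicit Deny entry still overrides this grant; review the output
    # of step 3 and remove such an entry (icacls /remove:d) if one remains.
    $icaclsArgs = @($Path, '/grant', '*S-1-5-32-544:F')
    if ($Recurse) { $icaclsArgs += '/T' }
    & icacls.exe $icaclsArgs
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # Step 3: show the resulting owner and access entries for review.
    Get-Acl -Path $Path | Format-List Owner, AccessToString
}

# Usage with a constructed path:
#   Restore-AdminAccess -Path 'D:\Shares\Finance' -Recurse
```

Ownership changes of this kind are worth auditing, since taking ownership is the step that bypasses the existing permissions.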
With these new features, it is likely that business policy and IT security policy will become a bit more closely related and work a little better for everyone.
[http://blogs.techrepublic.com.com/networking/?p=1379]