Hi

This may seem a bit cumbersome when you initially think about it,
but :

The reason 'allow' is fine on the stand-alone file fileserver is because
of physical security. Is it possibly to provide a similar facility in the 
context of the general purpose system ? Maybe the use of smart cards
might be a solution. At system configuration time, you config the 
system to recognize the bearer of a particular card as the admin.

Whenever you need to admin the system, insert the smartcard, do
stuff, pull it out, capability gone. 

just a thought.
-
pip