Use Group Policy to give a special group, such as helpdesk, local administrator rights on all workstations in an OU, while keeping Domain Admins and the original Administrator at the same level of control.
To do this, create a GPO and apply it to the OU. In the GPO, go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups, create a group called "Administrators" and include "Administrator, < >\Domain Admins, < >\helpdesk" as its members. The trick is to understand that the names specified above are applied literally, leg for leg, hand for hand: no more, no less. The policy carves out exactly this membership. If you leave out the Domain Admins group, you won't find it in the local Administrators group later. I learned this lesson when I worked for Yak in 2006. This is very tricky, and it is very easy to make a mistake.
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
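
One way to check the result on a workstation after the GPO has applied, as an added example that is not from the original post: it compares the intended Members list with the actual local Administrators group and reports what is missing or extra. The domain `EXAMPLE`, the computer `PC01` and the function name `Compare-RestrictedGroupMembers` are assumptions, and the sample membership is constructed.

```powershell
# Added example; EXAMPLE and PC01 are placeholders, not values from the post.
function Compare-RestrictedGroupMembers {
    param(
        [Parameter(Mandatory)][string[]]$Expected,   # names typed into the GPO Members list
        [Parameter(Mandatory)][string[]]$Actual,     # names found in the local group
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Local accounts are reported as COMPUTER\name; strip that prefix so they
    # compare equal to the bare name used in the GPO.
    $normalize = {
        param($n)
        $n = $n.Trim()
        if ($n -like "$ComputerName\*") { $n = $n.Substring($ComputerName.Length + 1) }
        $n.ToLowerInvariant()
    }
    $want = @($Expected | ForEach-Object { & $normalize $_ })
    $have = @($Actual   | ForEach-Object { & $normalize $_ })
    [pscustomobject]@{
        Missing    = @($want | Where-Object { $_ -notin $have })   # intended but absent
        Unexpected = @($have | Where-Object { $_ -notin $want })   # present but not intended
    }
}

# The membership the post says the group should end up with.
$intended = 'Administrator', 'EXAMPLE\Domain Admins', 'EXAMPLE\helpdesk'

# Constructed sample: a workstation after a GPO whose Members list
# left out Domain Admins. The group holds exactly what was listed.
$sample = 'PC01\Administrator', 'EXAMPLE\helpdesk'
Compare-RestrictedGroupMembers -Expected $intended -Actual $sample -ComputerName 'PC01' |
    Format-List

# On a real workstation, read the built-in Administrators group by its
# well-known SID (S-1-5-32-544) so the check does not depend on the OS language.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    $live = @((Get-LocalGroupMember -SID 'S-1-5-32-544').Name)
    Compare-RestrictedGroupMembers -Expected $intended -Actual $live | Format-List
}
```

Run it after `gpupdate /force` on a test workstation in the OU before linking the GPO more widely.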
This, this... counts as a blog too?