Sunday, April 5, 2009

Delegate a non-Domain Admin group to workstations

My recent work allowed me to watch how the helpdesk works on workstation deployment. It is a large environment, so the helpdesk group does not have Domain Admin rights, but they still need full admin rights on user workstations, so the domain\helpdesk group has to be added to each workstation, but not to the servers.


Here is their method, since they use disk cloning to complete the OS and application installation.


1. Join the master workstation to the domain, and add the domain\helpdesk group to the local Administrators group of this workstation.
2. Remove this workstation from the domain. An unknown account (shown only as a SID, S-1-5-21-...) will now appear in the local Administrators group. Do NOT delete it: the local group stores the domain group's SID, and it can no longer be resolved to a name once the machine is off the domain.
3. Clone this workstation (run sysprep first so each clone gets its own machine SID; the local group membership survives sysprep).
4. Join the new workstation to the domain. The unknown account resolves to domain\helpdesk again, because the stored SID now matches the domain group.
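The four steps above, as an added example that is not part of the original post: it performs step 1 with the ADSI WinNT provider and then lists the local Administrators with their SIDs, so that after the machine leaves the domain the "unknown account" can be recognised as the helpdesk group's stored SID rather than a stray user. The domain name CONTOSO and the group name helpdesk are assumptions; it targets PowerShell 2.0-era features, which is why it does not use the newer Get-LocalGroupMember cmdlet.

```powershell
# Added example, not the original post's code. Assumed names: CONTOSO, helpdesk.
param(
    [string]$Domain = 'CONTOSO',      # assumed NetBIOS domain name
    [string]$Group  = 'helpdesk'      # assumed helpdesk group name
)

# The WinNT provider binds to the local group; "." is the local machine.
$admins = [ADSI]"WinNT://./Administrators,group"

function Get-LocalAdminMembers {
    # Returns one object per member: display name, SID, and whether the SID
    # still resolves to an account (it stops resolving off the domain).
    $admins.Invoke('Members') | ForEach-Object {
        $name = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        $raw  = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        # Translate asks the domain to map SID -> DOMAIN\name; when the machine
        # is not joined it throws, which is exactly the "unknown account" the
        # Local Users and Groups snap-in shows.
        try   { $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $resolved = $null }
        New-Object PSObject -Property @{
            Name     = $name
            SID      = $sid.Value
            Resolves = [bool]$resolved
        }
    }
}

# Step 1: add the domain group to local Administrators, skipping it if present.
$already = Get-LocalAdminMembers | Where-Object { $_.Name -eq $Group }
if (-not $already) {
    $admins.Add("WinNT://$Domain/$Group,group")
}

# Steps 2-4: run the listing again after leaving and after rejoining the domain.
# The helpdesk entry keeps the same S-1-5-21-...-RID SID throughout; only the
# Resolves column flips from True to False and back.
Get-LocalAdminMembers | Format-Table Name, SID, Resolves -AutoSize
```

Run it once on the master before step 2 and note the helpdesk SID; that is the value to expect in the "unknown" entry on the clones before they are joined, and the entry to leave alone.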


I know I can use Restricted Groups in the Group Policy computer settings to delegate a non-Domain Admin group to workstations, but the process is tricky and it is easy to cause a very serious problem, such as removing the Domain Admins group from every workstation. The GPO must also be linked only to the OU that holds the workstations, never to one that contains servers.


The restricted group name must be "Administrators" and its Members list has to include every account that already belongs there, for example:

- Administrator (the built-in local administrator account)
- Domain Admins
- Remote Administrator

The Members setting of this policy is an all-or-nothing replacement, not an incremental change: at the next policy refresh, anything not in the list is removed from the local group, so you have to include every member that should stay. If you only need to add one group, the other half of Restricted Groups, "This group is a member of", is additive: define domain\helpdesk as the restricted group and list Administrators under "Member Of", and the existing members of Administrators are left alone.
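Because the Members list is authoritative, it is worth checking a workstation against the list before linking the GPO. The following is an added example, not the original post's code: it reads the current local Administrators membership and reports which members the policy would remove and which it would add, warning if Domain Admins is among the removals. The default member list and the helpdesk group name are assumptions for illustration.

```powershell
# Added example, not the original post's code. Assumed policy member list.
param(
    [string]$ComputerName = '.',
    [string[]]$PolicyMembers = @('Administrator', 'Domain Admins', 'Remote Administrator', 'helpdesk')
)

function Get-CurrentAdmins([string]$Computer) {
    # Member display names of the local Administrators group via the WinNT provider.
    $g = [ADSI]"WinNT://$Computer/Administrators,group"
    $g.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-RestrictedGroupPolicy([string[]]$Current, [string[]]$Policy) {
    # Restricted Groups "Members" replaces the whole membership at refresh time,
    # so every current member that must survive has to appear in $Policy.
    $willBeRemoved = @($Current | Where-Object { $Policy -notcontains $_ })
    $willBeAdded   = @($Policy  | Where-Object { $Current -notcontains $_ })
    New-Object PSObject -Property @{
        WillBeRemoved     = $willBeRemoved
        WillBeAdded       = $willBeAdded
        DropsDomainAdmins = [bool]($willBeRemoved -contains 'Domain Admins')
    }
}

$current = Get-CurrentAdmins $ComputerName
$result  = Test-RestrictedGroupPolicy -Current $current -Policy $PolicyMembers

if ($result.DropsDomainAdmins) {
    Write-Warning "Policy list omits Domain Admins; it would be removed from $ComputerName"
}
$result | Format-List WillBeRemoved, WillBeAdded, DropsDomainAdmins
```

Run it against a few workstations from each image; any name that shows up under WillBeRemoved either belongs in the policy list or is a local account the policy is deliberately meant to clean up.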

Here is another tutorial on restricted group

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
