Beware of restricted groups. It will replace rather than add to the
membership of the local administrators group.
Here's the way I do it.
First, I create a group, called "Workstation Admins" on the domain. I place
all the workstations I want managed this way into their own OU. Then, I apply
a GPO to that OU containing a computer startup script that runs the following
line:
net localgroup administrators "mydomain\Workstation Admins" /add
Enter the "net" as the command and the rest as the parameter.
When these machines next boot, they will have the Workstation Admins group
in their local administrators group. Just place your administrative
accounts in this group and you're sorted.
The first thing to be wary of is that if a machine is removed from the OU,
nothing changes. Members of Workstation Admins will still be administrators
of the box.
The second is something that may not be obvious. You want to prevent these
people being domain admins. If they're smart, they will be domain admins
quite soon anyway. If you or other domain admins ever log into PCs that
untrusted people are local administrators or power users of, then you need
to be careful. This is common sense, but something that so many people
overlook.
Hope this helps
Oli
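
The following is an added example, not part of the original post: a PowerShell startup script that makes the same membership change idempotently and can also undo it, which covers the case where a machine is moved out of the OU and the group would otherwise stay in place. The group name comes from the post; the -State parameter and the idea of linking the 'Absent' form to other OUs are assumptions, and the script needs Windows PowerShell 5.1 or later (Microsoft.PowerShell.LocalAccounts module).

```powershell
# Added example, not from the original post. Must run elevated, for instance
# as a computer startup script delivered by GPO.
param(
    # Group name taken from the post; replace with your own domain group.
    [string]$Member = 'mydomain\Workstation Admins',

    # Hypothetical switch: 'Present' for the managed OU,
    # 'Absent' for machines that have been moved out of it.
    [ValidateSet('Present', 'Absent')]
    [string]$State = 'Present'
)

# Well-known SID of the built-in Administrators group.
# The group's display name is localized; the SID is not.
$AdminsSid = 'S-1-5-32-544'

# Check whether the domain group is currently a direct member.
$current = Get-LocalGroupMember -SID $AdminsSid -Member $Member -ErrorAction SilentlyContinue

if ($State -eq 'Present' -and -not $current) {
    Add-LocalGroupMember -SID $AdminsSid -Member $Member
    Write-Output "Added $Member to local Administrators."
}
elseif ($State -eq 'Absent' -and $current) {
    Remove-LocalGroupMember -SID $AdminsSid -Member $Member
    Write-Output "Removed $Member from local Administrators."
}
else {
    Write-Output "No change: $Member is already $State."
}

# List the resulting membership so unexpected entries can be reviewed.
Get-LocalGroupMember -SID $AdminsSid |
    Select-Object Name, PrincipalSource, ObjectClass
```

Unlike Restricted Groups, this only touches the one named member and leaves the rest of the local Administrators group as it was.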