From a posting back in October – I believe the wisdom came from jrubinstein:
“There are a number of separate bits here.
Allowing a group to install software is partly a gpo user rights assignment issue, but you are right that you also want to make them local administrators. On our network this is done through a batch script run at logon with the line
net localgroup Administrators domain\group /add
I’m sure there are better ways to do this but although this is clunky it works.
Finally giving them the rights and tools to add computers is done through AD users and computers by right-clicking the OU (or domain) and choosing delegate control. The wizard takes you through the whole process and produces a console which you can distribute to your users. Take care with the options on the console to make sure they can’t open it in “author” mode which might allow them to extend their powers but otherwise I’ve found this method an excellent one for all kinds of delegation.”