Keeping the admins rooted...
For example, being local admins, these users can remove the default local administrators (domain admins, OU admins, etc.) defined in the SOE and practically make their computers inaccessible to these groups. This could easily be circumvented via a domain-level (or OU-level) startup script which, running under system privileges, can do virtually anything (like net localgroup administrators MyDomain\MyAccount /add, for example). However, this was a no-no as far as the AD team was concerned.
My next suggestion was to create a service (btw, I love doing this on my test PC with instsrv and srvany to automate a lot of stuff, like opening up a cmd shell with root rights --- yes, I always log in as non-root!) but this too was rebuffed.
In the end, I had to use an existing service account which runs on all clients (somewhat similar to an SMS agent, if you are familiar with MS SMS). I use this to execute the following script:
Const conForReading = 1
Const strDomain = "MyDomain"
' Path to the text file listing the default local admins, one account per line
' (placeholder path; the original post did not give the file name)
strListFile = "C:\SOE\DefaultAdmins.txt"
Set objNetwork = CreateObject("WScript.Network")
Set oFS = CreateObject("Scripting.FileSystemObject")
Set oInputFile = oFS.OpenTextFile(strListFile, conForReading)
strComputer = objNetwork.ComputerName
' Bind to the local Administrators group once, outside the loop
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
On Error Resume Next
While oInputFile.AtEndOfStream <> True
    strUser = Trim(oInputFile.ReadLine)
    If strUser <> "" Then
        ' Bind to the domain group named on this line and add it to local Administrators;
        ' with On Error Resume Next an "already a member" error is simply skipped
        Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",group")
        objGroup.Add objUser.ADsPath
    End If
Wend
oInputFile.Close
The script reads a text file containing a list of the default local admins and adds them to the local administrators group when the user logs in. It ignores any error returned.
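The same enforcement written in PowerShell, as an added example rather than the post's own script: it only adds what is missing, logs failures instead of discarding them, and reports any member of local Administrators that is not on the SOE list so drift can be reviewed centrally. The list file path, domain name and log path are placeholder assumptions; the cmdlets are the standard Microsoft.PowerShell.LocalAccounts ones shipped with Windows PowerShell 5.1 and later.

```powershell
# Added example (not the original post's script): idempotent enforcement of the
# default local Administrators membership, with a drift report.
# Assumptions: the three paths/names below are placeholders to adapt to the SOE.
$ListFile = 'C:\ProgramData\SOE\DefaultAdmins.txt'   # one account per line, e.g. "Domain Admins"
$Domain   = 'MyDomain'
$LogFile  = 'C:\ProgramData\SOE\DefaultAdmins.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogFile
}

# Required accounts from the SOE list, skipping blank lines and '#' comments,
# normalised to the DOMAIN\account form that Get-LocalGroupMember reports
$Required = Get-Content -Path $ListFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    ForEach-Object { "$Domain\$_" }

# Current membership; .Name is "DOMAIN\account" or "COMPUTER\account"
$Current = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name

foreach ($Account in $Required) {
    # -contains compares case-insensitively, so nothing is re-added needlessly
    if ($Current -contains $Account) { continue }
    try {
        Add-LocalGroupMember -Group 'Administrators' -Member $Account -ErrorAction Stop
        Write-Log "ADDED   $Account (was missing from local Administrators)"
    } catch {
        # Record the failure rather than silently swallowing it
        Write-Log "FAILED  $Account : $($_.Exception.Message)"
    }
}

# Anything in local Administrators that the SOE list does not mention
$Extra = $Current | Where-Object { $Required -notcontains $_ }
foreach ($Account in $Extra) {
    Write-Log "EXTRA   $Account is in local Administrators but not in the SOE list"
}
```

The built-in local Administrator account and the logged-on user will appear as EXTRA unless they are added to the list, which is intentional: the log shows exactly what differs from the SOE on each client.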