Windows

The short answer is yes. Win2K (and AD) is much more granular in the level of control you can delegate. This is one of the primary reasons OUs exist in Win2K. What you would do is create new administrator groups for each OU and through the Delegation of Control Wizard, specify exactly what permissions you want to assign.

Yes, there is. My first piece of advice is to plan, plan, plan! There are several ways to define security and control. Policy settings and permissions can be defined at the site or domain levels or trees and can use inheritance of permissions andyou can explicitly assign permissions.
The easiest way is to use Delegation of Control Wizard to:
*Delegate permissions to change properties on a particular container
*Delegate permissions to create and delete objects of a specific type under an OU (like users, computers, groups, printers)
*Delegate permissions to update specific properties on objects of a specific type under an OU (like setting passwords)
In Active Directory Users and Computers there is a Delegation of Control Wizard which steps you through the process of granting granular rights. Once you have migrated your PDC and created your Organizational Units, you can drill down to the site, domain org. unit or container for which you want to grant control. Right-click on it and choose "Delegation Wizard".

The thing to remember is to plan and ask a lot of 'what if..." type questions before proceeding with a delegation plan.

Actually, I think there is no way to accomplish this. The moment you give people control over a physical Domain Controller box and give them rights to install system software, you might as well make them Domain Administrators. Thinks about it, they can install (hidden) malicious services while performing the Service Pack update...
In my opinion, you need to tightly control your Domain Controllers as well as the people that manage them. Most software installations can be scripted and distributed using some tool like Microsoft Systems Management Server. This way you don't need to provide people with the ability to install system software. If you also control physical access to these Domain Controllers, you should be fine.
The other option is to create multiple forests or expand your Domain Administrators team.

This question was closed by the author