You know when we add a computer as member in a domain, by default ?domain admins group? will add to the ?local administrator group? of the computer, my boss asked me if we can change this policy where we create a new security group in the domain and add some IT staff as members in this group, and enforce the new computers which will be add to the domain to add this group to their local administrator group automatically instead of adding domain admin group.