wat
I thought I posted a reply. Well, here it is again.
Add users to a group. Give that group "Deny" permissions for logging into servers.
Possibly use "Delegate Control" function.
http://windowsitpro.com/active-direc...ed-permissions
At my work we just manually grant local administrator permissions to specific users on their usual computers and we do all the join/remove from domain operations. (Actually, any local admin can remove from domain, even without any domain admin privilege.)
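One way to carry out the "group plus Deny" suggestion above, as an added example that is not part of the original posts: it assumes "Deny permissions for logging into servers" means the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights. The group name, member names and temp paths are hypothetical.

```powershell
# Added example. Group name, member names and temp paths are assumptions.
Import-Module ActiveDirectory

$GroupName = 'Deny-Server-Logon'      # hypothetical group name
$Members   = 'alice', 'bob'           # constructed sample accounts

# Step 1 (run once, with rights to manage groups): create the group, add the users.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $Members
$Sid = (Get-ADGroup -Identity $GroupName).SID.Value

# Step 2 (run elevated on each server): export the current user rights first,
# so existing deny entries (for example Guest) are kept rather than overwritten.
$Cfg = Join-Path $env:TEMP 'user-rights.inf'
$Db  = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $Cfg /areas USER_RIGHTS | Out-Null
$Lines = [System.Collections.Generic.List[string]]@(Get-Content -Path $Cfg)

$Header = $Lines.IndexOf('[Privilege Rights]')
if ($Header -lt 0) { throw "No [Privilege Rights] section found in $Cfg" }

# Deny console logon and Remote Desktop logon for the group.
foreach ($Right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $Index = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match "^$Right\s*=") { $Index = $i; break }
    }
    if ($Index -lt 0) {
        # Right not assigned to anyone yet: add it under the section header.
        $Lines.Insert($Header + 1, "$Right = *$Sid")
    }
    elseif ($Lines[$Index] -match '=\s*$') {
        # Right present but empty.
        $Lines[$Index] = "$Right = *$Sid"
    }
    elseif ($Lines[$Index] -notlike "*$Sid*") {
        # Append the group SID to the accounts already denied.
        $Lines[$Index] = $Lines[$Index].TrimEnd() + ",*$Sid"
    }
}

# secedit templates are UTF-16; write the file back and apply only the user rights area.
Set-Content -Path $Cfg -Value $Lines -Encoding Unicode
secedit /configure /db $Db /cfg $Cfg /areas USER_RIGHTS
```

In a domain these two rights are more commonly set in a GPO linked to the servers' OU under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. A GPO that defines them replaces the local values written here at the next policy refresh.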