We have three servers, one running Small Business Server 2003, and two running Server 2003 Standard SP2 (one for files, CRM, and as an additional DC, the other for web development and a few other things.
We want to be able to grant certain users admin access to pretty much everything on the two Server 2003 machines, and some programs (e.g. DNS server) on the SBS machine, without giving them access to administer the domain.
The brief from management is that we want to make sure that these users will not have access to certain files on the servers - and of course if they have admin rights it's possible for them to reset permissions.
I'm not sure about the best way to go about this - I've had a go at something similar in the past but it just ends up with the users not being able to do what they need to do!