Restricted groups is the answer, but the process is not obvious.
Search this newsgroup or Microsoft's Knowledgebase for adding local
administrators through Group Policy. In a nutshell, you'll group the
target machines in an Organization Unit and add a security group to
that OU containing the intended local administrators. Then, on a
member server or workstation with the Admin Tools installed, you'll go
to Retricted Groups and add administrators, and then add that new
local admin security group to the administrators. A lot of steps in
two different locations, but it works.