Suppose you have two groups, "Workstation admins" and "Server admins", neither of which is in "Domain admins", hence they don't have control over Active Directory; neither of them has admin rights on any domain controller, and neither of which has admin privileges on the other group's machines.
If a workstation admin ever logs into a server, or vice versa, then that group can potentially gain the others' passwords. This is because, with local admin rights, you can take control of a machine remotely and use the other users' permission to do whatever your want.
hey zooligan - you wouldn't happen to be in Atlanta would you?
another way... i'm not gonna go into details is to install a script/batch to run at startup which will automatically add an user into to domain admin group given that it is run while authorised person is logged in.