i cannot for the life of me understand why you would give anyone local admin rights(installing can eb done through GPO and automated), if they need software installed just setup a install script using WMIC commands in a batch file. If they ring and ask for software to be deploy, it literally takes one line of txt (The machien name) in a batch file to trigger the install.
That is the bigegst No No of administering any network. If you need a hand deploying software then DesktopCenteral can be installed for free upto 50 nodes and it has predefiend installations for common software.
Anyway create a GPO for the OU groups and assign the following
ComputerConfig\Preferances\Control panel Settings\Services.
Now disable the following services when the computer starts.
Function Discovery Resource Publication,
UPnP Device Host
An example of installing say Pidgin across any branch running from a replicated software DFSR
set /p target=What is the name of the Target computer:
ECHO Copying over Pidgin to %target%'s C:\ drive
XCOPY /e /q /y "\\someUNCorFQDN\pidgin.exe" "\\%target%\C$"
ECHO Now installing Pidgin
wmic /node:%target% process call create "\\%target%\C$\pidgin.exe /DS=1 /SMS=1 /S"
ping -n 60 127.0.0.1 > %TMP%\NULL
ECHO Cleaning up files........................
This will only take the time it takes to enter the machine name mate. I wouldnt have room on this page to describe why you dont give the end users admin rights and like old mate above said, file permissions wont matter when you give admin rights to a standard user because a simple token kidnap is all thats needed to get admin rights to the whole domain.