Not to be TOO rough but, if that is the case where any user can have Admin by logging on, why just create one domain account called "user" and give the account the password "password". I think what you suggest is problemmatic. You are right back to to the "domain admin" group level of access that you did not want to grant.
Are your computers shared? Do most of your computers have a single user? How many account? How many computers? What about "Power Users"?
