If I understand it correctly, then the user that is logging in is a domain user, right? Now, if the 'Domain Users' group is part of the local 'Administrators' group, then a new employee will automatically receive the local administrator rights on the computer as long as he's a member of the 'Domain Users' group. When the employee leaves, just delete/disable the account and you're done.

Now, whether you have only one user in the admin group while he's logged in or the domain users group as a fixed administrator group doesn't really matter since you are creating the same low security and a knowledgeable user will circumvent it anyway within minutes.

However, if you still want to do it the dynamic way, then you will need to utilize either SU.EXE or the Task Scheduler in combination with an encrypted and/or compressed/executabled script to hide the password. There are a couple of examples posted on this BBS.
_________________________
There are two types of vessels, submarines and targets.
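
An audit check for the setup described in the post above, where 'Domain Users' is nested in the local 'Administrators' group. This is an added example, not part of the original post. The function names `Test-BroadAdminSid` and `Get-BroadLocalAdmin` are hypothetical, and it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module.

```powershell
# Added example: flag broad groups that hold local administrator rights.
# Well-known SIDs: S-1-1-0 Everyone, S-1-5-11 Authenticated Users,
# S-1-5-32-545 BUILTIN\Users. A domain SID ending in -513 is 'Domain Users'.
function Test-BroadAdminSid {
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -in 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545') { return $true }
    return $Sid -match '^S-1-5-21-\d+-\d+-\d+-513$'
}

function Get-BroadLocalAdmin {
    # S-1-5-32-544 is BUILTIN\Administrators; the SID avoids localized names.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { Test-BroadAdminSid -Sid $_.SID.Value } |
        Select-Object Name,
            @{ Name = 'SID'; Expression = { $_.SID.Value } },
            ObjectClass, PrincipalSource
}

$findings = @(Get-BroadLocalAdmin)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning ("{0} broad group(s) hold local administrator rights on {1}." -f
        $findings.Count, $env:COMPUTERNAME)
} else {
    Write-Output "No broad groups in local Administrators on $env:COMPUTERNAME."
}
```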