Something has been bugging me recently. I am seeing a lot of customers taking the "easy" option when it comes to delegating permissions to their various tiers of support staff, e.g. making everyone remotely associated with the support of their environment a Domain Administrator. This is definitely not Microsoft-recommended best practice. Our recommended option is to go for a delegated model, giving your support staff what they "need" to do their job, reducing attack vectors, and not exposing your environment to unnecessary risks. Therefore I thoroughly recommend the following downloadable document.
This is a great document detailing the planning and execution of a delegated administrative model, which minimizes the risk to your Active Directory but allows your admin staff to do their day-to-day job... therefore, good bedtime reading with the cocoa. :)