Caveat: You really don't want your users to be "Administrators" on their PCs. You want to find a method to automate the distribution of software (see Mass installation on networked Windows computers? amongst other Server Fault answers) in lieu of allowing users to install the software themselves. (There are a variety of reasons why you don't really want this-- exposing the company to liability for unlicensed software, being able to install malicious software, and just plain screwing up their computers are a few good ones.)
Having said that, Restricted Groups functionality in Group Policy is what you're looking for. It'll automate the group nesting on an arbitrary number of computers.
Instead of creating a nightmare for yourself later (not to mention a political situation where you can't ever take back the users' "Administrator" rights) I'd recommend you think strongly about learning how to centrally deploy software first.
Edit:
My answer re: managing updates for Adobe Reader is the same answer I'd give to you re: managing updates for the JRE and other "necessary evil" software like it. I'd develop a coordinated process of installing the software with Group Policy and updating it by deploying new packages when patches are released.
I don't find a specific Windows Vista or newer related article, but I think this would count as canonical documentation: How to change a computer name, join a domain, and add a computer description in Windows XP or in Windows Server 2003. This documentation indicates that you can modify the computer name and domain at the same time (and doesn't caution against it).
I suspect you're dealing with someone who has the same superstition that I've had over the years: Change the computer name, reboot, then join the domain.
I know that I've seen instances where doing that has ended up with a broken domain trust relationship on the client computer. I never documented the specific workflow necessary to create that undesirable scenario. My pragmatic streak kicked in and just caused me to rename, reboot, and then join. For fun, I may try to do some replication in a VM.
Edit:
I had a few minutes for some VM testing fun.
I ran two really simple tests on a Windows XP Professional SP3 VM, starting fresh from a template configured in a workgroup.
Changed computer name and domain together, provided domain credential, received dialog indicating that domain join succeeded, rebooted, and found that I had a good domain trust relationship.
Joined domain, provided domain credential, received dialog indicating that domain join succeeded, clicked "Change" button in "System Properties" dialog again, changed computer name, provided domain credential, rebooted, and found that I had a good domain trust relationship.
Obviously there are possible permutations if you bring dodgy DC replication into play, changing the domain trust relationship with a command-line tool like netdom, and probably a whole host of other factors that could influence the result. In general, though, it looks like Windows XP (and likely every follow-on Windows version) can handle the change to both the computer name and the domain trust relationship together without a reboot between.
I'll probably still reboot between, personally.
Best Answer
Go into your Domain Security Policy>Local Policy>User Rights Assignment and change the "Add workstations to domain" to just the groups you want.
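To check the result of that setting, the following added example (not part of the original answer) parses a `secedit /export` file and lists who holds `SeMachineAccountPrivilege`, the privilege behind "Add workstations to domain". The function name `Get-MachineJoinPrincipals` is hypothetical, the sample export is constructed, and the real export is assumed to be taken on a domain controller from an elevated prompt.

```powershell
# Added example: report which principals hold "Add workstations to domain"
# (SeMachineAccountPrivilege) in a secedit user-rights export.
function Get-MachineJoinPrincipals {
    param([Parameter(Mandatory)][string[]]$InfLines)

    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeMachineAccountPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }   # no explicit assignment in this export

    foreach ($raw in (($line -split '=', 2)[1] -split ',')) {
        $entry = $raw.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs with a leading asterisk
            $sid = $entry.TrimStart('*')
            try {
                $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved>' }
        } else {
            $sid = $null; $name = $entry   # already written as an account name
        }
        # Flag Authenticated Users, Everyone, BUILTIN\Users and Domain Users.
        $broad = ($sid -in 'S-1-5-11', 'S-1-1-0', 'S-1-5-32-545') -or
                 ($sid -match '^S-1-5-21-.+-513$')
        [pscustomobject]@{ Sid = $sid; Name = $name; TooBroad = $broad }
    }
}

# Constructed sample: what the export looks like when Authenticated Users
# still hold the right.
$sample = @'
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
'@ -split "`r?`n"
Get-MachineJoinPrincipals -InfLines $sample | Format-Table -AutoSize

# Against a live domain controller (elevated prompt assumed):
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   Get-MachineJoinPrincipals -InfLines (Get-Content "$env:TEMP\rights.inf")
```

After the policy change has applied, no row should have `TooBroad` set to `True`.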