Hello @Omid Shojaee
Restricted groups are one clean option in defining permissions granted through membership in machine local security groups. Domain members should be managed by the domain.
Desktop Administrators as a group with local administrative permissions on client workstations. Use your Restricted Groups policy to add the Desktop Administrators and Domain Admins to the local Administrators group on however many workstation containers you have. Ideally your support staff (and yourself) don't use privileged accounts for normal desktop work - give everyone a separate account for desktop support that has membership in your Desktop Administrators group.
For more details reference:
User Account Control: Admin Approval Mode for the Built-in Administrator account
Active Directory Accounts
Hope this helps with your query!
--If the reply is helpful, please Upvote and Accept as answer--
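An added example, not part of the original answer: a PowerShell check that a workstation's local Administrators group contains only the groups the Restricted Groups policy described above is meant to place there, so drift (a user added by hand, a policy that never applied) is visible. The domain name `CONTOSO` and the exact group names are assumed placeholders, and the function name `Get-LocalAdminDrift` is hypothetical.

```powershell
# Added example. CONTOSO and both group names are assumed placeholders;
# replace them with the domain and groups named in your own policy.
$ExpectedMembers = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Desktop Administrators'
)

function Get-LocalAdminDrift {
    param(
        [Parameter(Mandatory)] [string[]] $Expected
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup also works on localized systems where the group is renamed.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    # The built-in local Administrator account (RID 500) cannot be removed
    # from the group, so it is not counted as drift.
    $actual = $members |
        Where-Object {
            -not ($_.SID.Value -match '^S-1-5-21-.+-500$' -and
                  $_.Name -like "$env:COMPUTERNAME\*")
        } |
        ForEach-Object { $_.Name }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        # Present on the machine but not in the policy's member list.
        Unexpected = @($actual | Where-Object { $_ -notin $Expected })
        # In the policy's member list but absent on the machine.
        Missing    = @($Expected | Where-Object { $_ -notin $actual })
    }
}

$result = Get-LocalAdminDrift -Expected $ExpectedMembers
$result | Format-List

if ($result.Unexpected.Count -or $result.Missing.Count) {
    Write-Warning "Local Administrators on $($result.Computer) does not match the Restricted Groups policy."
    exit 1
}
```

A non-empty `Missing` list usually means the GPO is not linked to or not applying on that workstation's container; a non-empty `Unexpected` list means a member was added outside the policy.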