Windows 2003 Domain. Best way to assign permissions to technical support

If they're going to need to troubleshoot workstations, they'll indeed need local Administrator rights.

Your approach is right: use a domain group (but it has to be domain global if you want to nest it inside anything else), and put user accounts into it; it's best to not assign permissions to specific user accounts, groups exist exactly for this purpose.

About adding the group to the local Administrators group on each workstation: please don't do that by hand :-)

Use either a simple machine startup script with the command net localgroup Administrators /add DOMAIN\YourGroup, or the Restricted Groups group policy setting.

Create a "Workstation Admin" Domain Local scoped group. Put all workstations in a common OU hierarchy or same OU. Link a GPO with a restricted groups setting for the admin group to include Workstation Admin only. Now, nest any logical groups of personnel into that group who should have this access. You likely would want "Support" and "Domain Admins" nested in that group.
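
The startup-script option mentioned above, written so it can run on every boot; this is an added example, not part of the original answers. It assumes an English-language Windows (the local group is named Administrators), keeps the DOMAIN\YourGroup placeholder from the answer, and uses a made-up event source name and event IDs.

```batch
@echo off
rem Added example: idempotent machine startup script (runs as SYSTEM via GPO).
rem DOMAIN\YourGroup is the placeholder from the answer above.
rem The event source name and the IDs 900/901 are hypothetical.
setlocal
set "GROUP=DOMAIN\YourGroup"
set "SOURCE=AddLocalAdmins"

rem "net localgroup ... /add" exits non-zero when the group is already a
rem member, so check first. Otherwise every boot after the first one looks
rem like a failure and real errors (for example, the domain being
rem unreachable at startup) cannot be told apart from it.
net localgroup Administrators | findstr /I /L /X /C:"%GROUP%" >nul
if not errorlevel 1 goto done

net localgroup Administrators "%GROUP%" /add >nul 2>&1
if errorlevel 1 (
    rem Leave a trace in the Application log so failed machines can be found.
    eventcreate /T ERROR /ID 901 /L APPLICATION /SO "%SOURCE%" /D "Could not add %GROUP% to local Administrators." >nul
    endlocal
    exit /b 1
)

rem Record the change once, on the boot where it was actually made.
eventcreate /T INFORMATION /ID 900 /L APPLICATION /SO "%SOURCE%" /D "Added %GROUP% to local Administrators." >nul

:done
endlocal
exit /b 0
```

Unlike the Restricted Groups setting, a script like this only adds the group; it does not remove other accounts that are already in the local Administrators group.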