Can I have a 'limited Administrator' for the purposes of unlocking workstations?

Solution 1:

As already explained, you do not need a domain admin to 'unlock' a computer; the user is only required to be a local administrator.

The best solution I think here is to automatically log out users that are idle for a certain period.
EDIT:

It's not a straightforward GPO and requires a bit of a kludge with modifying the Windows screensaver. Here's what you do:

  1. Download the Windows Server 2003 Resource Kit Tools
  2. Copy the Winexit.scr out of the resource kit to the %systemroot%\system32 directory on each workstation
  3. Create a user GPO with the following settings:
     - for screensaver executable name use: winexit.scr
     - for screen saver time-out specify how long the idle time should be before logging out. This is in seconds.
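
A way to confirm on a workstation that steps 2 and 3 took effect, as an added example that is not part of the original answer. It assumes the user GPO writes its screensaver settings under `HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop`; the `$maxIdle` threshold and the `ScreenSaveActive` check are additions not mentioned in the answer.

```powershell
# Added example: audit the forced-logoff screensaver setup for the current user.
# Run inside the user's session, because the policy values live in HKCU.

$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$scrPath   = Join-Path $env:SystemRoot 'System32\winexit.scr'
$maxIdle   = 1800   # assumption: longest idle time (seconds) you are willing to accept

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when the key or value is absent (GPO not applied to this user).
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$findings = @()

# Step 2: the screensaver binary must be present on the workstation.
if (-not (Test-Path -LiteralPath $scrPath)) {
    $findings += "winexit.scr not found at $scrPath"
}

# Step 3: the policy must name winexit.scr as the screensaver executable.
$exe = Get-PolicyValue 'SCRNSAVE.EXE'
if (-not $exe) {
    $findings += 'No screensaver executable is set by policy'
} elseif ((Split-Path -Leaf $exe) -ne 'winexit.scr') {
    $findings += "Policy screensaver is '$exe', not winexit.scr"
}

# Step 3: the time-out is stored as a string holding a number of seconds.
$secs = 0
$timeout = Get-PolicyValue 'ScreenSaveTimeOut'
if (-not [int]::TryParse([string]$timeout, [ref]$secs) -or $secs -le 0) {
    $findings += "Screen saver time-out is missing or invalid ('$timeout')"
} elseif ($secs -gt $maxIdle) {
    $findings += "Time-out of $secs s exceeds the $maxIdle s limit"
}

# Not in the answer: if the screensaver is not forced on, the user can disable it.
if ((Get-PolicyValue 'ScreenSaveActive') -ne '1') {
    $findings += 'Screensaver is not forced on by policy (ScreenSaveActive is not 1)'
}

if ($findings.Count -eq 0) {
    Write-Output "OK: idle users are logged off after $secs seconds"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```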

Solution 2:

Adding the Domain accounts for your other tech assistants to the local Admins group on each PC should be all that's required.

Beware of unlocking though, as it will force the logged-on account to log off, close all their files, and potentially lose unsaved work. User education is really the only way.