I've created two more groups in the WolfTech AD, "ISO_SHS-Server-Admins" and "OIT_SHS-Server-OnCall".

I've populated ISO_SHS-Server-Admins and set a group policy so that any servers installed under the OU=OIT_SHS,OU=Computers container will have this group in the local Administrators' group.

I haven't set any rights for OIT_SHS-Server-OnCall, as we need to work out what permissions one would need to do our combined on-call rotation.  Certainly "Reboot", "Start/Stop Services", and "Interactive Login."  The oral plan has been to limit rights by the "principal of least privilege" and one doesn't need every possible right to a server in order to be the first responder for it.