Instead of having code on the local computer that has to autologon with admin rights and/or run with impersonation, what about trying a different approach?

Join all new computers into a special temporary OU and assign a GPO "Startup" (not logon) script to the OU. IIRC, "Startup" scripts run in the local system security context. Do all the things you need to do from there and as the last step, move it to the designated OU.

Another approach may be to split the tasks between a "Startup" script and a central admin script that watches the special OU and takes care of domain admin related stuff.

Just a thought...
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
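One way to build the "central admin script" half of the split approach, as an added example that is not part of the post above: it sweeps the staging OU from an admin workstation, does the domain-admin work for machines whose startup script has finished, and only then moves them to their final OU. The OU paths, the group name, and the `Description` marker the startup script leaves behind are all assumptions.

```powershell
# Added example (not from the original post). Runs under a domain admin account on an
# admin host, e.g. from a scheduled task, so no admin credential ever lives on the new PC.
Import-Module ActiveDirectory

$StagingOU   = 'OU=Staging,OU=Workstations,DC=corp,DC=example'  # assumed staging OU
$TargetOU    = 'OU=Workstations,DC=corp,DC=example'             # assumed final OU
$TargetGroup = 'Workstation-Standard'                           # assumed group
$MaxAgeHours = 24                                               # how long staging may take

# Only promote machines whose startup script has signalled completion. Here that signal is
# assumed to be a marker the startup script wrote into the computer's Description attribute;
# the startup script runs as SYSTEM, which can update its own computer object.
$ready = Get-ADComputer -SearchBase $StagingOU -SearchScope OneLevel `
            -Filter 'Description -like "startup-done*"' -Properties Description, whenCreated

foreach ($computer in $ready) {
    try {
        # Domain-admin-only work belongs here, never in the startup script on the client.
        Add-ADGroupMember -Identity $TargetGroup -Members $computer

        # Last step: leave the staging OU so the staging GPO (and its SYSTEM-context
        # startup script) no longer applies to this machine.
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOU
        Write-Output "Promoted $($computer.Name) to $TargetOU"
    }
    catch {
        # A failure leaves the machine in staging for the next sweep rather than
        # half-provisioned in the production OU.
        Write-Warning "Failed to promote $($computer.Name): $_"
    }
}

# Machines that have sat in staging too long without finishing are reported, not moved,
# so a failed or tampered startup run is never silently promoted.
$cutoff = (Get-Date).AddHours(-$MaxAgeHours)
Get-ADComputer -SearchBase $StagingOU -SearchScope OneLevel -Filter * -Properties whenCreated |
    Where-Object { $_.whenCreated -lt $cutoff } |
    ForEach-Object { Write-Warning "Stale in staging since $($_.whenCreated): $($_.Name)" }
```

Restrict write access on the staging OU to the account that runs this sweep, so the startup script's SYSTEM context can update only its own computer object and nothing else in the domain.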