On the AD side of the house you can use delegation; you can also extend the delegation control wizard
http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.htmlQuest (active roles) and NetIQ (DRA) also make good third party tools to help with delegation and rights
In terms of Tier II and Tier III to have full reign to troubleshoot hardware and software means they will have to be able to install software and even shutdown boxes for hardware installs. You an use restricted groups to define admins on various machines
http://www.frickelsoft.net/blog/?p=13I think the main difference is what I'd give tier II and Tier III access too (i.e. admin rights on critical servers). Actually help desk usually only gets admin rights to workstations where I have worked....never to servers.
Thanks
Mike