Using GPOADmin, you can be very granular with who is allowed to do what with a particular Group Policy. Much like Active Roles, GPOAdmin allows you to grant specific rights to your Administrators and make the changes through a service account. Thus greatly reducing the need to grant the rights natively.
Finally, we have secured Active Directory literally from the inside out. Obviously this is just a very high level introduction, but it's important to know that Quest Software sells the tools and can help you secure your Active Directory environment to significantly reduce your risk of a data breach. Please reach out to your Account Manager to schedule a more in depth discussion and a demonstration.