This is how to add an AD group in SQL Server through a New Query window (a Windows login must be written as DOMAIN\name):
CREATE LOGIN [DOMAIN\AD_group_name] FROM WINDOWS WITH DEFAULT_DATABASE=[user_database];
PS. The users log onto their workstation as aUser but have admin accounts to access the databases, say adminUser. I can't see anywhere in the SQL Server Management Studio logon where you can specify a different Active Directory user to log on as?
You can explicitly say when you see this user, change credentials to this user. Whichever account they open SSMS with is the account they work under. There is an EXECUTE AS statement that can be used but that is within T-SQL code.
The right plan depends on how many users we are talking about. For a small number you could just restrict each account individually. For a large number of users, you could probably create an AD group like SQL_AdminLockdown, then add that group to SQL and deny the major admin permissions to that group that you don't want any user to be able to use. Like
DENY EXECUTE ON sp_detach_db TO [DOMAIN\SQL_AdminLockdown];
A lot of securing the server has to do with ignorance of the user. If they know how to do advanced things in SQL then they can probably figure out how to get around things. I would get your plan down on how much you actually can lock it down, without interfering with users, and then take that to management. If they want you to support it when something breaks, some rules have to be put in place on what a user can and cannot do. Then the users need to know the ramifications if those boundaries are crossed.
I would also look at creating server-side traces. This will allow you to monitor everything the user/group is doing on the server. This can be used as your backup document for disputes;-). User says "I did not do that, so-and-so did". Your response "Oh yeah, well according to this trace file your user account executed these commands against this database at this time.".
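Worked example, added here and not part of any post above: the sequence the last answer describes, written out in T-SQL with the details a practitioner would want. DENY names its target with TO, not FROM (FROM is REVOKE syntax), and sp_detach_db lives in master, so the deny has to be issued there against a database user mapped to the group's login. More importantly, a DENY is never applied to members of the sysadmin fixed server role, so this lockdown only works if the admin accounts are not sysadmin; step 3 uses EXECUTE AS, the context switch the answer mentions, to make that visible. Step 4 records what the accounts run; the answer suggests a server-side trace, but SQL Trace has been deprecated since SQL Server 2012, so the same purpose is served here by an Extended Events session and a query over its file. CONTOSO, SQL_AdminLockdown, adminUser, user_database and the session name AdminLockdownAudit are placeholders, and the example assumes the group already exists in the domain.

```sql
-- Added example, not from the original thread. CONTOSO, SQL_AdminLockdown,
-- adminUser and user_database are placeholders; substitute your own names.
USE master;
GO

-- 1. Map the AD group to a server login. Windows logins are always DOMAIN\name.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\SQL_AdminLockdown')
    CREATE LOGIN [CONTOSO\SQL_AdminLockdown] FROM WINDOWS
        WITH DEFAULT_DATABASE = [user_database];
GO

-- 2. Deny the procedure. DENY uses TO (FROM belongs to REVOKE), and because
--    sp_detach_db is a master procedure the group needs a user in master to
--    hang the DENY on. A DENY has no effect on sysadmin members: if the admin
--    accounts are sysadmin, this step is silently ignored.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\SQL_AdminLockdown')
    CREATE USER [CONTOSO\SQL_AdminLockdown] FOR LOGIN [CONTOSO\SQL_AdminLockdown];
DENY EXECUTE ON OBJECT::sys.sp_detach_db TO [CONTOSO\SQL_AdminLockdown];
GO

-- 3. Check the result from a group member's point of view. EXECUTE AS switches
--    the security context inside the batch; REVERT switches it back.
--    is_sysadmin = 1 means the DENY above is being bypassed; can_detach should be 0.
EXECUTE AS LOGIN = N'CONTOSO\adminUser';
SELECT IS_SRVROLEMEMBER('sysadmin')                                  AS is_sysadmin,
       HAS_PERMS_BY_NAME('sys.sp_detach_db', 'OBJECT', 'EXECUTE')    AS can_detach;
REVERT;
GO

-- 4. Audit what domain accounts execute. Extended Events replaces the deprecated
--    server-side trace. XE cannot test group membership, so the predicate matches
--    the login name: here every CONTOSO\ login, narrow it to the admin accounts
--    with = if the domain is large. The .xel file lands in the instance LOG directory.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = N'AdminLockdownAudit')
    DROP EVENT SESSION [AdminLockdownAudit] ON SERVER;
GO
CREATE EVENT SESSION [AdminLockdownAudit] ON SERVER
ADD EVENT sqlserver.sql_statement_completed
    (ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
             sqlserver.database_name, sqlserver.sql_text)
     WHERE sqlserver.like_i_sql_unicode_string(sqlserver.server_principal_name, N'CONTOSO\%')),
ADD EVENT sqlserver.rpc_completed
    (ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
             sqlserver.database_name, sqlserver.sql_text)
     WHERE sqlserver.like_i_sql_unicode_string(sqlserver.server_principal_name, N'CONTOSO\%'))
ADD TARGET package0.event_file
    (SET filename = N'AdminLockdownAudit.xel', max_file_size = 50, max_rollover_files = 10)
WITH (STARTUP_STATE = ON);   -- survives an instance restart
GO
ALTER EVENT SESSION [AdminLockdownAudit] ON SERVER STATE = START;
GO

-- 5. The "backup document": who ran what, where and when, read back from the file.
SELECT n.ev.value('(@timestamp)[1]', 'datetime2')                                    AS event_time,
       n.ev.value('(action[@name="server_principal_name"]/value)[1]', 'sysname')     AS login_name,
       n.ev.value('(action[@name="client_hostname"]/value)[1]', 'sysname')           AS client_host,
       n.ev.value('(action[@name="database_name"]/value)[1]', 'sysname')             AS database_name,
       n.ev.value('(action[@name="sql_text"]/value)[1]', 'nvarchar(max)')            AS statement_text
FROM sys.fn_xe_file_target_read_file(N'AdminLockdownAudit*.xel', NULL, NULL, NULL) AS f
CROSS APPLY (SELECT CAST(f.event_data AS xml) AS x) AS c
CROSS APPLY c.x.nodes('/event') AS n(ev)
ORDER BY event_time;
```

Run it as a sysadmin in one SSMS query window. The DENY in step 2 is the only line that needs changing per procedure you want to block; for server-level actions (shutting the instance down, altering any database) use server permissions such as DENY SHUTDOWN or DENY ALTER ANY DATABASE to the login instead of object-level denies, and remember that every one of them is ignored for sysadmin members, so taking the admin accounts out of that role is the first step, not the last.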