You currently do this in Workgroup Manager, using the 'Privileges' tab. It works the way you want it to work, but I don't know of a way of doing it in Profile Manager.
An app accessing LDAP could be coded to do this for you, too. Could well be implemented as a web app via authenticated https, or something that's installed on the instructors' iOS (or OS X or Windows or Linux...) devices and connects to the domain from there. If your kids are old enough, corral a few of your more code-savvy ones and hand them this project. (They'd probably have a blast learning how to do this, too.)
Thanks for the information. Looking at my 10.7 Lion servers, I see what you are referencing in Workgroup Manager. However, on my testbed 10.8 Mountain Lion server, I'm only getting Full and None as options for administrative levels. Has the Limited option and subsequant suboptions been dropped in 10.8 or did I either incorrectly import my user list or setup the OD in some fashion?
Can anyone confirm that they have Limited as an admin priviledge level on a 10.8 server?
Well thank you for being so polite. Yes, on looking on my 10.8 server, I have the same thing. How annoying. I have no idea how to answer your question. If the management abilities are no longer in Workgroup Manager then there's a change that the server doesn't pay any attention to the settings, so manually changing settings in LDAP won't have any effect either.
At least I can verify that it's not just you who gets that result. I wonder what happened and how we're meant to do this now.