I am mostly writing this here so I can find it again in the future, because I have to do this again every few years... But if this helps others - or if you know why this will break in the future - let me know.
Create a new policy, go into Files and Processes, and in Execute Command put this:
/usr/sbin/dseditgroup -o edit -a MyAdminGroupName -t group admin
(Reminder: put your group name where MyAdminGroupName is)
Maybe this will help Active Directory users too?
