I opened an AAA session a couple of weeks ago on this topic; I was told you have to do it with two sources to AD: one checks the standard-user OU and the other checks the admin-user OU.
This only gets messy, in my opinion, when there are shared entitlements, e.g. a normal-user entitlement assigned to an admin-user account (though in a properly split environment, where admin accounts do not get access to normal-user resources, this should not be a problem).