Probably so many people thought the answer is obvious they never considered they could pass it on.
Our setup is simple, each Visitor can create their own account, and once they have done that, they cannot actually do anything else until they are given the enrollment key to the course they are trying to get to. (The only exception to this is new staff, the Admins enter their initial details, and assign them the Staff Role, and they can re-edit their id to whatever they want. Btw, the Staff Role is only the Authenticated User Role with permissions to see a couple of hidden folders we use for Staff materials.)
Using enrolment keys mean only that people who have the key are the ones that can enter - obviously.
IM(NS)HO the guest login should only be permitted on demonstration courses, and should never be allowed for any other course.
Once all students who have been permitted entry the enrollment key is changed. Even if a Student knew the old key, they should not know the new one. Anyone who is enrolled that is not supposed to be there is kicked out the course with a strongly worded email, or suspension/deletion from the Moodle. An Admin can suspend accounts - preferable to deletion.
Herein lies the key to a small admin role, once the key is changed, you can concentrate on the delivery of the course or mentoring or even actual teaching of the materials, suit yourself.
Issues: New Students are added into courses by the Teacher, actually cuts down Admin time. Other Staff can only be permitted into a course if they are delivering the same course, OR if the Teacher permits them entry. Admins DO NOT grant teachers access to any course any time without prior request from an Assistant Principal or above. (Some people get a little precious about "their" courses so this is always a contentious issue.) ONE Teacher per course, everyone else is a Non-editing Teacher - which really annoys some people, but it also means course editing is seriously scrutinized by peers.