To the comment below about measuring security... Usually this comes from putting security theater over pragmatism. Everything is so granular it's impossible to figure out what people need, so you fuck around with it for a day and then give up and just give 'em local admin because actual work needs to be done. You can't get away from the fact that work requires write access. All those groups and policies are meaningless when the rubber hits the road. In the end you just have to hire people who can be trusted to do the right thing and not burn the house down.