• This seems to take on two separate issues - control of their local computer and access control. As such I'll give my thoughts in that format.

    Local Computer - I lean towards role-based rights. Unless you're someone who needs to have specialized software for your job (mostly developers), you don't get permission to install anything. There's no reason for it and it's a huge security hole. I've seen departments buy software and expense it, then expect IT to support whatever they did, and can't produce the licenses.

    Access - Give the minimum needed to perform the job. Use AD groups to control... groups of people. If an individual can't handle creating indexes, that's a performance/management issue, not one to be addressed with access control. It makes things much easier from an administrative side (add new employee to X groups) and keeps things consistent.

    I guess it boils down to letting them get their work done and keeping things under control.