• Agreed; however, current mainstream operating systems such as Microsoft Windows just are not up to the task of such finely grained administrative-level access. This is largely due to the legacy where Windows evolved from a standalone system where the single user had full administrative access to everything. Legacy practices and configuration continue from this base, and it would take a rewrite from scratch to fix this. In general, good security is built in from the start; it cannot be usefully and reliably retrospectively patched on top.

    It's not helped that I still deal with idiot developers who think adding a hard-coded account into a system for administrative purposes is a good thing, or whose solution to application security "problems" is to either disable security or to insist that the application can only be run with administrative-level access to a system or database.