Active Directory

Distribution of access rights for administrators of different levels?

Hello!
Either I searched badly or there is really little information. How to organize access rights for different access levels for administrators? How to give rights in such a way that a person does not have the right to enter a certain machine, for example, DC, that is, sometimes in my case it is easier to make a ban on a separate source, and on other stations / servers it is possible. Further, when a person passes a certain period, then the question is that, for example, everything on the same DC can be a DHCP and DNS administrator, otherwise an ordinary user. That is, the issue is not only in the permission / ban format for the station / resource, but also more flexible rights in snap-ins and settings for other admins.
I saw approximately that it is possible to give rights to OU, it is configured on the DC itself, I understand. But the question is what schemes are you using? How technically and not in words to organize it?
It is understandable that a new employee needs to be given out everything in parts, but often on the Internet I see that they give out very often either all or nothing in their offices, based on trust. Although, as for me, this is due to incompetence, like mine, with the only difference being that I am trying to change this in myself.
If a person has already been accepted, then here, too, I believe that he should have exactly as many rights as necessary to fulfill his official duties.