How many accounts should an administrator have?
Imagine this situation:
There are several administrators and IT employees with elevated rights in the domain infrastructure.
Everyday tasks are all performed with the rights of a regular user. In order not to compromise the domain administrator account, its use is only allowed for tasks where domain administrator rights are actually required. For IT employees who must have local administrator rights (for example, to install software) on their own or other PCs, a separate (third) domain account is created, which has local administrator rights on domain PCs.
IT employees also have administrative access to various systems, such as the antivirus console, 1C, the authentication server, etc. All of these use domain authentication.
On the one hand, it seems logical to use the regular user account for these systems, since this is 1) not a domain administrator's task and 2) not a local administrator's task. On the other hand, the regular user's account is then not simple at all.
What is your opinion on how to properly organize administrators' access to IT systems that use domain authentication?
Set up admin groups such as antivirus_rw, freepbx_rw, register these groups in your services as admin groups and assign the right employees to the groups.
That's right: use a separate account, or separate accounts, for system administrators, and in no case add any additional rights to the accounts under which they log in to their own computers.
How many such additional accounts there will be depends on tasks, infrastructure, levels, etc.
It is very good when different levels of admin privileges have different accounts and their rights do not overlap (at the highest level of administration). If one is compromised, the rest remain. If the administrator goes everywhere with one account, then one day he will leak it somewhere.
For users, yes, allocate local administrator accounts. I would also recommend denying those local admins network logon to workstations. Otherwise, one day you will catch a worm that infects the entire network from a single admin.
1C, antivirus, etc.: that is definitely the user and his own account, but internal server-to-server interaction, for example between the 1C and SQL servers, gets a separate account, possibly not even a domain one. In general, with such products you should start from their own specific security recommendations. Often an admin account is not required at all for different services to interact with each other when they are configured correctly.
In general, put yourself in the place of an attacker who bought online a database of your organization's accounts compromised through phishing and trojans, ransomware and exploits against antivirus products. Just imagine that he can now log in remotely, and once he is in, he will use another tool: his brain. He will look around and do everything right, so that afterwards you are burned and have no other way out than to pay the ransom.
Think in terms of this paradigm. The strengths and weaknesses of your decisions become much clearer in the light of this approach. The real goals and objectives become visible immediately...
And finally, AD provides any desired degree of abstraction of rights. Somewhere you need to grant access to users by name, and somewhere you use several nested groups.
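Below is an added PowerShell example, not code from any of the answers, that puts the pieces of this thread together: per-service admin groups (antivirus_rw, freepbx_rw) that are granted to the everyday account, separate non-overlapping admin accounts for domain and workstation administration, and, on the workstations, local admin rights for the workstation-admin group combined with a deny of network logon so one compromised admin cannot hop from PC to PC. It goes one step beyond the thread by also denying the domain-admin account interactive logon on workstations. The domain corp.local, the OU, the employee jsmith and the account prefixes adm-/wsadm- are assumptions for illustration.

```powershell
# Added example, not part of the original thread.
# Part 1 runs where RSAT / the ActiveDirectory module is available.
# Part 2 runs on each workstation (in practice you would push the same
# user-rights assignment with a GPO instead of secedit per machine).
# Assumed: domain corp.local, OU "Admin Accounts", everyday user "jsmith".
Import-Module ActiveDirectory

$domain   = 'corp.local'
$ou       = 'OU=Admin Accounts,DC=corp,DC=local'
$employee = 'jsmith'   # everyday, unprivileged account, already exists

# --- Part 1: groups and tiered accounts -----------------------------------
# One group per admin level and one per service (answer 1's *_rw groups).
$groups = @(
    @{ Name = 'Workstation Admins'; Description = 'Local admin on domain workstations only' },
    @{ Name = 'antivirus_rw';       Description = 'Admin role in the antivirus console' },
    @{ Name = 'freepbx_rw';         Description = 'Admin role in FreePBX' }
)
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope Global -GroupCategory Security `
            -Path $ou -Description $g.Description
    }
}

# Separate accounts whose rights do not overlap:
#   adm-<user>   -> Domain Admins, used only where DA rights are required
#   wsadm-<user> -> Workstation Admins, used only for local admin work on PCs
#   <user>       -> everyday work plus application roles such as antivirus_rw
$adminAccounts = @(
    @{ Sam = "adm-$employee";   Group = 'Domain Admins' },
    @{ Sam = "wsadm-$employee"; Group = 'Workstation Admins' }
)
foreach ($a in $adminAccounts) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($a.Sam)'")) {
        $pw = Read-Host -AsSecureString "Initial password for $($a.Sam)"
        New-ADUser -Name $a.Sam -SamAccountName $a.Sam `
            -UserPrincipalName "$($a.Sam)@$domain" -Path $ou `
            -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
    }
    Add-ADGroupMember -Identity $a.Group -Members $a.Sam
}

# Application admin roles go to the everyday account, not to either admin account.
Add-ADGroupMember -Identity 'antivirus_rw' -Members $employee
Add-ADGroupMember -Identity 'freepbx_rw'   -Members $employee

# --- Part 2: on each workstation ------------------------------------------
$wsAdmins = 'CORP\Workstation Admins'
$daGroup  = 'CORP\Domain Admins'

# Workstation Admins become local administrators on this PC.
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $wsAdmins -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $wsAdmins
}

# Resolve SIDs: secedit wants "*S-1-5-..." entries in the INF.
function Get-Sid([string]$account) {
    (New-Object System.Security.Principal.NTAccount($account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
$wsSid = Get-Sid $wsAdmins
$daSid = Get-Sid $daGroup

# Deny Workstation Admins network logon (no lateral movement with that account)
# and deny Domain Admins interactive logon here (DA credentials never land on a PC).
# Note: secedit REPLACES each listed right, so include every SID that should be denied.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *$wsSid
SeDenyInteractiveLogonRight = *$daSid
SeDenyRemoteInteractiveLogonRight = *$daSid
"@
$infPath = Join-Path $env:TEMP 'tier-logon.inf'
$dbPath  = Join-Path $env:TEMP 'tier-logon.sdb'
$inf | Out-File -FilePath $infPath -Encoding Unicode
secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet

# Verify: export the effective policy and show the two deny rights.
secedit /export /cfg "$env:TEMP\effective.inf" /areas USER_RIGHTS /quiet
Select-String -Path "$env:TEMP\effective.inf" -Pattern 'SeDeny(Network|Interactive|RemoteInteractive)LogonRight'
```

The everyday account ends up with the application roles only; the wsadm- account can administer PCs locally but cannot reach any other PC over the network; the adm- account cannot log on to a workstation at all, which is what "rights do not overlap" looks like in practice. Service-to-service links (1C to SQL) are deliberately absent here: per the last answer, those get their own accounts configured according to each product's own guidance.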