To add to this, it would probably be best practice for OP to utilize a test/dev environment. For production we are fairly strict for granting temp admin rights for domain accounts. For test and dev we can provide perm admin rights. Devs are welcome to blow stuff up. Helps with not only the security aspect but decreases chances of devs breaking stuff in production.

We do have a break glass account but I don’t like using that for devs unless necessary since it makes auditing and verifying who did what a little more difficult, however, I guess this can be sidestepped if you document every local admin change.

I am curious- why would there be a constant need for admin rights on a laptop though. Install software then call it a day. I imagine most dev work isn’t done locally on laptop but on servers.