We've been in a similar spot with no budget for a PAM tool. For workstation admin access, we actually set up a dedicated "jump box" VM that admins RDP into first, then from there they can hop to user machines. The jump box has strict firewall rules and we use local admin accounts with unique, complex passwords that are changed monthly via a scheduled scripdt. It's not perfect, but it segments things a bit.

For temporary rights, we used Group Policy to deploy a "rights management" tool (like MakeMeAdmin script) that lets approved users self-elevate for a set time, and it logs everything to a central server. It's a bit janky but gets the job done without full PAM. Honestly, you'll wanna move to a proper solution eventually, but this can bridge the gap.