Assigning appropriate permissions for performing a certain task always depends on the need. Most organizations implement these changes when required, rather than designing them during domain creation. As an AD engineer, you should always understand the Forest Structure, the number of Domains and the operating systems on which the Domain Controllers are configured.
Most requirements come after setting up the domain, like providing certain access to users / groups / OUs etc. One of the common configurations I have seen is Desktop Administrators configured as Domain Administrators, which is NOT a recommended practice. This small step creates major problems when desktop administrators try to manipulate data.
Make sure you do not change the “Deny logon locally” and Remote Desktop Users default behavior on Domain Controllers; changing it would allow desktop administrators to take control of a DC.
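One way to check for this drift, as an added example that is not part of the original post: the script parses the [Privilege Rights] section of a `secedit /export /cfg` file taken from a Domain Controller and reports whether a desktop administrators group can log on locally or over Remote Desktop. The "Desktop Admins" SID and both INF samples are constructed, and the caller is assumed to supply the group's own SID plus the SIDs of the groups it is nested in.

```python
# Constructed sample data: [Privilege Rights] excerpts in `secedit /export /cfg` format.
# The S-1-5-21-...-1105 SID is a hypothetical "Desktop Admins" domain group.
DESKTOP_ADMINS = "S-1-5-21-1111-2222-3333-1105"
REMOTE_DESKTOP_USERS = "S-1-5-32-555"  # well-known SID of the built-in Remote Desktop Users group

DRIFTED_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111-2222-3333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
"""
CLEAN_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105
"""

# Logon type -> (allow right, deny right). A deny entry overrides an allow entry.
LOGON_RIGHTS = {
    "local": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "rdp": ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),
}

def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs/account names} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit writes SIDs with a leading '*'; strip it for comparison.
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def dc_logon_exposure(rights, principal_sids):
    """For each logon type, True if any of the principal's SIDs is allowed and none is denied."""
    sids = set(principal_sids)
    exposure = {}
    for kind, (allow, deny) in LOGON_RIGHTS.items():
        allowed = sids & rights.get(allow, set())
        denied = sids & rights.get(deny, set())
        exposure[kind] = bool(allowed) and not denied
    return exposure

if __name__ == "__main__":
    token = {DESKTOP_ADMINS, REMOTE_DESKTOP_USERS}  # assumed: group nested in Remote Desktop Users
    for label, inf in (("drifted", DRIFTED_INF), ("clean", CLEAN_INF)):
        print(label, dc_logon_exposure(parse_privilege_rights(inf), token))
```
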