I think "granular permissions" are a great theoretical solution, but don't always exist. I can't count how many times I've had to give a user admin access because the developers of one program or another wouldn't say what specific access was needed; they'd just say "they must be an administrator" . . . . . . .
I think when it comes down to it, full admin access does sometimes have to be given, but it should be monitored closely. Don't be surprised when you go to that computer and see the firewall disabled, a torrenting program installed, etc.
Regarding passwords, I think that's a little easier so long as you can convince management. There is no reason someone should ever share their password with anyone ever. If the person isn't around, then reset their password and give it to their manager in a sealed envelope or something.