We have created a global role with entitlements and members as well. Some of the role entitlements are AD groups. The role members are usually system administrators who have both a normal and an admin account in AD. When the role changes were applied, a new CR was started. In the CR, both the normal and the admin accounts were added to every group (see picture below).
I would like to achieve that only the normal accounts are added to the AD groups. In other cases the requestor is asked to choose between accounts if a user has multiple. That would be the expected behavior in this case as well. Is there any best practice for this use case?
So far everyone I've seen uses either options 1 or 2. I agree with you that option 3 is the ideal scenario, but is not really possible in reality.
You should be able to easily build an Account changes approval workflow which auto-rejects Role-related account changes for admin accounts. Perhaps call it from an initial sub-process node in the Roles Request workflow? You only need to be careful that hardcoding something like this in your workflow will make it impossible to perform these actions even if you really intend to (if you really do want to add/remove authorizations to/from admin accounts using Roles).
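One way to express the approval rule from this reply, as an added example that is not from the original thread and not the product's own workflow code: a role assignment is expanded into one account change per account per AD group (the CR the question describes), each change passes through an approval step that auto-rejects role-derived changes to admin accounts and lets manual requests fall through to the normal "pick an account" flow, and an explicit per-role allow-list keeps the caveat above from becoming a hard block. The account names, the `adm-` prefix, the `account_type` attribute, the role and group names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample data (assumption): each role member owns a normal and an admin
# AD account, and the identity system exposes an account_type attribute on each.


@dataclass(frozen=True)
class Account:
    owner: str             # identity the account belongs to
    sam_account_name: str
    account_type: str      # "normal" or "admin"


@dataclass(frozen=True)
class AccountChange:
    account: Account
    ad_group: str
    origin: str            # "role" when produced by a role assignment, "manual" otherwise
    role_name: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    change: AccountChange
    approved: bool
    reason: str


SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", "alice", "normal"),
    Account("alice", "adm-alice", "admin"),
    Account("bob", "bob", "normal"),
    Account("bob", "adm-bob", "admin"),
]

# Hypothetical role -> AD group entitlements.
SAMPLE_ROLE_GROUPS: Dict[str, List[str]] = {
    "Server-Operators": ["AD-ServerOps", "AD-MonitoringReaders"],
}


def expand_role(role_name: str, members: List[str],
                accounts: List[Account] = SAMPLE_ACCOUNTS,
                role_groups: Dict[str, List[str]] = SAMPLE_ROLE_GROUPS) -> List[AccountChange]:
    """Model the CR from the question: every account of every member lands in every group."""
    return [
        AccountChange(acct, group, "role", role_name)
        for acct in accounts
        if acct.owner in members
        for group in role_groups[role_name]
    ]


def evaluate(change: AccountChange,
             roles_allowing_admin: FrozenSet[str] = frozenset()) -> Decision:
    """Approval step for a single account change.

    Role-derived changes that target an admin account are rejected unless the role is
    explicitly listed in roles_allowing_admin (the escape hatch for the caveat in the
    reply: a hard-coded reject would otherwise block intended admin changes).
    Manual changes pass through, so the requestor still picks the account as usual.
    """
    if change.origin != "role":
        return Decision(change, True, "manual request: requestor selects the account")
    if change.account.account_type == "admin":
        if change.role_name in roles_allowing_admin:
            return Decision(change, True,
                            f"role {change.role_name} explicitly permits admin accounts")
        return Decision(change, False,
                        "auto-rejected: role-derived change targets an admin account")
    return Decision(change, True, "role-derived change to normal account")


def evaluate_all(changes: List[AccountChange],
                 roles_allowing_admin: FrozenSet[str] = frozenset()) -> Dict[bool, List[Decision]]:
    """Run the approval step over a whole CR and bucket decisions by outcome."""
    out: Dict[bool, List[Decision]] = {True: [], False: []}
    for change in changes:
        decision = evaluate(change, roles_allowing_admin)
        out[decision.approved].append(decision)
    return out


if __name__ == "__main__":
    cr = expand_role("Server-Operators", ["alice", "bob"])
    result = evaluate_all(cr)
    for d in result[False]:
        print(f"REJECT  {d.change.account.sam_account_name} -> {d.change.ad_group}: {d.reason}")
    for d in result[True]:
        print(f"APPROVE {d.change.account.sam_account_name} -> {d.change.ad_group}")
```

With the sample data the CR expands to eight changes; the four that target `adm-*` accounts are rejected and the four normal-account changes go through. Passing `frozenset({"Server-Operators"})` as the allow-list approves all eight, which is the controlled way to keep the door open for roles that really are meant to manage admin accounts.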