We have a group (separate from IT) that sets up all CAD images, updates, etc., which are then pushed to each office's server. Once there, IT remotes into each CAD machine at that office, and installs the image from our home server.
Deployment customization is completely left to a select few in each region, for each discipline. We're responsible for all regional updates, changes to client standards, enterprise updates, etc.
In order to safeguard users' customizations (at least here in my region), we build into our deployments a support structure on the user's personal network space, which included a 'custom' CUI(x) which allows for IT to install any updates, without impacting much (if any) of the user's setup, nor our 'enterprise' support structure which is stored in a read-only location on the network (except for laptop users like myself).
For laptop users, IT still manages all core updates (from Autodesk, etc.), and I push the enterprise files to the local disk, and my customizations (also on local disk) are pushed to my personal network space. All network files are backed up nightly.
There's more to it than that, but this should be a good summary.
HTH