
Question about generic accounts

isaacr25 asked:
I have a theoretical question concerning best practice for usage of generic accounts (regardless of whether it's network accounts, application accounts, etc.).

We're trying to limit the number of generic accounts that are being created and used. But we're trying to find the right balance also. So, should we try to "re-use" the same generic account for as many reasonable purposes as possible?

In other words, should we try to use the same generic account for different functions within the same application (assuming of course that the permissions are appropriate, etc.)?

Thanks in advance.

CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
I have never created 'generic' accounts of any kind and am curious about the reasoning behind it.

In any situation you need to know exactly who accessed a system and when they did it.

With generic accounts you lose that accountability - and possibly the ability to troubleshoot any number of problems that might develop.

"Best Practice" is to not have any.

Author

Commented:
I understand that it's best practice, but as of right now not having any generic accounts is not feasible. Maybe I should clarify a bit... My original question also pertains to accounts like testing accounts and service accounts for different applications etc.

CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006
Commented:
OK - now I have a better understanding.
In our "Admin" group of users, we used to create specific accounts such as "exchADMIN" (MS Exchange), "epoADMIN" (McAfee ePO), etc. Each of those accounts had the express permissions described by the application they were managing.

If that is what you're talking about, then I would suggest having one for each function that is necessary.

The actual "Domain Administrator" account was never used (extremely complex password locked in a safe) and all members of the Admin Group had separate accounts for doing their Admin work.

In most things I go for "simple is better", but for SysAdmin work I always went for granularity - as it was the only way to track down who had done what...and when.
