We have an internal application, only accessible via our private network, that from time to time the local police authority requires access to for safeguarding issues/investigations etc., which they are entitled to access. Due to the size of the police force and the number of officers who could request access, setting them up with an AD account each isn't really practical. Also, requests for access can be urgent, and the SLA with our helpdesk requires a minimum of 48 hours for a new AD account, so that isn't always going to be practical either. The workaround was to create a generic AD account for them and disable it when not in use.
From a security/auditing perspective, our plan was to keep a separate audit log of when the generic AD account logged in, which police officer used it, times of login/logout, and the records they requested access to. Can you think of anything else from an AD perspective we would need to do to ensure the login is restricted to only allow them to access this application? Or anything else you would add to the audit logs/process? Obviously the AD account would need to be very limited; is there anything in particular you'd suggest around the account itself from a security best-practice standpoint?
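The workflow the question describes (shared account, disabled by default, enabled per request with a separate audit trail) can be made largely self-enforcing with the ActiveDirectory module. The script below is an added example, not code from the original poster or their organisation: the account name `svc-police-app`, the app server `APPSRV01`, the domain controller `DC01` and the CSV path are all assumed. It scopes the account to one host with the "Log On To" restriction, resets the password to a random one-use value on every enable and disable, lets AD expire the window automatically, records who has the account in the `info` attribute, and pulls the matching Security-log events so the CSV can be reconciled against what Windows actually saw.

```powershell
# Added example (not from the original post). Assumed names:
#   $Account  - the shared AD account the post describes
#   $AppHost  - the single server the application is reached from
#   $AuditLog - the separate audit log the post plans to keep
Import-Module ActiveDirectory

$Account  = 'svc-police-app'               # assumed sAMAccountName
$AppHost  = 'APPSRV01'                     # assumed NetBIOS name of the app server
$AuditLog = 'C:\Audit\police-access.csv'   # assumed path

# One-off hardening: the account may only log on at the app host, cannot change its
# own password (we reset it per use), and stays disabled until a request is approved.
function Initialize-SharedAccount {
    Set-ADUser -Identity $Account `
        -LogonWorkstations $AppHost `
        -PasswordNeverExpires $false `
        -CannotChangePassword $true `
        -Description 'Shared police investigation account - enable only via Enable-PoliceAccess'
    Disable-ADAccount -Identity $Account
}

function New-RandomPassword {
    # 24 bytes from the CSPRNG, base64-encoded; a one-use secret, never logged
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function Write-AccessAudit {
    param([string] $Action, [string] $Officer, [string] $Reference, [string] $ApprovedBy, [string] $ExpiresAt)
    [pscustomobject]@{
        Timestamp  = (Get-Date).ToString('o')
        Action     = $Action
        Officer    = $Officer
        Reference  = $Reference
        ApprovedBy = $ApprovedBy
        ExpiresAt  = $ExpiresAt
        Operator   = $env:USERNAME      # the admin who ran this, for the audit trail
    } | Export-Csv -Path $AuditLog -Append -NoTypeInformation
}

# Enable the account for one named officer for a bounded window. The plaintext
# password is returned for handover to the officer and is never written to the log.
function Enable-PoliceAccess {
    param(
        [Parameter(Mandatory)] [string] $Officer,     # name / collar number of the requesting officer
        [Parameter(Mandatory)] [string] $Reference,   # their case or request reference
        [Parameter(Mandatory)] [string] $ApprovedBy,  # who on your side approved the request
        [int] $Hours = 8
    )
    $password = New-RandomPassword
    $expires  = (Get-Date).AddHours($Hours)

    Set-ADAccountPassword -Identity $Account -Reset `
        -NewPassword (ConvertTo-SecureString $password -AsPlainText -Force)
    # AD closes the window itself even if nobody remembers to disable the account
    Set-ADAccountExpiration -Identity $Account -DateTime $expires
    # Keep the current holder in AD as well, so the DC-side change event carries it
    Set-ADUser -Identity $Account -Replace @{ info = "In use by $Officer ($Reference) until $expires" }
    Enable-ADAccount -Identity $Account

    Write-AccessAudit -Action 'enabled' -Officer $Officer -Reference $Reference `
        -ApprovedBy $ApprovedBy -ExpiresAt $expires.ToString('o')
    return $password
}

function Disable-PoliceAccess {
    param([Parameter(Mandatory)] [string] $Reference)
    Disable-ADAccount -Identity $Account
    # Burn the password so the officer's copy is useless even if the account is re-enabled by mistake
    Set-ADAccountPassword -Identity $Account -Reset `
        -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
    Set-ADUser -Identity $Account -Clear info
    Write-AccessAudit -Action 'disabled' -Officer '' -Reference $Reference -ApprovedBy '' -ExpiresAt ''
}

# Windows-side evidence for reconciliation against the CSV: logon/logoff on the app host
# (4624/4634/4647) and enable/password-reset/disable/change on the DC (4722/4724/4725/4738).
function Get-PoliceAccessEvents {
    param([datetime] $Since, [string] $DomainController = 'DC01')   # assumed DC name
    $hostEvents = Get-WinEvent -ComputerName $AppHost -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $Since }
    $dcEvents   = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4722, 4724, 4725, 4738; StartTime = $Since }
    @($hostEvents) + @($dcEvents) |
        Where-Object { $_.Message -match "Account Name:\s+$Account" } |
        Select-Object TimeCreated, Id, MachineName, Message |
        Sort-Object TimeCreated
}
```

Two caveats worth keeping in mind with this approach. The "Log On To" restriction is a name check performed by the domain controller, not a network control, so it should be paired with a Group Policy "Deny log on locally / through Remote Desktop Services" for the account on every other host, plus whatever authorisation the application itself enforces. And because the account is shared, the 4624 events only ever name the generic account (with the source address), so the CSV mapping of officer to window, and the application's own record-access log, are the only things that tie an action back to a person; keep both.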