Shared accounts employ a single credential to authenticate multiple users. While this largely goes against IT security best practices, smaller organizations may still make use of shared admin passwords/accounts.
Shared admin accounts decrease management overhead by reducing the privileged-access footprint within your IT estate. However, they come with risks that need to be carefully managed.
Since they are shared among many people across teams and departments, they need constant monitoring to ensure that access is restricted to the right people, for the right reasons, at any given time. Any lapse here can lead to unauthorized access and open up weaknesses for attackers to exploit.
Producing a clean audit trail is a challenge, as the logs will only show the shared username. There is no direct way to tie each action to an individual, which undermines accountability.
Shared accounts must be managed like any other highly privileged account, and must be used in combination with Unified PAM.
Just like any other privileged account, shared admin accounts need robust, automated password management enforced on them. PAM's continuous monitoring and control features, together with its audit logs, help you stay on top of all privileged activity performed through a shared admin account.
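As an added example (not code from the original page or from any PAM product), this shows the audit-trail problem described above and one way PAM audit logs resolve it: host logins only name the shared account, so each login is matched to the PAM checkout window that explains it, and any login with no matching checkout is flagged as unmanaged use. The log format, checkout record layout, account name, hosts and addresses are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample data, not taken from the original page.
# PAM checkout records: which named person held the shared account, and when.
PAM_CHECKOUTS = [
    {"account": "svc-admin", "user": "alice", "ticket": "CHG-1001",
     "start": "2024-03-01T09:00:00", "end": "2024-03-01T10:00:00"},
    {"account": "svc-admin", "user": "bob", "ticket": "CHG-1002",
     "start": "2024-03-01T13:00:00", "end": "2024-03-01T13:30:00"},
]

# Host auth log (constructed, sshd-style). Only the shared username appears.
AUTH_LOG = """\
2024-03-01T09:12:41 host01 sshd: Accepted publickey for svc-admin from 10.0.0.5
2024-03-01T13:05:10 host02 sshd: Accepted password for svc-admin from 10.0.0.9
2024-03-01T18:47:03 host01 sshd: Accepted password for svc-admin from 10.0.0.77
"""

LOG_RE = re.compile(r"^(\S+) (\S+) sshd: Accepted \S+ for (\S+) from (\S+)$")


def parse_auth_log(text):
    """Parse sshd 'Accepted' lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, host, account, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "account": account, "src": src})
    return events


def attribute_logins(events, checkouts):
    """Attach the PAM checkout (person + ticket) whose window covers each login.

    A login outside every checkout window gets user=None: the shared credential
    was used without going through PAM, which is the case to alert on.
    """
    result = []
    for ev in events:
        match = None
        for co in checkouts:
            if (co["account"] == ev["account"]
                    and datetime.fromisoformat(co["start"]) <= ev["ts"]
                    <= datetime.fromisoformat(co["end"])):
                match = co
                break
        result.append({**ev, "user": match["user"] if match else None,
                       "ticket": match["ticket"] if match else None})
    return result


def unmanaged_logins(events, checkouts):
    """Return the logins that no PAM checkout explains."""
    return [e for e in attribute_logins(events, checkouts) if e["user"] is None]
```

Run `unmanaged_logins(parse_auth_log(AUTH_LOG), PAM_CHECKOUTS)` to see the 18:47 login from 10.0.0.77 returned as the one use of the shared account that nobody checked out.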
The domain admin account is considered the most privileged account in the domain. It gives the holder of the DA (Domain Admin) account access to any IT resource across the domain and carries the broadest permissions and controls over the domain, Active Directory or otherwise.
Sharing domain admin accounts should be done with extreme caution and strong access controls, with access granted only when needed.
Some best practices to secure domain admin accounts are:
Another approach is to use a tiered admin model: