Keep generic accounts from console
Our company is mandated by the Healthcare Insurance Portability and Accountability Act. Each domain account has to be held accountable.
What are some suggestions on how to extend accountability to a "service account"? When I say "service account" I mean a generic domain account with a password used by an application. We have implemented Active Directory and utilize group policy.
We are running into several issues with applications that require a generic local admin account with logon local rights. It wouldn't be as major an issue if we could control the account from logging into the console locally. At least, via restricted groups, we could pinpoint the users that can log on locally to the server to install the application utilizing this account. The user could log on locally to the console and begin the installation and insert the account where prompted.
One solution proposed is this: If the app breaks at 3:00am, the user with local admin rights could install the app and use their account for the service account until someone with the secure password could be available to type it in. Then the user name could be replaced with the service account name and password. That seems a nuisance for all parties. Is that my only option?