...

All users who have elevated access to a system or service will have a secondary account used solely for tasks that require greater administrative access. These accounts will be created and maintained in the OU Admin in Active Directory and can only be acted on by Domain Admins. In 389, these accounts are stored in the OU People Special and access is restricted to System Admins.

...

Service accounts are accounts designated for use by a particular service or application and have elevated privileges. A service account will be created for each function of a particular service or application, and should only be used for that purpose. The account should abide by the principle of least privilege as described by NIST. These accounts will be created and maintained in the OU Admin in Active Directory and can only be acted on by Domain Admins. In 389, these accounts are to be stored in the OU PeopleSpecial and can only be acted on by System Administrators.

Service accounts will be created in accordance with the naming conventions established in the Privileged Access Standard.

...