...
If available, the account and password should be stored in the University Controlled Password Manager. (Should we put specific password requirements on these accounts?)
(Can a user have two admin accounts? For example, when a user moves departments, a new a_ account would help to remove questions about what access lingers from the old job.)
...
Service accounts are accounts that are designated for use by a particular service or application and have elevated privileges. A service account will be created for each function of a particular service or application and should only be used for that purpose. The account should abide by the principle of least privilege as described by NIST. These accounts will be created and maintained in the OU Admin in Active Directory and can only be acted on by Domain Admins. In 389, these accounts are to be stored in the OU People or OU Special and can only be acted on by System Administrators.
...
Event access accounts will not be granted administrative privileges to any system and should not be used to authenticate services or applications to Active Directory or LDAP 389.