Best Practices for Privileged Account Creation


Is any of the below approaches better and more secure than the other for RDP sessions?

1) Configuring a personal privileged account for each administrator (ex: tom-admin), and adding the account to the assets local admin group. Then configuring a policy in Safeguard allowing the administrator to login using his normal account (ex: tom) to request the privileged session configured with his personal admin account.

2) Configuring a common admin account (ex: pam-admin) and administrators should login to PAM using their admin accounts (ex: tom-admin,  john-admin..) and requesting the privileged session configured with the common admin account on the asset?

In both cases MFA is configured and the account password is changed after check-in.


  • Hello,

    Both options are valid but it would be dependent on other settings such as "Allow simultaneous access" for example. If simultaneous access by different users is required and if individual accountability is also required then it may makes more sense to go with option #1 by having each admin use their own managed privileged admin account rather than a shared admin account. However, if simultaneous access is not required (each user will have access at a time) then option #2 would work as well as only one user can have access to the shared admin account at one point in time.