Recommended Strategy for Managed Accounts

1. Local Device Accounts

• Built-in Accounts (Root/Administrator/SYS, etc.)
  • Disable directly
  • Once onboarded to RankEZ, only Infra or Security teams can use it, and usage requires approval
• Standard Local Accounts
  • sa_user / db_user: Onboarded to RankEZ, usage requires approval
• Emergency Local Accounts
  • sa_emgcy / db_emgcy: Onboarded to RankEZ, no approval required, for emergency use; email notifications are sent when used
• Backup / Escape Accounts
  • sa_bak / db_bak: Used to reset passwords of other accounts; not directly accessible by users
  • Passwords are rotated periodically and split between A and B
  • Domain-joined machines: Create sa_bak / db_bak in the domain and add them to local admin group
  • Standalone machines: Create high-privilege sa_bak / db_bak locally, and deploy PTA and EPM on critical servers

2. Domain Accounts (Optional)

• Standard Domain Accounts
  • sa_domainuser: Onboarded to RankEZ, usage requires approval
  • sa_domainemgcy: Onboarded to RankEZ, no approval required, for emergency use; email notifications are sent when used
• Domain Backup / Escape Accounts
  • sa_domainBak: High-privilege account used only to reset other standard domain accounts; not directly accessible by users
  • Passwords rotated periodically and split between A and B
  • DC administrator accounts are not recommended to be onboarded to RankEZ; should be reserved as domain escape accounts

The above is only a recommended approach; the specific account model and configuration should be confirmed by engineers and the customer during deployment.