Seven Types of Privileged Accounts That Require Strong Security


In our last post, we explained the difference between privileged identity management (PIM) and privileged access management (PAM). PIM involves the identification of administrative accounts, which already exist on systems, and the association of individual users with those accounts. PAM secures privileged credentials and ensures they are used in accordance with established policy. We also defined the term “privileged,” which means that the holder of the credentials (human or machine) has the ability to take administrator-level action on a system.

Clango’s team of consultants and engineers can help identify gaps in your PIM policies and processes and prioritize your threat mitigation activities. When you’re ready to implement PAM, we can help you deploy CyberArk’s Core Privileged Access Security solution, including the Enterprise Password Vault, Privileged Session Manager, and Privileged Threat Analytics. We can also help you take advantage of Application Identity Manager to eliminate embedded credentials in software.

To lay the groundwork, let’s define the seven types of privileged accounts that are present in most environments:

  1. Domain administrator accounts give administrators virtually unfettered access to all resources on a network — domain controllers, servers, and workstations. This is the holy grail for hackers and therefore requires the highest levels of security.
  2. Emergency access accounts prevent administrators from being totally locked out of a system. These highly privileged accounts are not assigned to specific individuals and are only meant to be used when absolutely necessary.
  3. System accounts are created by operating systems when they are installed and allow a user to add users, change permissions, install software, and more. The “root” account in Unix or Linux is an example of a system account.
  4. Service accounts are used by applications and services, rather than human administrators, to run various processes and scheduled tasks. You can establish controls over the resources a service account is allowed to access.
  5. Application accounts enable applications to run cron jobs or scripts and to access databases and other applications. The credentials for application accounts are often embedded in the software in plain text.
  6. Local administrator accounts give administrator-level access to a local machine. They are used by IT staff to set up new workstations and perform maintenance. Individual users may also be given administrator privileges on their workstations.
  7. Privileged user accounts are any other type of account that gives a user privileges greater than a standard account.

Few organizations are aware of all the privileged accounts across their environment, so a critical first step in developing a PIM strategy is to identify them. A great way to do that is to run a CyberArk Discovery & Audit (DNA) scan. CyberArk DNA locates privileged credentials and provides executive and technical reports on potential risks.

The organizations we work with are often surprised at the number and variety of privileged accounts in their on-premises, DevOps, and cloud environments. Don’t be caught off guard. Let us help you secure these accounts and reduce the risk of a potentially devastating security breach.


For more information about PIM and CyberArk Discovery & Audit (DNA), please send us an email at (

Comments Closed.