Administrator accounts have tremendous power. Beyond server and domain administrators, we must consider service accounts, workstation local administrators, and network appliance administrator accounts. It is critical to keep a full, accurate, and current inventory of these accounts and of who has access to them, and to confirm that they match the roles enabled. Auditing and logging are essential. Avoiding generic administrator accounts is crucial. Implementing control over administrator accounts requires management support, yet it can create a political firestorm. Use groups to assign privileges and audit these delegations regularly. Engage change management before making elevated account changes. Used incorrectly or maliciously, administrator accounts can have catastrophic consequences.