Hi,
We have a service account created that is given administration rights in CRM. The password for this service id is stored in CyberArc password vault.(http://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/)
When an administrator has to use this account (User management is done by the help desk - with a copied system administrator role into a new role and their account has only administrative license), the is an approval cycle needed before the temporary password
is checked out of cyber arc, this password expires after a predetermined time. This account is our fail safe against deactivating all system administrators or when the user with system administrator is not available at a point of time.
We also have enabled auditing on system user.so any BU/team/security role change is audited.
Best practice for any password is to set expire after 90 days and enforce policies for complexity and to prevent recycling of passwords.
HTH,
Jithesh.K