So… I was at a customer working on various IT-related items, as that is what I do. One of my tasks was to set up a backup job for a PC accounting application that was previously set up for testing data import. They now wanted to perform live import/export and wanted to make sure they had a backup before they started. I noticed the last user to log in to the PC was the administrator. Not unusual, as they may have needed other applications installed since I originally set up the PC. So I asked one of the people in the accounting department what username and password they use to log on to the PC. I heard a clerk yell the domain admin password over the cubicle. The first words to come to mind were “you’ve got to be kidding!” Yes, it is true. One of the “admins” had given not only the accounting department, but MANY other users the domain admin password. I immediately went to the IT department and informed them of this issue. They seemed unconcerned until I explained to them that anyone using that username and password has FULL unrestricted access to ALL servers, payroll, HR, etc. They still were not as concerned as I was.
Needless to say, I immediately changed the password.