Justifying generic accounts will be an issue in any audit. Before you walk into the room, have a list of all the “principals”, that is, the users and groups that hold permissions. You will be expected to explain each one, and you will typically be asked to search the logon events to see whether it has been used.
Some of the questions that will be asked:
- What is the process for account creation and deletion?
- Is the password changed regularly, or after each use?
- Where is the password stored, and is there a record of when it has been used?
- If you are claiming it is a service account, do you have documentation to justify that?
Before the audit, run the scripts in the previous post, “vCenter user roles, and assigned permissions”, and start reducing your accounts; create a documented change ticket for each permission removal or account deletion. These accounts could still show up in the logon events, so be ready to explain them and provide the ticket number.
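As an added example (not the scripts from the earlier post), the PowerCLI script below builds the list the auditor will ask for: every principal holding a vCenter permission, the roles and objects it holds them on, and its logon count and last logon in the lookback window. It assumes VMware PowerCLI is installed, that the account running it can read permissions and events, and uses a placeholder vCenter name.

```powershell
# Added example, not the earlier post's scripts. Lists every principal with a
# vCenter permission and joins it to recent UserLoginSessionEvent entries.
# Assumes VMware PowerCLI is installed and the running account can read
# permissions and events; the server name below is a placeholder.
param([string]$Server = 'vcenter.example.invalid', [int]$LookbackDays = 90)
Connect-VIServer -Server $Server | Out-Null
# One row per principal, collapsing its individual permission entries.
$principals = Get-VIPermission | Group-Object -Property Principal | ForEach-Object {
    [PSCustomObject]@{
        Principal = $_.Name
        IsGroup   = [bool]($_.Group | Select-Object -First 1).IsGroup
        Roles     = ($_.Group.Role | Sort-Object -Unique) -join ', '
        Entities  = ($_.Group.Entity.Name | Sort-Object -Unique) -join ', '
    }
}
# Count logon sessions per user name (case-insensitive) and keep the latest.
# Members of a group log on under their own names, so a group principal will
# show zero sessions here and needs a separate membership lookup.
$logons = @{}
$start  = (Get-Date).AddDays(-$LookbackDays)
foreach ($e in Get-VIEvent -Start $start -MaxSamples ([int]::MaxValue)) {
    if ($e.GetType().Name -ne 'UserLoginSessionEvent') { continue }
    $key = $e.UserName.ToLowerInvariant()
    if (-not $logons.ContainsKey($key)) { $logons[$key] = [PSCustomObject]@{ Sessions = 0; Last = $null } }
    $logons[$key].Sessions++
    if ($null -eq $logons[$key].Last -or $e.CreatedTime -gt $logons[$key].Last) {
        $logons[$key].Last = $e.CreatedTime
    }
}
# Join the two: principals with no logons in the window are the ones to justify first.
$report = foreach ($p in $principals) {
    $hit = $logons[$p.Principal.ToLowerInvariant()]
    [PSCustomObject]@{
        Principal  = $p.Principal
        IsGroup    = $p.IsGroup
        Roles      = $p.Roles
        Entities   = $p.Entities
        LogonCount = if ($hit) { $hit.Sessions } else { 0 }
        LastLogon  = if ($hit) { $hit.Last } else { $null }
    }
}
$report | Sort-Object LogonCount, Principal | Format-Table -AutoSize
$report | Export-Csv -Path '.\vcenter-principals.csv' -NoTypeInformation
Disconnect-VIServer -Server $Server -Confirm:$false
```

Pulling every event for a 90-day window can take a while on a busy vCenter; the exported CSV is what you hand over, together with the ticket numbers for anything you removed.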