No LEA employee should be logging in daily with an account that is a local admin, domain admin, or has privileged access (for example: Domain Admin, Power User, etc).
Instead, LEA’s should create multiple accounts for employees that need elevated access. All employees should have a regular/base account with no admin rights for day-to-day work and a privileged account that is used only for administrative tasks.
On each workstation, change the default Administrator account name to a unique name. Although intruders can use certain utilities to identify renamed Administrator accounts, most security strategies still instruct you to change the accounts' default names. Some system administrators create dummy Administrator accounts with greatly limited access powers, then audit the accounts for activity.
Local Administrator Password Solution (LAPS) is becoming a popular tool to handle the local admin password on all computers.
LAPS is a Microsoft tool that provides management of local account passwords of domain-joined computers. It will set a unique password for every local administrator account and store it in Active Directory for easy access.
Change administrator account names on all network-attached devices that allow it
Use a unique password on each account. Then, if an intruder discovers a password, only one account will be compromised.
Use strong passwords that dictionary attacks can't defeat.
Password phrases are highly recommended.
Change passwords frequently if they are short passphrases do not need to be changed as often.
Carefully document new passwords. Nothing is more frustrating than having to break into your own server when its NIC fails, and the administrator account password you have on record doesn't work.
It is not recommended to use Chrome to store passwords
Be sure to verify that the password change operation was successful