Out-of-the-box system administrator account best practices

Patrick Tipps · ‎05-30-2025

Hi all,

I'm seeking information regarding the system administrator user record that's created by default when setting up an instance. I want to confirm some information in case I am wrong.

My manager wants to know:

1. What's the password complexity settings for the system administrator account?

My answer: resetting the system administrator account (for a production instance) is done via Now Support. It's not handled locally like other local accounts. He's mostly worried about security around local accounts.

2. Can we lock out the system administrator account and give the ability to enable the account to a specific group?

My answer: no. Many processes rely on the system administrator account and if it's locked out it may cause some processes to fail. The only way that someone could reactivate the system administrator account is by using Now Support, so that's not possible as well.

3. Can we delete x amount of inactive user records?

My answer: It's against best practices to delete user accounts because of referential data. It will be difficult to audit history data if information is missing.

I'm sure I have more questions but this is a good start. Please let me know if I mistaken about anything.

Dr Atul G- LNG · ‎05-31-2025

Hii @Patrick Tipps

My manager wants to know:

1. What's the password complexity settings for the system administrator account?

My answer: resetting the system administrator account (for a production instance) is done via Now Support. It's not handled locally like other local accounts. He's mostly worried about security around local accounts.

Atul: For the local account, you can build a strong password policy with a minimum of 12 characters, including a combination of digits, symbols, etc.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1122424

2. Can we lock out the system administrator account and give the ability to enable the account to a specific group?

My answer: no. Many processes rely on the system administrator account and if it's locked out it may cause some processes to fail. The only way that someone could reactivate the system administrator account is by using Now Support, so that's not possible as well.

Atul: You are correct—the out-of-the-box admin account has some hidden capabilities that even a local user or other admins don’t have. So, I think you’re right.

3. Can we delete x amount of inactive user records?

My answer: It's against best practices to delete user accounts because of referential data. It will be difficult to audit history data if information is missing.

Atul: Deletion is never preferred, especially when dealing with foundational data. User records are foundational data, and if you delete that data, you will lose the links between that user and other records. It’s better to keep the data inactive rather than delete it.

*************************************************************************************************************
If my response proves useful, please indicate its helpfulness by selecting " Accept as Solution" and " Helpful." This action benefits both the community and me.

Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]

****************************************************************************************************************

View solution in original post

Dr Atul G- LNG · ‎05-31-2025

Hii @Patrick Tipps

My manager wants to know:

1. What's the password complexity settings for the system administrator account?

My answer: resetting the system administrator account (for a production instance) is done via Now Support. It's not handled locally like other local accounts. He's mostly worried about security around local accounts.

Atul: For the local account, you can build a strong password policy with a minimum of 12 characters, including a combination of digits, symbols, etc.

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1122424

2. Can we lock out the system administrator account and give the ability to enable the account to a specific group?

My answer: no. Many processes rely on the system administrator account and if it's locked out it may cause some processes to fail. The only way that someone could reactivate the system administrator account is by using Now Support, so that's not possible as well.

Atul: You are correct—the out-of-the-box admin account has some hidden capabilities that even a local user or other admins don’t have. So, I think you’re right.

3. Can we delete x amount of inactive user records?

My answer: It's against best practices to delete user accounts because of referential data. It will be difficult to audit history data if information is missing.

Atul: Deletion is never preferred, especially when dealing with foundational data. User records are foundational data, and if you delete that data, you will lose the links between that user and other records. It’s better to keep the data inactive rather than delete it.

*************************************************************************************************************
If my response proves useful, please indicate its helpfulness by selecting " Accept as Solution" and " Helpful." This action benefits both the community and me.

Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [ Connect for 1-1 Session]

****************************************************************************************************************