DBAs have multiple accounts: Regular accounts are in a security group that has SA rights on the servers in that domain. Each DBA has a service account in each domain. This is the only account that can be used to remotely log into a server.
SQL has a service account in each domain. All sql servers on that domain use the same account. PW is changed every 60 days. Each domain has a different password.
SA logins are different on all servers. The DBAs use sa to log into servers on other domains than their root account.
Passwords are stored in KeePass[/url], with a medium-strength password that by now we have all memorized.
When anyone with a service account leaves, all sql service account passwords are changed. If a DBA leaves, all SA passwords are also changed.
Wayne
Microsoft Certified Master: SQL Server 2008
Author - SQL Server T-SQL Recipes