What is the Mission?

Administration is necessary. In the end, there will always be someone who is allowed to do everything. Looking back on 20 years and more of administration, there are still customers using the one and only Administrator account. Its password is as old as the installation itself, and it is known by so many people that calling it a secret sounds like a good joke.

We need to reduce the permissions and attack surface of a single account/password combination to a minimum.

Level 1:

Administrators start to separate their accounts. They create a personal administrative account for each employee in the team; the built-in „Administrator“ is only used for a few specific actions.
This still produces accounts close to „godmode“: one account that is allowed to do everything, everywhere, but now it can at least be logged who is to blame. The attack surface and the number of ways to get hacked are still huge. If one of these passwords is compromised, lost, published, shared, whatever, you lose your whole system.

Level 2:

Personal administrative accounts are split into separate accounts by action, task or level. There is no longer one master-key password per person; each person now carries some kind of keyring. Whether you create tiers like Clients -> Servers -> Domain Controllers, or define administration by sites, buildings or departments, give it whatever name you like: you still lose one big part of your company if one of these passwords gets lost.

Level 3:

12beAdmin. Reduce your tiers, the scope of administration, to the smallest possible item. With a 1-to-1 relationship of admin account to system, we carry a really big bunch of keys, but if we lose one password, we only lose one system.
We increase security further by limiting the time during which the account is valid and by generating a new password every time the individual account is used. Knowledge of a password is now an attack vector for a short period of time only, and the account behind it is Administrator on a single system only.
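The following is an added example of the Level 3 idea and is not 12beAdmin's own code: it issues a per-person, per-system administrative account in Active Directory with a fresh random password and an expiry a few minutes ahead, and revokes it afterwards. It assumes the RSAT ActiveDirectory module, an OU for these accounts, and that for every system a group "LocalAdmins-<SYSTEM>" already exists and is mapped into that system's local Administrators group (for example by Group Policy); the OU path, the group naming and the account naming are all illustrative.

```powershell
# Added example, not part of 12beAdmin: short-lived, single-system admin accounts.
# Assumptions (all illustrative): RSAT ActiveDirectory module; an OU for the
# accounts; a group "LocalAdmins-<SYSTEM>" per system that Group Policy (or a
# similar mechanism) places into that system's local Administrators group.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG, base64-encoded: 32 characters of mixed
    # letters, digits and symbols. Never derived from a wordlist, never reused.
    param([int]$ByteCount = 24)
    $buffer = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try     { $rng.GetBytes($buffer) }
    finally { $rng.Dispose() }
    return [System.Convert]::ToBase64String($buffer)
}

function Grant-SystemAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]+$')][string]$Person,  # e.g. 'jdoe'
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]+$')][string]$System,  # e.g. 'FILESRV01'
        [ValidateRange(5, 480)][int]$Minutes = 60,                                  # validity window
        [string]$Path = 'OU=JIT-Admins,DC=example,DC=local'                         # assumed OU
    )
    # One account per (person, system) pair: losing it loses exactly one system.
    $sam = ("adm-$Person-$System").ToLower()
    if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' exceeds the 20-character limit" }
    $group   = "LocalAdmins-$System"              # assumed per-system group
    $plain   = New-RandomPassword
    $secure  = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $expires = (Get-Date).AddMinutes($Minutes)

    $existing = Get-ADUser -Filter "SamAccountName -eq '$sam'"
    if (-not $existing) {
        New-ADUser -Name $sam -SamAccountName $sam -Path $Path `
            -AccountPassword $secure -Enabled $true `
            -Description "JIT admin for $Person on $System"
        Add-ADGroupMember -Identity $group -Members $sam
    } else {
        # Every use of the account starts with a fresh password.
        Set-ADAccountPassword -Identity $sam -NewPassword $secure -Reset
        Enable-ADAccount -Identity $sam
    }
    # AD enforces the end of the window even if nobody calls Revoke-SystemAdmin.
    Set-ADAccountExpiration -Identity $sam -DateTime $expires

    return [pscustomobject]@{
        Account    = $sam
        Password   = $plain      # hand over through a secure channel, never by mail or chat
        ValidUntil = $expires
    }
}

function Revoke-SystemAdmin {
    param(
        [Parameter(Mandatory)][string]$Person,
        [Parameter(Mandatory)][string]$System
    )
    $sam = ("adm-$Person-$System").ToLower()
    # Disable, expire now and scramble the password, so a copied credential is dead.
    Disable-ADAccount -Identity $sam
    Set-ADAccountExpiration -Identity $sam -DateTime (Get-Date)
    $scrambled = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $sam -NewPassword $scrambled -Reset
}

# Usage: one hour of Administrator on FILESRV01 and nowhere else.
# $grant = Grant-SystemAdmin -Person 'jdoe' -System 'FILESRV01' -Minutes 60
# ... do the work ...
# Revoke-SystemAdmin -Person 'jdoe' -System 'FILESRV01'
```

Two design points worth noting: the expiry is set in the directory itself, so the window closes even if the revoke step is forgotten, and the revoke step still scrambles the password, so that a credential copied during the window cannot be replayed against a later grant. The script grants membership only in the per-system group; nothing in it touches Domain Admins or any cross-system group, which is exactly what keeps the blast radius at one system.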