Shared passwords, especially shared VNC passwords, remind me of the straw house from the three little pigs...
In addition to the previous post on having the Domain Users group in the Enterprise Admins group (FTW!), on my last trip the organization had decided to use VNC for workstation management instead of Dameware/Remote Desktop.
Why? I have no idea. At least with RDP and Dameware you can force admins to use domain credentials to log in. But for whatever reason they had chosen to use VNC on their workstations; servers used RDP. The VNC sessions were password protected.
Well, they had some sort of video feed linked to a webpage so people could watch the feeds from a single webpage. A simple right click on the feed properties showed an un-obfuscated VNC password (even had a check box that could have starred it out...oops). Surely the VNC properties for the feeds wouldn't be the same VNC for the workstations, right? Wrong, they were. Game over. We could now log into all the workstations. We were already Enterprise Admin and could psexec into the workstations, but screenshots of watching people read their email just look so much better during the outbrief :-)