Have a policy and procedure for creating new users and groups.
Questions to ask:
Who gets accounts on which machines?
Who decides this?
Who is actually authorized to create the accounts?
Are accounts local to a system or location, or global to the organization?
Are all accounts centrally managed, or can local system administrators (SAs) administer local accounts (and under what policies)?
Are the policies and procedures different for local versus global accounts?
What is the procedure to request a new account (or disable or remove an account)?
When do accounts expire?
How are account names chosen (the naming policy)?
What is the password policy (who can change passwords, when do they expire, what is the required strength)?
How many accounts may a single user request at one time?
May accounts be shared? (Answer: no. A shared account cannot be tied to one person, so there is no accountability for what is done with it.)
How much disk space does a user get?
What happens if they exceed their quotas?
What email access is available (web mail, IMAP, POP, SMTP, ...)?
What printer access is provided (how many pages, to which printers, and at which times of day)?
From which workstation(s) may the account be used?
Is remote access provided for this user?
Is usage accounting (e.g. process or resource accounting) to be enabled for this user? If so, how much capacity may be used, and for what?
What additional access does the user require (to which additional groups should the user be added)?
Note that additional access may require additional configuration: database access, administration access, physical access to machines, Kerberos (Samba) access, NFS access, email access, protected website access, FTP access, remote (dialup/VPN) access, Internet access, access to other servers, etc.
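Once the questions above have answers, the answers become checks that an account-creation procedure can enforce mechanically. The script below is an added example, not part of the original text: it encodes a hypothetical naming policy, an allow-list of groups, an expiry date, password ageing and a disk quota, rejects requests that violate them, and emits the commands an SA would run. It assumes a Linux host with shadow-utils (useradd, chage) and the quota tools (setquota); every policy value (3-8 character names, 90-day password age, 1 GiB quota, the group and reserved-name lists) is an assumption chosen for illustration. By default it only prints the commands (DRY_RUN=1), so it can be run as an unprivileged user to review a request; set DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Hypothetical account-provisioning helper (added example, not from the page).
# Policy values below are assumptions chosen for illustration.
LC_ALL=C; export LC_ALL      # make [a-z] mean ASCII lowercase regardless of locale

MAX_PASSWORD_AGE=90          # days before a password must be changed
MIN_PASSWORD_AGE=1           # days before a password may be changed again
PASSWORD_WARN=14             # days of warning before password expiry
INACTIVE_DAYS=30             # days after password expiry until the account locks
DEFAULT_SHELL=/bin/sh
QUOTA_SOFT_KB=1048576        # 1 GiB soft block limit on /home
QUOTA_HARD_KB=1572864        # 1.5 GiB hard block limit on /home
ALLOWED_GROUPS="staff dev dba web vpn"
RESERVED_NAMES="root admin administrator bin daemon nobody sys test guest"
DRY_RUN=${DRY_RUN:-1}        # 1 = print commands only; 0 = execute (needs root)

# Naming policy: 3-8 chars, lowercase letters and digits, first char a letter,
# not a reserved name and not a name that suggests a shared account.
# Returns 0 if the name is acceptable, 1 otherwise.
validate_name() {
    n=$1
    case "$n" in
        [abcdefghijklmnopqrstuvwxyz]*) ;;   # must start with a lowercase letter
        *) return 1 ;;
    esac
    case "$n" in
        *[!abcdefghijklmnopqrstuvwxyz0123456789]*) return 1 ;;  # only [a-z0-9]
    esac
    [ "${#n}" -ge 3 ] && [ "${#n}" -le 8 ] || return 1
    for r in $RESERVED_NAMES; do
        [ "$n" = "$r" ] && return 1
    done
    case "$n" in
        shared*|team*|lab*|common*) return 1 ;;   # shared accounts are never permitted
    esac
    return 0
}

# Every requested supplementary group (comma separated) must be on the allow-list.
validate_groups() {
    for g in $(echo "$1" | tr ',' ' '); do
        found=0
        for a in $ALLOWED_GROUPS; do
            [ "$g" = "$a" ] && found=1
        done
        [ "$found" -eq 1 ] || return 1
    done
    return 0
}

# Expiry date must be YYYY-MM-DD, the form that useradd -e and chage -E accept.
validate_expiry() {
    echo "$1" | grep -Eq '^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])$'
}

# Print a command; execute it only when DRY_RUN=0.
run() {
    echo "$1"
    [ "$DRY_RUN" = "0" ] && eval "$1"
    return 0
}

# Check one request against the policy and emit the provisioning commands.
# Usage: provision <login> <full name> <group,group,...> <YYYY-MM-DD>
provision() {
    login=$1; fullname=$2; groups=$3; expires=$4
    validate_name "$login"     || { echo "rejected: bad name '$login'" >&2; return 1; }
    validate_groups "$groups"  || { echo "rejected: group not allowed in '$groups'" >&2; return 1; }
    validate_expiry "$expires" || { echo "rejected: bad expiry '$expires'" >&2; return 1; }

    # create the account with home directory, expiry date and supplementary groups
    run "useradd -m -c '$fullname' -s $DEFAULT_SHELL -e $expires -G $groups $login"
    # password ageing per policy; -d 0 forces a password change at first login
    run "chage -M $MAX_PASSWORD_AGE -m $MIN_PASSWORD_AGE -W $PASSWORD_WARN -I $INACTIVE_DAYS -d 0 $login"
    # disk quota on the home filesystem (block soft/hard limits, no inode limits)
    run "setquota -u $login $QUOTA_SOFT_KB $QUOTA_HARD_KB 0 0 /home"
}

# Example request (constructed): review it without making any change.
# provision jdoe "Jane Doe" dev,vpn 2026-06-30
```

Keeping the checks separate from the commands is what makes the procedure auditable: a rejected request produces a reason on stderr and no partial account, and the printed commands are the record of what was (or would be) done. Removal or disabling of an account should be handled by a matching script rather than by hand, for the same reason.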