On Thu, 2011-01-20 at 11:05 +0000, John Hodrien wrote: > An account is a personal account that should not be shared. +1 Also, at least in the United States, locking a PC / workstation after 15 minutes of idle is a requirement of PCI/DSS - which your company almost certainly agreed to if you process credit card or other payment information. HIPPA, FERPA, and friends have similar requirements / strong-recommendations. Ask a competent lawyer and he'll/she'll tell you to lock unattended workstations. This has nothing to do with auditing the access to or usage of data - that is a separate issue.