The best answer is probably to flip the question around to ask when it is acceptable to NOT use a non-privileged account.

A non-privileged account should always be used except when it is absolutely necessary (and authorized) to use the permissions assigned to a privileged account. Only those acting as system administrators or system auditors should ever have privileged accounts, and they should only use those accounts when the actions they are performing require the elevated privileges assigned to the privileged account. They should be assigned and use non-privileged accounts for all other actions.

Section 3-3 a.(13) states that privileged users must:

(13) Maintain and use at least 2 separate accounts for access to network resources, 1 for their privileged level access and a separate general user, non-privileged level account for routine procedures.

Section 4.5 c. states:

c. Access control. IA personnel will implement system and device access controls using the principle of least privilege (POLP) via automated or manual means to actively protect the IS from compromise, unauthorized use or access, and manipulation.

One consequence of this is that they are required to always implement non-privileged accounts except where elevated privileges are required.

Wiki User

13y ago