A user is a user, so to speak.
Creating a "backdoor account" though is really bad security practice - you should be assigning administrators to the machines (using their personal account etc). And, creating backdoor accounts with non-changing passwords, even more trouble.
Shared backdoor admin accounts break all the rules of auditability etc.
While I do agree with you, we've had cases in the past where that account was our only means of accessing a laptop to resynch a password token.
We are using individual admin accounts that each of our helpdesk personnel have. They are logging in with those accounts when needed.
We had a shared account once before, but occasionally, the password would change and lead to much confusion.
I feel more comfortable having a failsafe since it's been useful to us in the past as I stated above. Only two of us know the password to this account.
That doesn't make it any better, I realize, but...
Any EPO admin can always do a recovery on a machine - you don't need a user account on the machine itself, and even if it's been deleted from EPO it can be decrypted...