A runbook is executed with the Orchestrator Runbook Service service account. In most scenarios that are not an issue. But in some scenarios you need a runbook to run with a specific account, and all other runbooks run with the default service account. This can be done with an extra Runbook Server that uses another Runbook Service service account, or per activity or it can be solved at design level in the runbook by using the Invoke Runbook activity. To configure a runbook to run with a specific account, please see this post.
Specifying an account on each activity requires a lot of administration. If you need to specify the same account on multiple activities it is recommended to use variables. Variables minimize the risk of incorrect input and also make updates much easier. In Orchestrator 2012 you can configure a variable to be encrypted. If you store a password in a variable it will not be shown or stored in clear text, instead it will be encrypted.
If you want to see all activities in your Orchestrator environment that is not using the default service account you can run the following query
SELECT OBJECTS.Name AS Activity, OBJECTS.ASC_Username, POLICIES.Name AS Runbook, OBJECTTYPES.Name AS [Activity Type]
FROM OBJECTS INNER JOIN
POLICIES ON OBJECTS.ParentID = POLICIES.UniqueID INNER JOIN
OBJECTTYPES ON OBJECTS.ObjectType = OBJECTTYPES.UniqueID
WHERE (OBJECTS.Deleted = ‘0’) AND (OBJECTS.ASC_UseServiceSecurity = 0)