BUILTIN\Administrators in Sysadmin Role

Issue

Local administrators should not also be database administrators. These roles are very different and are typically performed by different people.

Solution

Remove BUILTIN\Administrators from the sysadmin role.

Note: There are special circumstances that require Administrators to belong to the Sysadmin role. These circumstances are outlined in the following Microsoft Knowledge Base articles:

SQL Server Agent Does Not Start and Displays Error 18456 (Q237604)
How to Prevent Windows NT Administrators from Administering a Clustered SQL Server (Q263712)
IsAlive Check Does Not Run Under the Context of the BUILTIN\Administrators Account (Q291255)
Microsoft Search Service May Cause 100% CPU Usage if BUILTIN\Administrators Login is Removed (Q295034)

Instructions

1. Click Start, point to Programs, point to Microsoft SQL Server, and then click Enterprise Manager.
2. In SQL Server Enterprise Manager, double-click SQL Server Group, and then double-click the SQL Server that you want to secure.
3. Click the Security folder, click Server Roles, and then double-click System Administrators in the right pane.
4. In the Server Role Properties dialog box, click BUILTIN\Administrators, and then click Remove.

Additional Information

SQL Server 7.0 Security

Microsoft SQL Server 2000 Security

⌐ 2002 Microsoft Corporation. All rights reserved.