SQL Server Forums
 BUILTIN\Administrators

tbrothers
Yak Posting Veteran

USA
79 Posts

Posted - 06/22/2012 :  17:08:19
Hello - We're running SQL 2005 Ent. We use mixed mode authentication. When SQL was installed it automatically created the SQL login BUILTIN\Administrators and added it to the sysadmin role.

Assuming we have assigned any other privileges or used this login for anything ... is there any reason I should not delete it?

I ask because we're going through an audit and they specifically stated the following:

Please confirm that the BUILTIN\Administrators login has been removed and replaced with a Windows group specifically created for database administrators.

Thanks,
Terry

jackv
Flowing Fount of Yak Knowledge

United Kingdom
1773 Posts

Posted - 06/23/2012 :  04:38:34
Removing the BUILTIN\Administrators group to prevent local server administrators from accessing SQL Server is a good idea.
Ensure you've tested all apps first - and other processes such as backups, in a lower environment.
In SQL Server 2008, BUILTIN\Administrators is not automatically added.

Jack Vamvas
--------------------
http://www.sqlserver-dba.com

gregory_pfeifer
Starting Member

USA
1 Posts

Posted - 06/23/2012 :  14:30:30
You may also want to check with your Active Directory group prior to removal; we began removing the account on 50 legacy servers to find out they had added admin accounts for Citrix, LANDesk, Symantec, Qualys to this group to limit their work, not realizing that it really is a SQL Server group account.

GMan

jeffw8713
Aged Yak Warrior

USA
696 Posts

Posted - 06/24/2012 :  10:37:09
Before removing the group - just remove the sysadmin rights. Make sure you have set up another account with sysadmin rights before doing this, because if you are getting sysadmin rights through that group and either remove the group or sysadmin rights you could lock yourself out of the system.

After a few weeks/months without sysadmin rights - you can then remove the group.
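
The staged approach suggested in the replies above, written out as T-SQL for SQL Server 2005. This is an added example, not part of any post in the thread; `CONTOSO\SQL-DBAs` is a hypothetical Windows group name standing in for the dedicated DBA group the audit asks for.

```sql
-- Added example (not from the thread). CONTOSO\SQL-DBAs is a hypothetical group name.

-- 1. List every principal that currently holds sysadmin.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.type_desc, p.name;
GO

-- 2. List the Windows accounts that reach SQL Server through the local
--    Administrators group. Tool or service accounts found here need their
--    own least-privilege logins before the group loses access.
EXEC master.dbo.xp_logininfo @acctname = N'BUILTIN\Administrators', @option = 'members';
GO

-- 3. Create the dedicated DBA group login and grant it sysadmin.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\SQL-DBAs')
    CREATE LOGIN [CONTOSO\SQL-DBAs] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'CONTOSO\SQL-DBAs', @rolename = N'sysadmin';
GO

-- 4. Show every permission path for your own Windows account. Continue only
--    if a path other than BUILTIN\Administrators is listed as admin.
DECLARE @me sysname;
SET @me = SUSER_SNAME();
EXEC master.dbo.xp_logininfo @acctname = @me, @option = 'all';
GO

-- 5. Revoke sysadmin from BUILTIN\Administrators, but only when the
--    replacement group is an enabled sysadmin member (lockout guard).
IF EXISTS (SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
           WHERE r.name = N'sysadmin'
             AND p.name = N'CONTOSO\SQL-DBAs'
             AND p.is_disabled = 0)
    EXEC sp_dropsrvrolemember @loginame = N'BUILTIN\Administrators', @rolename = N'sysadmin';
ELSE
    RAISERROR(N'Replacement sysadmin group not in place; BUILTIN\Administrators left unchanged.', 16, 1);
GO

-- 6. After the observation period, once nothing has broken, run separately:
-- DROP LOGIN [BUILTIN\Administrators];
```

Re-run the query from step 1 after step 5 to confirm the sysadmin membership is what you expect.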