BUILTIN\Administrators in Sysadmin Role

Issue

Local Windows administrators should not also be SQL database administrators. These roles are very different and are typically performed by different people.

Solution

Remove BUILTIN\Administrators from the sysadmin role.

Note: There are special circumstances that require Administrators to belong to the sysadmin role. These circumstances are outlined in the following Microsoft Knowledge Base articles:

SQL Server Agent Does Not Start and Displays Error 18456 (Q237604)
How to Prevent Windows NT Administrators from Administering a Clustered SQL Server (Q263712)
IsAlive Check Does Not Run Under the Context of the BUILTIN\Administrators Account (Q291255)
Microsoft Search Service May Cause 100% CPU Usage if BUILTIN\Administrators Login is Removed (Q295034)

Important: If you are running Small Business Server and remove all local administrators, you will no longer be able to manage your SQL Server locally.

  1. Make sure that <domain name>\Administrator belongs to the sysadmin role.
  2. Remove BUILTIN\Administrators from the sysadmin role.

Instructions

  1. Click Start, point to Programs, point to Microsoft SQL Server, and then click Enterprise Manager.
  2. In SQL Server Enterprise Manager, double-click SQL Server Group, and then double-click the SQL Server that you want to secure.
  3. Click the Security folder, click Server Roles, and then double-click System Administrators in the right pane.
  4. In the Server Role Properties dialog box, click BUILTIN\Administrators, and then click Remove.
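
The same change can be scripted in Transact-SQL. The script below is an added example, not part of the original Microsoft text. It assumes SQL Server 2000 and a session that is already a sysadmin, and CONTOSO is a placeholder for <domain name>. It refuses to remove BUILTIN\Administrators unless the replacement login is confirmed as a sysadmin first.

```sql
-- Added example, not Microsoft's script. Run in Query Analyzer as a sysadmin.
-- CONTOSO is a placeholder for <domain name>; substitute your own domain.
-- Check the Knowledge Base articles listed above first: clustered servers,
-- SQL Server Agent and Microsoft Search may depend on BUILTIN\Administrators.
DECLARE @admin sysname, @builtin sysname
SET @admin   = N'CONTOSO\Administrator'
SET @builtin = N'BUILTIN\Administrators'

-- Before: list the current members of the sysadmin role.
EXEC sp_helpsrvrolemember 'sysadmin'

-- Step 1: make sure the domain administrator has a login and is a sysadmin.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE loginname = @admin)
    EXEC sp_grantlogin @admin

IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE loginname = @admin AND sysadmin = 1)
    EXEC sp_addsrvrolemember @admin, 'sysadmin'

-- Step 2: remove BUILTIN\Administrators only if step 1 really took effect,
-- so the server is never left without a Windows login that can administer it.
IF EXISTS (SELECT 1 FROM master.dbo.syslogins
           WHERE loginname = @admin AND sysadmin = 1 AND denylogin = 0)
BEGIN
    IF EXISTS (SELECT 1 FROM master.dbo.syslogins
               WHERE loginname = @builtin AND sysadmin = 1)
        EXEC sp_dropsrvrolemember @builtin, 'sysadmin'
    ELSE
        PRINT 'BUILTIN\Administrators is not a member of sysadmin; nothing to remove.'
END
ELSE
    RAISERROR('Replacement sysadmin login is missing or denied; BUILTIN\Administrators left unchanged.', 16, 1)

-- After: confirm the result. BUILTIN\Administrators should no longer be listed.
EXEC sp_helpsrvrolemember 'sysadmin'
```

The script removes only the role membership; the BUILTIN\Administrators login itself stays in place, which matches the Remove button in the Server Role Properties dialog box.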

Additional Information

SQL Server 7.0 Security

Microsoft SQL Server 2000 Security

© 2002 Microsoft Corporation. All rights reserved.