Question: Is NT AUTHORITY\SYSTEM a sysadmin in your SQL Server and Why?

Hi Jonathan,

In my case, I never remove this accout from sysadmin role.

I found this Microsoft article: http://support.microsoft.com/kb/919023 saying explicitely that they don´t recommend doing so.

Regards,

José Santiago Oyervides.

I've been having the same discussion with our data centre, who build my servers and we've not really got too far in this respect to a definitive answer, however in my case they are running the cluster account under this account ( ! ) and I did discover that in this case the account requires permissions to execute select @@servername. I removed sysadmin rights and granted appropriate rights to make this call and my cluster works fine. On my standalone servers I have removed the permissions and everyhting works fine. The data centre is a managed service so they're not always very forthcoming - I did find they were running their sql monitoring using this account which required sysadmin - I encouraged them to use a proper account. I'd be very grateful for a clarification on this matter too.

sorry - my reference is "Pro SQL Server 2008 Failover Clustering" by Allan Hirt.

We have an application that requires SQLExpress to be installed on users' laptops.  NETWORK SERVICE worked well for us except 1)when we enabled FILESTREAM we just couldn't get it to work correctly.  The reasons are documented elsewhere on the web, can't find the links now. Of course LocalSystem isn't needed to overcome this specifically but 2)our users generate various SSPI errors in situations when SQLExpress runs as a domain acct or a local user acct and the machine is a domain member,undocked, and on one of our many flavors of VPN.  

Interesting question.  I just checked my servers and the account has access and is sysadmin.  I don't know why and I haven't changed it.  I'm on SQL Server 2005.  It is definitely something I need to look into.  What are the risks with leaving it as sysadmin?

i never removed the account as i didnt see a need to do so but i found this article

http://support.microsoft.com/kb/932881

The NT AUTHORITY\SYSTEM account

The NT AUTHORITY\SYSTEM account is also granted a SQL Server login. The NT AUTHORITY\SYSTEM account is provisioned in the SYSADMIN fixed server role. Do not delete this account or remove it from the SYSADMIN fixed server role. The NTAUTHORITY\SYSTEM account is used by Microsoft Update and by Microsoft SMS to apply service packs and hotfixes to a SQL Server 2005 installation. The NTAUTHORITY\SYSTEM account is also used by the SQL Writer Service.

our standard build scripts always remove this account from all our SQL Servers here at NYSE Euronext

Jonathan, http://support.microsoft.com/kb/932881 Here it says specifically what it is used for and it says not to remove it.  When you apply any patch it asks for credentials so i'm not sure why if the KB article says otherwise.  What is your take on this?  I was going to remove it until I read this article so now my question is "What are the risks if any of leaving this account as is?"

If SQL Agent service is using this account then it can have sysadmin privilege else we can drop or remove sysadmin role. In my environment SQL Services will be running under AD account so we will be removing it

I did try to remove the sysadmin for the account nt authority/system account and i could only see vss backup failing with login failed errors - it doesnt impact anything else *i think*