I asked this on Twitter and now I am going to ask it on here to see what kind of responses I get. If your SQL Server services run under a domain user account, is NT AUTHORITY\SYSTEM (Local System) a sysadmin in your SQL Server and if so, why?
I was prompted to ask this question while configuring a server earlier today. After installing SQL Server 2008 on Windows Server 2008 R2, I noticed that despite being installed from default using a Domain Account for the Services, the Local System account was still a sysadmin in SQL Server. In the past I have removed this account from my servers, and I did so today, but the thought crossed my mind, “What might I be breaking by doing this?”
Here is what I don’t want.
- I don’t want responses that can’t be backed up with documentation or proof of the need. I am trying to find out the hard facts about why this account would have been left as a sysadmin in a fresh install of SQL Server and guessing just won’t cut it for this.
- I don’t want stories about why SQL can be run as Local System, that’s not the point of this post or the question being asked.
What I do want:
- Documented cases where Local System is needed. For example, K Brian Kelley (Blog/Twitter) offered that Full Text in 2000 required Local System to be a sysadmin in SQL Server 2000 if BuiltIn\Administrators had been removed from SQL Server.
- Changes required if the Local System is removed.
- Anything else pertinent to this account existing in SQL Server 2008.
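
To see where a given instance stands before changing anything, the following T-SQL is an added example (not part of the original post) that lists every sysadmin member and flags Local System by its well-known SID (S-1-5-18), so it also works where the account name is localized. It additionally flags BUILTIN\Administrators (S-1-5-32-544), on the assumption that Local System would inherit sysadmin through that group if it is present; the commented statements at the end use the SQL Server 2008 role procedures and are shown as a reversible pair.

```sql
-- Added example: audit sysadmin membership on the current instance.
-- Matching on SID rather than name avoids missing a localized
-- "NT AUTHORITY\SYSTEM" login.
SELECT  m.name       AS member_name,
        m.type_desc  AS principal_type,
        m.is_disabled,
        CASE m.sid
            WHEN 0x010100000000000512000000         -- S-1-5-18, Local System
                THEN 'Local System (direct member)'
            WHEN 0x01020000000000052000000020020000 -- S-1-5-32-544, BUILTIN\Administrators
                THEN 'Local Administrators group (assumed to include Local System)'
            ELSE ''
        END          AS note
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r
        ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m
        ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.name;

-- Does a login for Local System exist at all, regardless of role membership?
SELECT  name, type_desc, is_disabled, create_date
FROM    sys.server_principals
WHERE   sid = 0x010100000000000512000000;

-- Reversible change: drop the role membership but keep the login, so it can
-- be restored if something turns out to depend on it. Replace the name with
-- the member_name returned above if it is localized on your server.
-- EXEC sp_dropsrvrolemember @loginame = N'NT AUTHORITY\SYSTEM',
--                           @rolename = N'sysadmin';

-- Restore:
-- EXEC sp_addsrvrolemember  @loginame = N'NT AUTHORITY\SYSTEM',
--                           @rolename = N'sysadmin';
```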