Well, the auditors don't like that MSSQL services run under a domain account which is also a member of the local administrators group. I have always added the domain account to the Admin group so I don't know what might happen when the service account is not a server administrator.
Does anyone have any experience and insight into this?
The auditors are right that the account should not be a member of the local administrators group. If you were to have a fresh server, you would install SQL Server and specify an account that doesn't have admin rights for the services. The installer would set up all of the needed permissions in the file system and in the registry. But you have an existing SQL Server, and it's not so easy to remove the admin privilege. There are a ton of permissions needed. Maybe the auditors have a doc you can reference to fix the permissions?
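
One way to see which servers the auditors' finding applies to, as an added example that is not part of the original thread: a read-only PowerShell check that lists each SQL Server service's logon account and whether it is a direct member of the local Administrators group. It assumes Windows PowerShell 5.1 or later, an elevated session on the SQL Server host, and the standard engine and Agent service names.

```powershell
# Added example: report whether each SQL Server service's logon account is a
# direct member of the local Administrators group. Read-only; changes nothing.

function Resolve-AccountSid {
    param([string]$Account)
    # Normalise the forms Win32_Service.StartName can take.
    if ($Account -eq 'LocalSystem') { $Account = 'NT AUTHORITY\SYSTEM' }
    if ($Account -like '.\*') {
        $Account = '{0}\{1}' -f $env:COMPUTERNAME, $Account.Substring(2)
    }
    try {
        ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # the account name could not be resolved to a SID
    }
}

# Built-in Administrators has the well-known SID S-1-5-32-544, so the lookup
# also works on localised systems where the group has a different name.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.SID.Value }

# Default-instance and named-instance service names for the engine and Agent.
$pattern = '^(MSSQLSERVER|MSSQL\$.+|SQLSERVERAGENT|SQLAgent\$.+)$'

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        $sid = Resolve-AccountSid $_.StartName
        [pscustomobject]@{
            Service       = $_.Name
            LogonAccount  = $_.StartName
            # LocalSystem (S-1-5-18) is administrator-equivalent even though
            # it is not listed as a member of the group.
            IsLocalSystem = ($sid -eq 'S-1-5-18')
            DirectAdmin   = ($null -ne $sid -and $adminSids -contains $sid)
        }
    } | Format-Table -AutoSize
```

Only direct membership is compared: an account that is an administrator through a domain group nested inside Administrators shows `DirectAdmin` as False, so review the group members listed by `Get-LocalGroupMember` as well.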