Limit SQL Server admin permissions for domain accounts
What is the best practice for using domain accounts such as those with domain admin permissions for SQL Server service accounts?
The SQL Server should never be run under an account with domain admin permissions. Always grant the Windows account that the SQL Server runs under the minimal rights it needs in order to function. The lowest set of permissions that Microsoft SQL Server needs to run are the "Log on as a service," "Log on as a batch job," and if running Enterprise Edition the "Lock pages in memory" rights.
Many people will give the SQL Server local administrative rights to the server. The SQL Server account should never be given domain admin rights as this poses an unacceptable security risk to the Windows domain.
This was first published in August 2007