What’s the issue?
The local Administrators group on a Windows server grants its members full control over the operating system and everything running on it, including any SQL Server instance installed on the host. By default, SQL Server grants the local Administrators group sysadmin-level access to the database engine through the BUILTIN\Administrators login on older versions, and even when that login is removed, members of local Administrators retain the ability to assign themselves SQL Server permissions through several documented paths.
This finding identifies users and groups currently included in the local Administrators role on a server that hosts a SQL Server instance. The intent of the review is to confirm that only approved accounts have this level of access and to remove any that do not require it.
Why is this a problem?
Membership in the local Administrators group is the most powerful permission on a Windows server. Any account in this group can install software, change system configuration, modify or delete files (including SQL Server data and backup files), read or alter the registry, and execute arbitrary code at the operating system level. The implications for SQL Server are equally severe. A local administrator can start the SQL Server service in single-user mode, in which any member of the local Administrators group that connects is granted sysadmin privileges, providing a path to full database control even on instances configured with strict SQL Server-level security. They can also read SQL Server data files directly from disk, access backups, modify service account credentials, and install drivers or hooks that intercept SQL Server activity.
Once an account has sysadmin privileges in SQL Server, the consequences are equally broad. A sysadmin can read, modify, or drop any object in any database, take and restore backups (including to external locations), alter the permissions of every other user on the instance, enable features such as xp_cmdshell to execute operating system commands, and create or modify SQL Server Agent jobs to run code under the service account context.
Excessive membership in the local Administrators group also undermines audit and compliance posture. Most regulatory frameworks require that administrative access be granted on a least-privilege basis and that membership in privileged groups be reviewed and justified. A local Administrators group with many members, or with stale entries from former employees or retired projects, creates audit findings and increases the blast radius of any compromised credential.
What should you do about this?
Enumerate the current members of the local Administrators group on each SQL Server host using net localgroup Administrators from an elevated command prompt, or through the Computer Management console under Local Users and Groups. Capture the membership and review each entry with the security team and the SQL Server owners. Confirm that every member belongs in the group based on a current, documented job role. Remove individual user accounts and replace them with appropriately scoped Active Directory groups so membership can be managed centrally and audited consistently. Service accounts that genuinely require local administrator rights should be documented with the reason; most service accounts (including the SQL Server service account itself in modern installations) do not require this level of access.
Remove the BUILTIN\Administrators login from SQL Server if it is still present, using DROP LOGIN [BUILTIN\Administrators];, and ensure that explicit, named Active Directory groups are granted only the SQL Server permissions actually required, following least-privilege principles. Replace broad sysadmin access with more granular fixed server roles where possible, such as dbcreator, securityadmin, or serveradmin, depending on the actual responsibilities of each role.
Establish a regular review cadence for the local Administrators group, ideally quarterly, in which membership is reconciled against current job roles and any unjustified entries are removed. Pair the review with a similar review of the SQL Server sysadmin fixed server role, since the two often overlap and both deserve the same scrutiny.
Document the approved members of the local Administrators group, the business justification for each, and the date of the most recent review, so the membership remains intentional and defensible during audits. Add monitoring or alerting for changes to the local Administrators group so unauthorized additions are detected promptly rather than discovered during the next review.
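The review steps above, as an added PowerShell example that is not part of the original finding: it reconciles the host's local Administrators membership against an approved list, flags direct user entries that should become AD groups, and checks the SQL Server instance for the legacy BUILTIN\Administrators login and the current sysadmin members. It assumes Windows PowerShell 5.1 or later (Get-LocalGroupMember), the SqlServer module (Invoke-Sqlcmd), and read access to sys.server_principals; $SqlInstance and the approved-member names are constructed placeholders.

```powershell
# Added example, not from the original article: reconcile the local
# Administrators group on a SQL Server host against an approved list and
# check the instance for the legacy BUILTIN\Administrators login.
# Assumptions: Windows PowerShell 5.1+ (Get-LocalGroupMember), the SqlServer
# module (Invoke-Sqlcmd), and an account that can read sys.server_principals.
# $SqlInstance and $ApprovedMembers are constructed placeholders.
param(
    [string]   $SqlInstance     = 'localhost',
    [string[]] $ApprovedMembers = @('CONTOSO\SQL-Server-Admins',  # hypothetical AD groups
                                    'CONTOSO\Server-Ops')
)

# 1. Enumerate current membership (same data as 'net localgroup Administrators').
$current = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. Reconcile against the approved list.
$unapproved  = $current | Where-Object { $ApprovedMembers -notcontains $_.Name }
# Direct user entries are flagged even when approved: the article recommends
# replacing them with AD groups so membership is managed and audited centrally.
$directUsers = $current | Where-Object { $_.ObjectClass -eq 'User' }

# 3. Check SQL Server for the BUILTIN\Administrators login and list sysadmin
#    members, since the two groups overlap and deserve the same review.
$legacyLogin = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
SELECT name, is_disabled FROM sys.server_principals
WHERE name = N'BUILTIN\Administrators';
"@
$sysadmins = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
SELECT p.name, p.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
"@

# 4. Report. Each finding maps to a remediation step from the article.
[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    ReviewedOn         = (Get-Date).ToString('s')
    LocalAdminCount    = @($current).Count
    UnapprovedMembers  = @($unapproved.Name)   # remove, or document and approve
    DirectUserMembers  = @($directUsers.Name)  # replace with AD groups
    LegacyLoginPresent = [bool]$legacyLogin    # DROP LOGIN [BUILTIN\Administrators]
    SysadminMembers    = @($sysadmins.name)    # reconcile with local Administrators
} | Format-List
```

Run it from an elevated session on each SQL Server host and keep the output with the review record; a non-empty UnapprovedMembers or DirectUserMembers list, or LegacyLoginPresent set to True, is an item to remediate.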