When installing SQL Server, you get to specify SQL Server administrators, i.e., the list of users initially in the sysadmin role. By default, this list contains the current user.
(Image quoted from https://msdn.microsoft.com/en-us/library/dd578652.aspx.)
This default value strikes me as odd. Wouldn't BUILTIN\Administrators be a more sensible choice than the current user? After all, isn't the whole point of Windows authentication not having to manage two separate user/group directories? And local administrators can gain sysadmin rights anyway, if they want to, so it's not really a security feature either.
On the other hand, SQL Server was written by people much smarter than I am, so there might actually be a very good reason for this default value. What is it?
Best Answer
You're right: system administrators can gain sysadmin access, but you will find entries in the default trace for that action. Moreover, it requires restarting the service at least twice, which would hardly go unnoticed.
Not granting sysadmin privileges to BUILTIN\Administrators is a change introduced in SQL Server 2008. In my opinion it's a good idea: it allows the separation of duties between server administrators and SQL Server administrators.
The main undesired effect of having BUILTIN\Administrators in your sysadmin role is the loss of control, which can manifest with one or more of the following annoying things:
Long story short, windows admins have a different skill set and a different mindset, not to mention different responsibilities: letting them manage your SQL Server instances is not a good idea.
My suggestion is to create a windows group for your DBAs and add that group to the sysadmin role upon each new SQL Server installation.