• I agree with Joie that an AD group mapped to Windows authentication on the instances is the best way to go for this. Think about it - if the other sysadmin leaves the company, you now need to remove that from 50-100 servers. While this is easy to do with PowerShell or something like that, you need to have the access set up beforehand for this to work. If you are using AD groups, then you just remove him from the group once, and it affects all 50-100 instances.

    The one MAJOR issue I have with AD groups is how they are managed. If you have a good company, the AD group should have an owner, and only that person should be able to request someone be added to the group. If your company allows people who do not fully understand what the group is used for to add users to any group, this could be a problem. I actively monitor our DBA group and any other sensitive groups to make sure no one gets added without us knowing.

    - Tony Sweet
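
The group monitoring mentioned in the comment above could look like the following. This is an added example, not part of the original post: it compares a sensitive AD group's current members against an owner-approved baseline and reports any drift. The group name `SQL-DBA-Admins`, the account names and the function name `Compare-GroupMembership` are hypothetical, and the sample member list is constructed so the script also runs without the ActiveDirectory module.

```powershell
# Added example: detect unapproved changes to a sensitive AD group.
# Group name, account names and function name are hypothetical.
function Compare-GroupMembership {
    param(
        [string[]]$Approved = @(),   # owner-approved sAMAccountNames (baseline)
        [string[]]$Current  = @()    # accounts in the group right now
    )
    # -notin compares case-insensitively, which matches AD account names.
    foreach ($acct in $Current) {
        if ($acct -notin $Approved) {
            [pscustomobject]@{ Account = $acct; Change = 'Added without approval' }
        }
    }
    foreach ($acct in $Approved) {
        if ($acct -notin $Current) {
            [pscustomobject]@{ Account = $acct; Change = 'Removed from group' }
        }
    }
}

$group    = 'SQL-DBA-Admins'                  # hypothetical group name
$approved = @('asmith', 'bjones', 'cnguyen')  # constructed baseline list

if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
    # -Recursive expands nested groups, so indirect members are caught too.
    $current = @(Get-ADGroupMember -Identity $group -Recursive |
        Select-Object -ExpandProperty SamAccountName)
} else {
    # Constructed sample used when the ActiveDirectory module is not installed.
    $current = @('asmith', 'bjones', 'cnguyen', 'jdoe')
}

$drift = @(Compare-GroupMembership -Approved $approved -Current $current)
if ($drift.Count -gt 0) {
    Write-Warning "Membership of $group differs from the approved baseline:"
    $drift | Format-Table -AutoSize
} else {
    Write-Output "Membership of $group matches the approved baseline."
}
```

Run on a schedule, the warning branch is the place to send an alert to the group's owner.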