This is an old discussion. It may still be relevant. Has anyone ever attempted to map the permissions required to create the ACL's and so on for these security groups? I've inherited one that has them removed. I suspect it will be easier to remove the installations instance by instance and reinstall them but if there is an easy way to add the security groups back in (SQLServerDTSUser$, SQLServerMSSQLUser$, SQLServerAgetUser$ in particular), please share.

I believe these are correct but it would be nice to have some verification (SQL 2012)

Integration Services

Default instance or a named instance: SQLServerDTSUser $ ComputerName

The service capacity Login (SeServiceLogonRight,)

Write access to the application event log.

Bypass traverse checking (SeChangeNotifyPrivilege)

Authentication Impersonate a client after (SeImpersonatePrivilege)

SQL Server Agent 3

Default instance: SQLServerSQLAgentUser $ ComputerName $ MSSQLSERVER

Named instance: SQLServerSQLAgentUser $ ComputerName $ InstanceName

The service capacity Login (SeServiceLogonRight,)

As a batch job the Login (SeBatchLogonRight)

Replace a process level token (SeAssignPrimaryTokenPrivilege)

Bypass traverse checking (SeChangeNotifyPrivilege)

Adjust memory quotas (SeIncreaseQuotaPrivilege)

SQL Server

Default instance: SQLServerMSSQLUser $ ComputerName $ MSSQLSERVER

Named instance: SQLServerMSSQLUser $ ComputerName $ InstanceName

Service capacity login (SeServiceLogonRight)

As a batch job the Login (SeBatchLogonRight)

Replace a process level token (SeAssignPrimaryTokenPrivilege)

Bypass traverse checking (SeChangeNotifyPrivilege)

Adjust memory quotas (SeIncreaseQuotaPrivilege)

Permission to start SQL Server Active Directory Helper

Start SQL Writer's permission

Permission to read the event log service

Permission to read the Remote Procedure Call service

SOURCE http://www.databasesql.info/article/124980796/