I started off on a task to minimize the logins on our Sql server servers. So the first step was to move toward everyone into ad groups and then grant those groups access, we really do not want to have individuals needing access. No problem. So I pull a list of logins from and I see that I have some domain\server$ accounts, I suspect IIS,RS, ASP.NET. I have the nt network account, the builtin\admins account, the nt system account and three groups created by Sql Server. The builtin admins I can remove no issue. The nt system account I can remove no problem. I like using groups for the sql server services, not sure if I like sql server creating them on the server. Now it seems like I should not have to have both the nt network account and the domain\server$ accounts and I'm not sure where the domain\server$ accounts are really coming from. Here are my questions
1: Where are the domain\server$ accounts really coming from?
2: How can I control those accounts so that they are either a specified group etc?
3: Why does the process that created the domain\server$ accounts not use the nt network account?
4: If the domain\server$ accounts are coming from IIS\RS\ASP.NET then what's left that might need the NT Network account?