baxterr (5/18/2012)
Generally, I do my best to never let a SQL login have any sort of elevated privs on a database let alone the server. We still have one program (Microsoft Dynamics GP, can I get a security nightmare amen anyone?) that require administrators to use [sa] for some tasks. This absolutely kills me, but it is what it is.
I dealt with GP years ago. Through some SQL traces and calls with GP support, we determined that the app needs sa for new logins and potentially new databases. However if those are setup by a DBA, the app picks them up. We removed sysadmin from the app logins and they would call us when they needed a new login added.