• Usually, AD group membership is controlled without the need for confirmation from a DBA - for a very good reason, since the DBA should not be concerned about a member being added/dropped from an AD group.

    But that's exactly the reason why the sysadmin priv should not be granted based on an AD group: the DBA team won't notice any change (at least not with additional effort and mostly as a reactive task, not a proactive one).

    The argument that a specific user account would add additional effort in case of leaving the company is rather weak: if the account is disabled at the AD level, how would a user be able to connect to SQL Server (except using a local Windows account that should have been detected before...).

    I, personally, advocate for user-based sysadmin privs instead of group-based. Just because of the harm that can be done.



    Lutz
    A pessimist is an optimist with experience.

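An added example, not part of the post above: one way for a DBA team to notice membership changes in AD groups that hold sysadmin, by expanding each group with `xp_logininfo` and comparing against a stored baseline. The table name `dbo.SysadminGroupBaseline` is hypothetical, and the script assumes the caller may execute `xp_logininfo`.

```sql
SET NOCOUNT ON;

-- Holds the result set of xp_logininfo (columns are matched by position).
CREATE TABLE #members (
    account_name sysname, type char(8), privilege char(9),
    mapped_login_name sysname, permission_path sysname NULL);

-- Walk every Windows group that is a direct member of the sysadmin role.
DECLARE @grp sysname;
DECLARE grp_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT p.name
    FROM sys.server_role_members AS rm
    JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
    WHERE r.name = N'sysadmin' AND p.type = 'G';   -- G = Windows group
OPEN grp_cur;
FETCH NEXT FROM grp_cur INTO @grp;
WHILE @@FETCH_STATUS = 0
BEGIN
    BEGIN TRY
        -- 'members' returns the next-lower level only; nested groups show up
        -- as rows of type 'group' and need their own expansion.
        INSERT INTO #members
        EXEC master.dbo.xp_logininfo @acctname = @grp, @option = 'members';
    END TRY
    BEGIN CATCH
        PRINT N'Could not expand ' + @grp + N': ' + ERROR_MESSAGE();
    END CATCH;
    FETCH NEXT FROM grp_cur INTO @grp;
END;
CLOSE grp_cur;
DEALLOCATE grp_cur;

-- First run: store the current membership as the baseline (hypothetical table).
IF OBJECT_ID(N'dbo.SysadminGroupBaseline') IS NULL
    SELECT account_name, permission_path
    INTO dbo.SysadminGroupBaseline FROM #members;

-- Later runs: report accounts that gained or lost sysadmin through a group.
SELECT COALESCE(m.account_name, b.account_name)       AS account_name,
       COALESCE(m.permission_path, b.permission_path) AS via_group,
       CASE WHEN b.account_name IS NULL THEN 'ADDED' ELSE 'REMOVED' END AS change_type
FROM #members AS m
FULL JOIN dbo.SysadminGroupBaseline AS b
  ON b.account_name = m.account_name AND b.permission_path = m.permission_path
WHERE m.account_name IS NULL OR b.account_name IS NULL;

DROP TABLE #members;
```

Run on a schedule, an empty result means no change since the baseline; the baseline table is only replaced when someone drops it after reviewing the differences.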