The security model offered by Microsoft SQL Server is highly configurable and very robust when all security best practices are followed.
Why should you care about it?
The least-privileged user account (LUA) approach is an essential part of a defensive, in-depth strategy for countering security threats.
By the way, this check is a part of our SQL Server Health Check service.
LUA says that a user must be granted only those privileges, which are required to perform his task – nothing more, nothing less.
It is a best practice that can avoid many future issues like somebody rename or drop an object accidentally.
You can learn more about SQL Server database engine permissions in the Microsoft documentation.
How can I find users with elevated permissions in SQL Server?
SysAdmin users
Run the query below to list all the users with that are sysadmins or have GRANT CONTROL SERVER.
USE master
GO
SELECT DISTINCT p.name AS [loginname] ,
p.type ,
p.type_desc ,
p.is_disabled,
s.sysadmin,
CONVERT(VARCHAR(10),p.create_date ,101) AS [created],
CONVERT(VARCHAR(10),p.modify_date , 101) AS [update]
FROM sys.server_principals p
JOIN sys.syslogins s ON p.sid = s.sid
JOIN sys.server_permissions sp ON p.principal_id = sp.grantee_principal_id
WHERE p.type_desc IN ('SQL_LOGIN', 'WINDOWS_LOGIN', 'WINDOWS_GROUP')
-- Logins that are not process logins
AND p.name NOT LIKE '##%'
AND (s.sysadmin = 1 OR sp.permission_name = 'CONTROL SERVER')
ORDER BY p.name
Database owners
Run the query below to list all the users mapped to db_owner role.
exec sp_msForEachDb ' use [?]
select db_name() as [database_name], r.[name] as [role], p.[name] as [member] from
sys.database_role_members m
join
sys.database_principals r on m.role_principal_id = r.principal_id
join
sys.database_principals p on m.member_principal_id = p.principal_id
where
r.name = ''db_owner'''
How to reduce user permissions
Choose lower permission to the users listed if they don’t need to have these privileges.
Remove the user from the sysadmin server role when possible.
Use db_datareader and db_datawriter roles to give people the right to read and write to any table in the database.
Among several options, you can edit roles for an existing user using SQL Server Management Studio:
- Firstly, go into Security, Logins, and right-click on a login
- In the User Mapping tab, remove (uncheck) the login from the roles for each database – Make sure the users got some kind of access to do their queries.

More information
Microsoft – Getting Started with Database Engine Permissions
Microsoft – Server and Database Roles in SQL Server