By default, all NT administrators of the domain that your SQL Server is installed in have SA rights in every database.
This presents an interesting challenge for DBAs, both political and technical. Does your NT administrator group need SA rights to every database? The answer is no.
Let me take a moment to contradict and clarify the statement I just made. Although the NT group "Administrators" does not need SA rights, the people inside that group may need SA rights.
A better way to lock down your SQL Server than the default is to create a second user group and assign to it any users that need SA rights.
By doing this, you give SA access only to the NT administrators that need it, and you create a universal SA group to audit.
The first step before you do this would be to remove the current administrators group from your SQL Server. You can do this by expanding the Security group and selecting Logins. Then, delete the BUILTIN\Administrators login in the right pane.
Now, create a new NT group and reverse the steps. Generally there is no need to give your network administrators SA rights, but if there is a need, do so through this technique.
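The same change can be scripted in T-SQL instead of being made through the GUI. This is an added example, not part of the original article: MYDOMAIN\SQLAdmins is a placeholder for the new NT group, which is assumed to exist already, and the script adds that group before it removes BUILTIN\Administrators so that sysadmin access is never lost partway through.

```sql
-- Added example. Assumption: MYDOMAIN\SQLAdmins is a placeholder name for an
-- NT group that already exists and contains only the people who need SA rights.
-- Run this as a login that is itself a member of sysadmin.

-- 1. Record who holds sysadmin before anything changes.
EXEC sp_helpsrvrolemember 'sysadmin';

-- 2. Give the new group a login and place it in the sysadmin role.
EXEC sp_grantlogin 'MYDOMAIN\SQLAdmins';
EXEC sp_addsrvrolemember 'MYDOMAIN\SQLAdmins', 'sysadmin';

-- 3. Remove BUILTIN\Administrators only once the new group is confirmed
--    as a sysadmin member; otherwise leave the old login alone.
IF EXISTS (SELECT 1
           FROM master.dbo.syslogins
           WHERE loginname = N'MYDOMAIN\SQLAdmins'
             AND sysadmin = 1)
BEGIN
    IF EXISTS (SELECT 1
               FROM master.dbo.syslogins
               WHERE loginname = N'BUILTIN\Administrators')
        EXEC sp_revokelogin 'BUILTIN\Administrators';
END
ELSE
BEGIN
    RAISERROR('MYDOMAIN\SQLAdmins is not in sysadmin; BUILTIN\Administrators was left in place.', 16, 1);
END

-- 4. Audit: the sysadmin role should now list the new group and no longer
--    list BUILTIN\Administrators.
EXEC sp_helpsrvrolemember 'sysadmin';

-- 5. Audit: list the individual NT accounts that get SA rights through the group.
EXEC xp_logininfo 'MYDOMAIN\SQLAdmins', 'members';
```

Steps 4 and 5 can be rerun on a schedule to review who holds SA rights through the group.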