I just began migrating SQL Servers (2000) to Windows 2003 from Windows 2000 a few months ago. In the past, I never had to add the start up account to the local administrators group. Now that we are moving to Windows 2003, I had to start adding the start up account to the local administrators to avoid getting the "RegCreateKeyEx() returned error 5,'Access is denied'" error when modifying settings.
It just became an issue for me in the last couple of days, because I have two instances on the same box that really need to be locked down tight. I must keep the start up account from one instance from accessing the data and backup files of the other instance. The instances belong to two different departments, with their own IS staff. While I trust the members of both departments, I have to make sure that it is impossible for them to get to each other's data. So, I really need to keep the start up accounts out of local admins.
To solve the problem, I printed out MS 283811 http://support.microsoft.com/default.aspx?scid=KB;EN-US;283811 and began to verify all of the permissions and rights. I only found one setting "Lock pages in memory" that was incorrect, but it seemed to me that something in the registry was the real problem.
So, I found out today that the start up account also needs full control on the following registry keys and their children in addition to the rights mentioned in the KB article.
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MSSQLSERVER
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SQLSERVERAGENT
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MSDTC