NT SERVICE\MSSQLSERVER and NT SERVICE\SQLSERVERAGENT are both showing in server Security Logins. Do they need to be there when the local services SQL Server and SQL ServerAgent are under different service accounts?
In theory, you should be able to remove it without things breaking as long as the services are running under a different account. That would help to reduce the attack surface of the instance. Note: I've actually never tried this so if you do, reply back here with the results. Hope that helps!
At first, I was hesitant to try but thanks for the encouragement. Both service accounts were deleted from logins. But the domain service accounts have to be configured as follows for it to work: - server role = sysadmin - in msdb, database roles=SQLAgentOperatorRule; SQLAgentReaderRule,SQLAgentUserRule If you're not comfortable assigning sysadmin, try setting up proxy. This I haven't tried yet. Thanks, John,