Who is NT AUTHORITY\SYSTEM?
NT AUTHORITY\SYSTEM is the Local System account — a built-in Windows identity. The Windows Server Failover Clustering service (ClusSvc.exe) runs under this identity by default. This means when WSFC (via hadrres.dll) connects to SQL Server, it authenticates as NT AUTHORITY\SYSTEM using Windows Authentication.
Why does WSFC need to log into SQL Server?
Because health monitoring requires actually querying SQL Server internals. WSFC can’t just check if the SQL Server process is running — that’s not enough. It needs to know:
- Is the AG synchronized?
- Are there any critical errors?
- Is the instance responding to queries?
All of that requires a real SQL connection with real permissions.
The Three Grants assigned by default
SELECT
pr.name AS principal_name,
pr.type_desc AS principal_type,
pe.permission_name,
pe.state_desc AS grant_state,
pe.class_desc AS permission_class
FROM sys.server_permissions pe
JOIN sys.server_principals pr
ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = 'NT AUTHORITY\SYSTEM'
ORDER BY pe.permission_name;

-- Grant 1: ALTER ANY AVAILABILITY GROUP
GRANT ALTER ANY AVAILABILITY GROUP TO [NT AUTHORITY\SYSTEM];
This allows WSFC (via the SYSTEM account) to change the state of AGs — for example, changing a replica’s role from secondary to primary during failover. Without this, WSFC could detect a failure but couldn’t actually execute the promotion.

-- Grant 2: CONNECT SQL
GRANT CONNECT SQL TO [NT AUTHORITY\SYSTEM];
This is the basic right to log in to the SQL Server instance at all. Without CONNECT SQL, the Windows login exists but can’t establish a session. It’s the gatekeeper permission.

-- Grant 3: VIEW SERVER STATE
GRANT VIEW SERVER STATE TO [NT AUTHORITY\SYSTEM];
This allows reading Dynamic Management Views (DMVs) like:
- sys.dm_hadr_availability_replica_states — synchronization state
- sys.dm_os_ring_buffers — error events
- sys.dm_exec_requests — active queries
sp_server_diagnostics internally queries many of these DMVs, so this permission is essential for the health check to return meaningful data.
Why not just grant sysadmin?
This is the principle of least privilege in action. sysadmin would work, but it would also allow WSFC to read any data, modify any configuration, drop any database, etc. The three specific grants give WSFC exactly what it needs and nothing more. If the SYSTEM account were ever misused or compromised at the OS level, the blast radius on SQL Server is limited.
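An added example (not part of the original article): a T-SQL audit that compares the server-scoped permissions recorded for NT AUTHORITY\SYSTEM with the three grants listed above and flags anything missing, denied, or extra, then lists fixed server role memberships. The baseline list, the restriction to class_desc = 'SERVER', and the finding labels are assumptions of this example.

```sql
-- Added example: audit NT AUTHORITY\SYSTEM against the article's three grants.
DECLARE @login sysname = N'NT AUTHORITY\SYSTEM';

WITH expected (permission_name) AS (
    -- Baseline (assumption): the three default grants described in this article.
    SELECT v.permission_name
    FROM (VALUES (N'ALTER ANY AVAILABILITY GROUP'),
                 (N'CONNECT SQL'),
                 (N'VIEW SERVER STATE')) AS v (permission_name)
),
actual AS (
    -- Server-scoped permissions currently recorded for the login.
    -- COLLATE avoids a collation conflict with the catalog view's collation.
    SELECT pe.permission_name COLLATE DATABASE_DEFAULT AS permission_name,
           pe.state_desc
    FROM sys.server_permissions AS pe
    JOIN sys.server_principals AS pr
      ON pe.grantee_principal_id = pr.principal_id
    WHERE pr.name = @login
      AND pe.class_desc = N'SERVER'
)
SELECT
    COALESCE(a.permission_name, e.permission_name) AS permission_name,
    a.state_desc AS grant_state,
    CASE
        WHEN a.permission_name IS NULL THEN 'MISSING: baseline grant not present'
        WHEN a.state_desc = N'DENY'    THEN 'DENIED: explicit DENY recorded'
        WHEN e.permission_name IS NULL THEN 'EXTRA: beyond the three-grant baseline'
        ELSE 'OK'
    END AS finding
FROM expected AS e
FULL OUTER JOIN actual AS a
  ON a.permission_name = e.permission_name
ORDER BY finding, permission_name;

-- Fixed server role memberships widen the login beyond its explicit grants.
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE m.name = @login;

-- 1 = member of sysadmin, 0 = not a member, NULL = login or role not valid.
SELECT IS_SRVROLEMEMBER(N'sysadmin', @login) AS is_sysadmin;
```

Any EXTRA row or a sysadmin membership means the login holds more than the three grants, so the limited blast radius described above no longer applies on that instance.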
Thank you,
Rajasekhar Amudala
Email: br8dba@gmail.com
Linkedin: https://www.linkedin.com/in/rajasekhar-amudala/