Query on NT AUTHORITY\SYSTEM access

Question

My client recently implemented Splunk to check on the logs for our application. He discovered that there's one error that keeps popping out on a daily basis, for all the existing DBs (primary, config, model), at every 15minutes interval.

'NT AUTHORITY\SYSTEM” is not able to access the database xxx under the current security content'

We know about the context of this error and the fix. But my client would like to know the following instead:

Why is NT Authority\System accessing the DBs at every 15 minutes interval, and for what purpose?
Can this be changed somewhere?

Answer 1

First of all please DO NOT raise multiple threads for same question. The probability of getting answer depends upon how much clearly you have written your question and how much information you have provided.

'NT AUTHORITY\SYSTEM” is not able to access the database xxx under the current security content'

This is because NT Authority system does not have right to access the database. If you would add the rights may be add it into DB_DATAREADER role the issue might get resolved. If that requires sysadmin on database you may need to add that as sysadmin, although this is not a good option security wise.

Why is NT Authority\System accessing the DBs at every 15 minutes interval, and for what purpose?
Can this be changed somewhere?

You need to use profiler or EX trace to find out what application is trying to access your database every 15 mins. My hunch is this may be splunk. In that case you need to ask splunk team about this behavior. You may also have allowed splunk to use system account and this system account does not have access to SQL Server database and hence this message is coming.

Answer 2

Hi @GQ ,

Check reply from this case: nt-authoritysystem-account.html

Is there a job scheduled running every 15 minutes?
Or check your keepalive value in your SSCM?

BR,
Mia

---

If the answer is helpful, please click "Accept Answer" and upvote it.