We were just testing whether we would be able to deny connection to Domain Administrators who are part of the local Administrators group on SQL Server. In SQL Server 2005, at least, Builtin\Administrators is a principal created in SQL Server. When we run the statement below, Deny Connect SQL to [Builtin\Administrators], it says it executed successfully, but they are still able to connect to SQL Server using their logins. Is there something obvious missing? To test, create a local Windows account and add that local Windows account to the Builtin\Administrators group. Connect to SQL Server and deny connect to Builtin\Administrators. Use RunAs and open SSMS with the new account; it still connects.