1

Link: https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/determining-effective-database-engine-permissions?view=sql-server-ver15#summary

Is it true that members of the local computer administrator group can always elevate their privileges to sysadmin?

I am confused because the local administrator group is not automatically added to the SQL security post 2008. And so they cannot log in to the SQL Server instance.

variable

3 Answers

4

Yes, a user with Local Administrator level access can do literally anything they want to the system.

Take a look at this question-and-answer that explains how to add a user to the sysadmin SQL Server role when no current sysadmin is available.

Hannah Vernon
Stephen Morris - Mo64
3

You have to bear in mind that a user with local administrator rights can literally do anything they want, including, for example, attaching a debugger to the sqlservr.exe process and modifying code or memory directly. They could also take ownership of the master database file and modify it with a hex editor.

You cannot lock them out, because there are many ways for them to elevate to SYSTEM rights, at which point they can do anything they want anyway.

For example, one of the methods on the excellent post linked by @StephenMorris uses impersonation. An administrator can impersonate any user, so they could act as the MSSQLSERVER user.

Charlieface
1

> I am confused because the local administrator group is not automatically added to the SQL security post 2008. And so they cannot log in to the SQL Server instance.

Adding to the correct technical answers, the Windows Admin owns the server. And so while we don't want Windows Admins connecting to the SQL instance as a privileged user (or at all) by default, the Windows Admin must always be able to "take ownership" of the instance and the data.

By analogy a home may have locks on bedroom or bathroom doors, but these aren't intended to permanently deny access to the homeowner. Only to prevent accidental or casual access.

David Browne - Microsoft
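Since the answers above agree that a local administrator cannot be locked out, the practical control is visibility. The following T-SQL is an added example, not part of any answer on this page: it checks whether BUILTIN\Administrators is a login, lists current sysadmin members, and records later membership changes. The audit and specification names are hypothetical, and it assumes you run it as an existing sysadmin.

```sql
USE master;
GO

-- 1. Is the local Administrators group a login on this instance?
--    Matched by its well-known SID (S-1-5-32-544) so the check also
--    works on localized Windows builds where the group name differs.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE sid = 0x01020000000000052000000020020000;

-- 2. Who holds sysadmin right now? Review this list against the
--    accounts you expect; an unexpected recent modify_date is worth a look.
SELECT m.name        AS member_name,
       m.type_desc   AS member_type,
       m.is_disabled,
       m.create_date,
       m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.modify_date DESC;
GO

-- 3. Record future changes to server role membership and logins.
--    Hypothetical names: Audit_PrivilegedChanges / Spec_PrivilegedChanges.
CREATE SERVER AUDIT [Audit_PrivilegedChanges]
    TO APPLICATION_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT [Audit_PrivilegedChanges] WITH (STATE = ON);
GO
CREATE SERVER AUDIT SPECIFICATION [Spec_PrivilegedChanges]
    FOR SERVER AUDIT [Audit_PrivilegedChanges]
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),  -- members added to or removed from server roles
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)     -- logins created, altered or dropped
    WITH (STATE = ON);
GO
```

Because the same local administrator can also alter logs on the host, forward the Windows Application log to a collector that the server's administrators do not control.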