So, what is the difference between these two system admins? Well, to start with, sa is the SQL Server database administator and, as such, has access too all databases, including non-Dynamics databases, on the SQL Server instance. Instead dynsa should be used as it is the GP database administrator and only has access to the GP databases.
While sa is needed for initial system instllation and configuration, and for some third party add-on administration, it should not be used for day-to-day administration of Dynamics GP. As dynsa is a database owner it can be used for most security and maintenance tasks within GP and, like sa, is granted the Poweruser role automatically.
I have to admit, this is more “do as I say, than as I do” because we have been slightly lax in getting this message out to clients. This is something I fully intend to put right this year as I travel around client sites doing upgrades to Microsoft Dynamics GP 2010; in some cases this may lead to entertaining discussions with various Heads of Finance or Directors of Finance or Resources. However, I think in all cases the clinching argument is that using dynsa instead of sa minimises the possibility of tampering with non-GP databases should the password be accidentally leaked.