I think Microsoft made Great Plains use the SA by design not by default. GP goes into SQLServer as SA and does all kinds of "System Administrator" kind if stuff when setting up users and customizing the application. Its a real pain as the DBA to work with this because the Director of Finance wantes to know the SA password and as a result her consultants also got hold of it. Kind of a security nightmare! I'm now using ADP and it used its own SYSADM login to do "System Administrator" kind of stuff. So SA is safe again.

A quick note on ADP: It was setup by ADP consultants before I got here. They did the SQL server install too. And they left the SA password Blank!