IS there any Risk if i remove the BUILTIN\Administrators from my SharePoint on-premises 2013's “Farm Administrators” group

Question

I realized that inside the SharePoint On-Premises 2013 Central Administration, the "BUILTIN\Administrators" is being added inside the "Farm Administrators" group + 2 service accounts as follow:-

now I do understand that the 2 service accounts should be Farm Admins, but do we need the "BUILTIN\Administrators"? as in our case the "BUILTIN\Administrators" contain some domain admin users which should not be accessing the SP CA?? in our case the "BUILTIN\Administrators" group contain these users/groups:-

and the SharePoint services are either using the "Local Account" OR a service account as follow:-

second question. now if I access any site collection using the service accounts, I will get full control on them. but if I access any site collection using a user who is defined insdie "BUILTIN\Administrators", then this user will not have any permsion on the site collection by default. so what is the scenario behind this behavioure. can I say that by default Farm Admin users will not have any permsion of the site collections, unless they are defined as managed accounts ??

third question. now let say for now , I remove the "BUILTIN\Administrators" from the "Farm Admin" group, and later on i realized that this caused issues, then will the solution for this, is to simply add the "BUILTIN\Administrators" back to the "Farm Admins" group??

Answer 1

Removing BUILTIN\Administrators is perfectly acceptable. Farm Admins do not have access to sites by default. What you're probably seeing is permissions granted on the Web Application User Policy are allowing the Farm Admins to access all Site Collections.

And yes, you can simply add the group back to the Farm Admins group.