How To Check SQL Logins Without Password Policy Enforced or Password Expiration Enabled Using Policy Based Management

Policy-Based Management is a feature that is introduced with SQL Server 2008. It allows us to set the rules we want in our systems, to set our standards and to make our controls automatically. For example, we can create a policy for control purposes so that the names of our stored procedures do not start with a number or database recovery models are not simple.

I recommend that you read the article “SQL Server Password Policy” before reading this article.

To comprehend Policy Based Management (PBM), you need to understand some concepts.

Facet

A feature that can be managed by PBM. For example, there is a facet called Login. And you can use this facet to create a policy that checks whether the password policy is applied to Logins.

You can access all facets via SSMS as follows. To access the facet details, you must double-click on it.

Condition

Checks whether the sub-property of the related facets provide the specified condition.

Let’s create a policy that checks whether the password policy is forced to logins.

Right click Policies tab as follows from the Management> Policy tab and click New Policy.

We give a name to Policy on the screen that appears. We need to create a condition from Check Condition.

We’re clicking on New Condition.

We give a name to the condition from the screen that appears.

In Facet section, we select Login facet because we will check the login.

In the Expression section, click on “…” and select @PasswordPolicyEnforced and @ PasswordExpirationEnabled, which are the sub-properties of the Login facet, as follows:

By selecting On Schedule from the Evaluation Mode, we select the interval at which the policy will be checked and then click the Enable check box.

If we choose On Demand, it only checks when we execute policy.

If you have a server-based condition, you can create a server-based condition from the server restriction section.

If you want it to be checked automatically at certain intervals, click New in the Schedule section and determine the frequency that the policy will check the condition. We set it up to work once every day at 12: 00: 000 PM.

From the “Againts targets” section, LoginCondition will run by default for every login.

Let’s set it to check only SQL Login. Click New Condition by clicking the sign to the right of Every.

Since we only want to check SQL Login, select Login from Facet and then LoginType which is the sub-feature of Login Facet as follows.

After changing Target, our main screen will change as follows. As you can see, the OnlySqlLogins condition is replaced by Every.

We created our policy. We click Evaluate as below to run it manually.

I got a result as follows in my local.

When we click on View, we can see why the policy is failed.

When you refresh the instance, a red color x sign appears on the left side of the instance, that looks like the letter. The reason for this is that we have a policy that is failed on the instance. When you see this mark, you must look at the defined policies and fulfill their requirements.

After making the necessary corrections to the policy settings of the logins, this mark will disappear when we re-evaluate the policy as described above. I have already explained in my article “How To Create a Login On SQL Server(Manage Logins)” how to set the policy settings for the login.

With Policy Based Management, you can check many things on SQL Server. And I think a professional database manager should use this feature that SQL Server offers us. You can find more articles on Policy Based Management at the following links.

How To Check the Compatibility Level of Databases Using Policy Based Management“,

How To Check Recovery Model of All Databases Using Policy Based Management“,

“How To Check Stored Procedure Names Using Policy Based Management“,

“How To Check VLF Counts in the Databases Using Policy Based Management”,

“How To Check SQL Logins That Password Policy Enforced or Password Expiration Enabled Using Policy Based Management”,

“How To Check Disabled Audits Using Policy Based Management”,

“How To Check Auto Shrink Option of Databases Using Policy Based Management”,

“How To Check Whether Availability Groups is Ready To Failover Using Policy Based Management”,

“How To Check Availability Group’s Backup Preference Using Policy Based Management”,

“How To Check Availability Group Automatic Failover Settings Using Policy Based Management”,

“How To Check Whether Readable Secondary is Enabled on Availability Groups Using Policy Based Management”,

“How To Check Whether Data File Sizes is Reached a Specific Size Using Policy Based Management”,

“How To Check Auto Close Option of Databases Using Policy Based Management”,

“How To Check Last Log Backup Time Using Policy Based Management”,

“How To Check Page Verify Option of Databases Using Policy Based Management”

dbtut
Author: dbtut

We are a team with over 10 years of database management and BI experience. Our Expertises: Oracle, SQL Server, PostgreSQL, MySQL, MongoDB, Elasticsearch, Kibana, Grafana.

Leave a Reply

Your email address will not be published. Required fields are marked *