locked
Local security policies and sql service account "Login property" options RRS feed

  • Question

  • For sql service accounts we want to enforce both password length and complexity requirements but not expiration. The local security policy of the server sql is installed on uses the Domain policy which also includes the "maximum password age" (that we do NOT want to enforce).

    The SSMS "New Login" dialog box contains several options related to passwords. If we select "Enforce password policy" but NOT the "Enforce password expiration" option will this give us what we want? (i.e. length an complexity requirements YES;  password expiration NO).

    TIA,

    edm2

    Thursday, October 26, 2017 9:51 PM

Answers

  • Hi edm2,

    According to your description, it looks like that what you mentioned is SQL Server logins.

    SQL Server can apply the same complexity and expiration policies used in Windows to passwords used inside SQL Server. Password expiration policies are used to manage the lifespan of a password. When SQL Server enforces password expiration policy, users are reminded to change old passwords, and accounts that have expired passwords are disabled.

    In your scenario, if you did not select the "Enforce password expiration" option, it will not enforce this policy.

    Best Regards,

    Teige


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Marked as answer by edm2 Tuesday, October 31, 2017 1:16 AM
    Monday, October 30, 2017 7:46 AM

All replies

  • I may be missing something, but how would you be able to configure the password policy for Windows accounts from SSMS? Don't you need to that from the AD?

    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

    Thursday, October 26, 2017 9:57 PM
  • Erland,

    I am concerned with the impact of the local security policies on sql accounts not windows accounts (which are handled automatically via the Domain Group policies).

    edm2

    Thursday, October 26, 2017 11:46 PM
  • I am concerned with the impact of the local security policies on sql accounts not windows accounts (which are handled automatically via the Domain Group policies).

    But you asked about the service account for SQL Server, or at least that was my interpretation. And the service account is a Windows user.

    Or do you mean SQL logins that are used by applications to log in SQL Server? I would suggest that you study the topic for CREATE LOGIN and ALTER LOGIN in Books Online for clarity.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

    Friday, October 27, 2017 9:46 PM
  • Sorry for being unclear. I meant sql service accounts such as "MyDB" which is used by applications to access databases. (not used to run sql server itself). Sorry about that.

    edm2

    Saturday, October 28, 2017 12:06 AM
  • Hi edm2,

    According to your description, it looks like that what you mentioned is SQL Server logins.

    SQL Server can apply the same complexity and expiration policies used in Windows to passwords used inside SQL Server. Password expiration policies are used to manage the lifespan of a password. When SQL Server enforces password expiration policy, users are reminded to change old passwords, and accounts that have expired passwords are disabled.

    In your scenario, if you did not select the "Enforce password expiration" option, it will not enforce this policy.

    Best Regards,

    Teige


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Marked as answer by edm2 Tuesday, October 31, 2017 1:16 AM
    Monday, October 30, 2017 7:46 AM
  • Thanks Teige.

    edm2

    Tuesday, October 31, 2017 1:16 AM