I was asked to come up with a policy such that only SQL Server logins' passwords expire every 90 days. Can anyone help me script this in a condition? On the web I found only a few screenshots of how to create a policy.....
Are you referring to Windows authentication? If so, the AD administrator controls how long the password reset must occur. With PBM you can, however, make sure that the account you add to the server has password expiration enabled as well as enforcing your AD's password policy. Here is the T-SQL to create this condition:

You can run this T-SQL and it will create the condition. Once it's created, you can open it in the GUI (the condition will appear in the Conditions folder under the Policy-Based Management node in SSMS). If you'd like a comprehensive resource on PBM, check out the book Pro SQL Server 2008 Policy-Based Management (I co-authored it).

Just a quick run-down of how I came up with that code above:

To use this in a policy, just right-click the policy folder, select New Policy, and from the condition drop-down select the condition you created in the above steps.
May 04 '11 at 01:07 PM
Jorge Segarra
@Jorge Segarra I formatted your script, hope you don't mind :)
May 04 '11 at 01:07 PM
Oleg
I have the Windows accounts to run the services only, and the expiration of those is set to one year. I am using SQL Server authentication for user connectivity and application connectivity. I am assigned the task to implement a password policy using PBM on SQL Server authenticated accounts only.
May 04 '11 at 01:08 PM
ak1516
In that case, follow the condition steps I outlined above and add one more clause. You want to select the property of @LoginType = SqlLogin
May 04 '11 at 01:10 PM
Jorge Segarra
Excellent, thank you Oleg!
May 04 '11 at 01:10 PM
Jorge Segarra
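The three login properties the condition in this answer looks at (login type, policy enforcement, password expiration) can also be read straight from the catalog. The following T-SQL is an added example, not the script from the original answer; the `@MaxPasswordAgeDays` variable (taken from the 90 days in the question), the column aliases and the `finding` labels are assumptions made for illustration.

```sql
-- Added example: audit SQL-authenticated logins only.
-- sys.sql_logins already excludes Windows logins and groups.
-- @MaxPasswordAgeDays is an assumption based on the 90 days in the question.
DECLARE @MaxPasswordAgeDays int = 90;

SELECT  sl.name,
        sl.is_disabled,
        sl.is_policy_checked,       -- CHECK_POLICY on the login
        sl.is_expiration_checked,   -- CHECK_EXPIRATION on the login
        CONVERT(datetime, LOGINPROPERTY(sl.name, 'PasswordLastSetTime')) AS password_last_set,
        DATEDIFF(DAY,
                 CONVERT(datetime, LOGINPROPERTY(sl.name, 'PasswordLastSetTime')),
                 GETDATE())                                              AS password_age_days,
        -- NULL when expiration is not enforced for the login
        CONVERT(int, LOGINPROPERTY(sl.name, 'DaysUntilExpiration'))      AS days_until_expiration,
        CONVERT(bit, LOGINPROPERTY(sl.name, 'IsExpired'))                AS is_expired,
        CASE
            WHEN sl.is_policy_checked = 0     THEN 'CHECK_POLICY is OFF'
            WHEN sl.is_expiration_checked = 0 THEN 'CHECK_EXPIRATION is OFF'
            WHEN DATEDIFF(DAY,
                          CONVERT(datetime, LOGINPROPERTY(sl.name, 'PasswordLastSetTime')),
                          GETDATE()) > @MaxPasswordAgeDays
                                              THEN 'Password older than threshold'
            ELSE 'OK'
        END                                                              AS finding
FROM    sys.sql_logins AS sl
WHERE   sl.name NOT LIKE '##%##'    -- skip internal certificate-mapped logins
ORDER BY finding, sl.name;

-- Generate (do not execute) the statements that would bring
-- non-compliant logins in line; review each one before running it.
SELECT  'ALTER LOGIN ' + QUOTENAME(sl.name)
        + ' WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;' AS fix_statement
FROM    sys.sql_logins AS sl
WHERE   sl.name NOT LIKE '##%##'
  AND  (sl.is_policy_checked = 0 OR sl.is_expiration_checked = 0);
```

The age threshold here is only reported; the actual expiration interval still comes from the Windows or Active Directory password policy. Enabling expiration on an application login means its password will eventually expire, so plan rotation for those accounts before applying the generated statements.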
Update to this post: You can use extended properties on sql logins to do what you were asking for here. I wrote up a post last night about expiring databases but you can easily change the condition to look at extended properties on logins as well: http://sqlchicken.com/2011/10/expiring-databases-and-policy-based-management/
FYI I wrote up a blog post summarizing this setup, hope it helps: http://sqlchicken.com/2011/05/policy-based-management-and-local-password-policy/
Where are we setting the logic saying password expires in 90 days?...sorry for asking like this... I am a newbie to PBM

Hehe no apologies needed! That is set when you create the SQL login itself. Refer to the BOL page on password policy http://msdn.microsoft.com/en-us/library/ms161959.aspx
May 04 '11 at 01:15 PM
Jorge Segarra
Ok, I think I might have explained my problem wrong. Is it possible to create a custom policy? If I check the policy when creating the account it uses my Windows password policy, but I do not want that to happen for the SQL logins. Having a separate custom policy for the SQL logins would be helpful.

Ah, in that case no, not really. While the feature is called "Policy-Based Management", what you're looking for is Windows-based. The password policy for local SQL accounts is keyed off of either the local security policy (on the Windows box the SQL Server resides on), or the overall password policy set via Active Directory policies.
May 04 '11 at 01:30 PM
Jorge Segarra
I am trying to implement the policy-based management feature for SQL logins. Is there a way?
May 04 '11 at 01:34 PM
ak1516
Policy-based management works with sql logins but not for what you're asking for. The password expiration policy is a Windows setting. Policy-based management is aimed towards SQL Server objects and settings, not Windows.
May 04 '11 at 01:48 PM
Jorge Segarra
Okie, I am looking for SQL logins only.
May 04 '11 at 01:56 PM
ak1516

