This post is based on an interesting question/situation that was posted over at ASKSSC.com today. The user asked how to create a policy condition that enforces local sql accounts to adhere to password expiration policies.
First off, to create the condition itself is relatively easy. Below I’ve provided the T-SQL code so that you can create the condition that way. I’ve also included a quick list on how to create it via SSMS GUI.
T-SQL method:
<span class="kwrd">Declare</span> @condition_id <span class="kwrd">int</span> <span class="kwrd">EXEC</span> msdb.dbo.sp_syspolicy_add_condition @name=N<span class="str">'Password Policy Enforced'</span>, @description=N<span class="str">''</span>, @facet=N<span class="str">'Login'</span>, @expression=N<span class="str">'<Operator> <TypeClass>Bool</TypeClass> <OpType>AND</OpType> <Count>2</Count> <Operator> <TypeClass>Bool</TypeClass> <OpType>EQ</OpType> <Count>2</Count> <Attribute> <TypeClass>Bool</TypeClass> <Name>PasswordExpirationEnabled</Name> </Attribute> <Function> <TypeClass>Bool</TypeClass> <FunctionType>True</FunctionType> <ReturnType>Bool</ReturnType> <Count>0</Count> </Function> </Operator> <Operator> <TypeClass>Bool</TypeClass> <OpType>EQ</OpType> <Count>2</Count> <Attribute> <TypeClass>Bool</TypeClass> <Name>PasswordPolicyEnforced</Name> </Attribute> <Function> <TypeClass>Bool</TypeClass> <FunctionType>True</FunctionType> <ReturnType>Bool</ReturnType> <Count>0</Count> </Function> </Operator> </Operator>'</span>, @is_name_condition=0, @obj_name=N<span class="str">''</span>, @condition_id=@condition_id <span class="kwrd">OUTPUT</span> <span class="kwrd">Select</span> @condition_id GO
SSMS method:
- Under PBM node, right-click conditions folder and select New Condition
- Name your new condition something useful
- Select Login facet from drop-down menu
- Click on field box and select @PasswordExpirationEnabled from properties list
- Set the operator value to True
- Click on ‘Click here to add clause’ to add another clause to policy
- Click on field box and select @PasswordPolicyEnforced from properties list
- Set the operator value to True
- Click OK. You’ve now just created a new condition!
Now we’re left with another question: Where does this password policy come from? For details on that you can refer to the Books Online article about it (link). If your box is on a domain that has Active Directory policies regarding password expiration, when you select the box for ‘Enforce password policy’ as well as ‘Enforce password expiration’, these settings will come from that policy. Don’t have an Active Directory policy? No problem! If a policy isn’t provided from Active Directory, Windows then looks to its local security policies for these values.
To see the local values, click on your Start button, then type in ‘secpol.msc’ (don’t type type the single-quotes). This will open up the Local Security Policy MMC Snap-in. Expand the Account Policies folder and then click on the Password Policy folder. In the right side pane you will see the various password-related options you can set such as Maximum password age or password length.
While policy-based management can help you check whether or not the accounts have the option enabled to enforce the policy checks, Policy-based management itself has not bearing on the Local Security Policy settings. This is something you, as an administrator, will have to set and configure outside of SQL Server.