Policy for certain logins password expiration check

  • I have to create a policy on my server which checks whether password expiration is enabled for each login or not.

    I have certain users whose passwords should never expire, and all of them end with the word ‘%user’, like testuser.

    I want the policy to check login name first

    If it's like testuser, then check password expiration = Disabled

    If any other login name, then check password expiration = Enabled

    What condition should I write? I am not sure how to use ExecuteSQL() condition to achieve this. Appreciate any help on this matter.

  • I don't think this is what you need. I searched quite a bit:

    http://blogs.msdn.com/sqlpbm/

    For better, quicker answers on T-SQL questions, click on the following...
    http://www.sqlservercentral.com/articles/Best+Practices/61537/

    For better answers on performance questions, click on the following...
    http://www.sqlservercentral.com/articles/SQLServerCentral/66909/

  • A bit belated, but this should do it:

    First use the Login Options facet to create a condition PwdExpiration with @PasswordExpirationEnabled = False. Then use the Login Options facet to create a condition TestUserPwdExpiration with @name LIKE '%testuser%'. Create a policy with the Check Condition PwdExpiration and drop the 'Against targets' field down to select TestUserPwdExpiration.

    Cheers,

    Cath

  • Thanks for your replies.

    So according to your answer I need to create 2 conditions

    1) PwdExpiration ---@PasswordExpirationEnabled = False use login options facet

    2) TestUserPwdExpiration---@name LIKE '%testuser%' use login facet

    Now I need to create a policy and associate these 2 conditions to the policy. I have created a policy and first check condition was PwdExpiration

    and under that I have used other condition TestUserPwdExpiration so it checks only logins whose names like '%testuser'.

    This is perfectly fine.

    --------------------------------------------------------

    But I also need to see passwordexpired for other logins like sa or domain\user or other logins not like '%testuser', and I have to create another policy for this purpose.

    But I don't want to create another policy. Can I use Executesql() task or any other way so that I can check,

    If username like '%testuser' then pwdexpired =false

    if any other username then pwdexpired = true IN ONE POLICY.

    Thanks

  • Why not add a CASE statement or some other logic to your query? Maybe I'm missing something. 🙂

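The CASE-based check suggested in the last reply, written out as an added example (not code from any poster in the thread). It assumes the exempt logins match '%testuser' and that the internal ##-prefixed logins should be skipped; it reads sys.sql_logins, which lists SQL Server authentication logins only, so Windows logins such as domain\user are not covered by it.

```sql
-- Added example. Assumption: exempt logins match '%testuser' (pattern used in the thread).
DECLARE @ExemptPattern sysname = N'%testuser';

-- Per-login report: expected vs. actual CHECK_EXPIRATION setting.
WITH LoginCheck AS (
    SELECT
        l.name,
        l.is_disabled,
        l.is_policy_checked,                      -- CHECK_EXPIRATION = ON requires CHECK_POLICY = ON
        l.is_expiration_checked AS actual_expiration,
        CASE WHEN l.name LIKE @ExemptPattern
             THEN 0                               -- exempt logins: expiration must be off
             ELSE 1                               -- every other SQL login: expiration must be on
        END AS expected_expiration
    FROM sys.sql_logins AS l
    WHERE l.name NOT LIKE N'##%'                  -- assumption: skip internal ##MS_...## logins
)
SELECT
    name,
    is_disabled,
    is_policy_checked,
    expected_expiration,
    actual_expiration,
    CASE WHEN actual_expiration = expected_expiration
         THEN 'OK' ELSE 'VIOLATION'
    END AS result
FROM LoginCheck
ORDER BY result DESC, name;                       -- violations listed first

-- Scalar form of the same rule: one number, 0 means every SQL login complies.
SELECT COUNT(*) AS violation_count
FROM sys.sql_logins AS l
WHERE l.name NOT LIKE N'##%'
  AND l.is_expiration_checked <>
      CASE WHEN l.name LIKE @ExemptPattern THEN 0 ELSE 1 END;
```

The first query is for review; the second returns a single value, which is the shape a one-policy check needs when both rules have to be evaluated together.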
