Thursday, July 14, 2011

Last week one of my team members was supposed to create a SQL Authenticated ID on a SQL Server 2005 instance. This was as per the request of the Application team who would be using it for an Application.

Since this is a routine task, the DBA created the ID. After passing on the credentials to the Application team, they started complaining that the application is unable to connect to the database using that ID. When the DBA tried connecting to the instance using that ID he got Reason: The password of the account has expired error. In SSMS the Login Properties looked like this.

Since this is an application id, the requirement is the password should never expire. But the DBA had forgot to uncheck the Enforce password policy and User must change password at next login checkbox while creating the ID (these are by default selected). When the application tried connecting to the instance for the first time, the password had expired and it prompted it to be changed. Now the DBA realized the mistake he had done, he uncheck Enforce password policy option and clicked on Ok in SSMS. It was not supposed to be that easy and he got the following error message.

1
2
The CHECK_POLICY and CHECK_EXPIRATION options cannot be turned OFF when MUST_CHANGE is ON.
(Microsoft SQL Server, Error: 15128)

Since the password had already expired, SQL Server was not allowing to be changed with the existing options. Also you will notice that in the above screenshot the User must change password at next login checkbox is grayed out. The only option to overcome this situation was to change the password after disabling the Login Policy check. Here is the query which was used to fix this issue.

1
2
3
4
ALTER LOGIN [LoginName]
WITH PASSWORD = 'newpassword',
CHECK_POLICY = OFF,
CHECK_EXPIRATION = OFF

With this query, the password was successfully changed and the Policy check was disabled as per the requirement.

1 Comment:

  1. Anonymous said...
    use master
    ALTER LOGIN [sa]
    WITH PASSWORD = 'newpassword'

    ALTER LOGIN [sa]with
    CHECK_POLICY = OFF,
    CHECK_EXPIRATION = OFF

Post a Comment