<a href="http://g.adspeed.net/ad.php?do=clk&zid=15220&wd=468&ht=60&pair=as" target="_blank"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15220&wd=468&ht=60&pair=as" alt="i" width="468" height="60"/></a>
Log in
::
Register
::
Not logged in
Home
Tags
Articles
Editorials
Stairways
Forums
Scripts
Videos
Blogs
QotD
Books
Ask SSC
SQL Jobs
Training
Authors
About us
Contact us
Newsletters
Write for us
<a href="http://g.adspeed.net/ad.php?do=clk&zid=15491&wd=120&ht=300&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15491&wd=120&ht=300&pair=as" alt="i" width="120" height="300"/></a>
Recent Posts
Recent Posts
Popular Topics
Popular Topics
Home
Search
Members
Calendar
Who's On
Home
»
Article Discussions
»
Article Discussions by Author
»
Discuss content posted by Dr. Diana Dee
»
Password policies checked by CHECK_POLICY
26 posts, Page 1 of 3
1
2
3
»
»»
Password policies checked by CHECK_POLICY
Rate Topic
Display Mode
Topic Options
Author
Message
Dr. Diana Dee
Dr. Diana Dee
Posted Saturday, November 22, 2008 2:24 PM
SSCrazy
Group: General Forum Members
Last Login: Friday, April 19, 2013 3:02 PM
Points: 2,768,
Visits: 108
Comments posted to this topic are about the item
Password policies checked by CHECK_POLICY
Post #607080
Mohit K. Gupta
Mohit K. Gupta
Posted Saturday, November 22, 2008 11:27 PM
SSC Eights!
Group: General Forum Members
Last Login: Friday, May 17, 2013 12:37 PM
Points: 941,
Visits: 1,041
That is interseting .. I didn't expect that answer.
I expected if SQL Server was told not to force password expirey then following will not be checked:
Enforce password history
Minimum password age
Simplying the following:
Minimum password length
Password must meet complexity requirements
But as I said I assumed, so even though the password does not expire. User can still change their password multiple times. So in your experiment you tried to change password, and it didn't let you change password too soon? And it kept the history for previous password? Thanks for the good question :). I'll have to remeber that.
---
Mohit K. Gupta, MCITP: Database Administrator (2005),
My Blog
, Twitter:
@SQLCAN
.
Microsoft FTE - SQL Server PFE
* Some time its the search that counts, not the finding...
* I didn't think so, but if I was wrong, I was wrong. I'd rather do something, and make a mistake than be frightened and be doing nothing.
How to ask for help .. Read Best Practices
here
.
Post #607143
Dr. Diana Dee
Dr. Diana Dee
Posted Sunday, November 23, 2008 9:00 AM
SSCrazy
Group: General Forum Members
Last Login: Friday, April 19, 2013 3:02 PM
Points: 2,768,
Visits: 108
Yes, I expected only
Complexity, and
Minimum Length
policies to be checked by CHECK_POLICY.
However, in my experiments, with a SQL Server login having only CHECK_POLICY in effect (but not CHECK_EXPIRATION), when minimum age was set, I could not change the password until then, and with History set I could not change the password to the same one for as many as specified by the History.
Try it and let me know if you get different behavior.
)
Post #607199
majorbloodnock
majorbloodnock
Posted Monday, November 24, 2008 2:18 AM
Ten Centuries
Group: General Forum Members
Last Login: Wednesday, May 01, 2013 9:44 AM
Points: 1,043,
Visits: 2,943
At the risk of being obvious, your scenario mentions SQL 2005 running on Windows Server 2003, whilst your tests were SQL 2005 running on Vista. Have you subsequently carried out the same tests on Windows Server 2003 to verify you get the same results?
Semper in excretia, sumus solum profundum variat
Post #607368
Dr. Diana Dee
Dr. Diana Dee
Posted Monday, November 24, 2008 2:35 AM
SSCrazy
Group: General Forum Members
Last Login: Friday, April 19, 2013 3:02 PM
Points: 2,768,
Visits: 108
If you have Server 2003, perhaps you could run the experiment and report back to us. NT version 5.2 and version 6.0 should behave the same with respect to policies, but you never know.
I have not had Latin since high school. Please translate.
)
Post #607375
majorbloodnock
majorbloodnock
Posted Monday, November 24, 2008 2:45 AM
Ten Centuries
Group: General Forum Members
Last Login: Wednesday, May 01, 2013 9:44 AM
Points: 1,043,
Visits: 2,943
Dr. Diana Dee (11/24/2008)
If you have Server 2003, perhaps you could run the experiment and report back to us. NT version 5.2 and version 6.0 should behave the same with respect to policies, but you never know.
I'll see if I can, but not too sure how quickly I'll be able to come up with an answer - time constraints just like most of us....
I have not had Latin since high school. Please translate.
He, he. You're not the first to ask. Literally, it translates to "Always in the manure; it's only the depth that varies" :D
Semper in excretia, sumus solum profundum variat
Post #607378
Dr. Diana Dee
Dr. Diana Dee
Posted Monday, November 24, 2008 3:03 AM
SSCrazy
Group: General Forum Members
Last Login: Friday, April 19, 2013 3:02 PM
Points: 2,768,
Visits: 108
That reminds me of what motivational speaker Doug Wead said:
"If you don't have any horses, your barn will be clean."
)
Post #607382
craigpessano
craigpessano
Posted Monday, November 24, 2008 7:27 AM
SSCarpal Tunnel
Group: General Forum Members
Last Login: Friday, May 17, 2013 2:51 PM
Points: 4,003,
Visits: 1,485
I tried this out on Windows 2003 to see how it reacts (Windows 2003 SP2; SQL Server 2005 Standard SP2 64-bit).
Using the SSMS GUI, the following commands are issued.
-- Create the login
CREATE LOGIN [xxx] WITH PASSWORD=N'qwerty12!', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
--Command(s) completed successfully.
-- Change the password
ALTER LOGIN [xxx] WITH PASSWORD=N'zxcvbn12!'
--Command(s) completed successfully.
-- Change the password back to the original password
ALTER LOGIN [xxx] WITH PASSWORD=N'qwerty12!'
--Command(s) completed successfully.
-- Change to a password that is too short
ALTER LOGIN [xxx] WITH PASSWORD=N'abc'
--Msg 15116, Level 16, State 1, Line 1
--Password validation failed. The password does not meet Windows policy requirements because it is too short.
-- Change to a password that is not complex enough
ALTER LOGIN [xxx] WITH PASSWORD=N'abcdefgh'
--Msg 15118, Level 16, State 1, Line 1
--Password validation failed. The password does not meet Windows policy requirements because it is not complex enough.
From the above, the only two things that are enforced are
(1) Minimum password length
(2) Password must meet complexity requirements
NOTE that the GUI does not specify OLD_PASSWORD.
Now let's try changing the password this time including the OLD_PASSWORD.
-- Change the password to a previously used password, specifying the old password
ALTER LOGIN xxx WITH PASSWORD = 'zxcvbn12!' OLD_PASSWORD = 'qwerty12!'
--Msg 15115, Level 16, State 1, Line 1
--Password validation failed. The password cannot be used at this time.
-- Change the password to a completely new password, specifying the old password
ALTER LOGIN xxx WITH PASSWORD = 'asdfgh12!' OLD_PASSWORD = 'qwerty12!'
--Command(s) completed successfully.
Interestingly, the old password does not seem to be required, but if specified SQL Server appears to check password history.
-- Clean up
DROP LOGIN xxx
Post #607520
Mohit K. Gupta
Mohit K. Gupta
Posted Monday, November 24, 2008 7:50 AM
SSC Eights!
Group: General Forum Members
Last Login: Friday, May 17, 2013 12:37 PM
Points: 941,
Visits: 1,041
Old Password is required if a user was changing the password. If you were changing the password with SysAdmin account it doesn't care. It allows for force over-write. Just in case user lock out their account and you need to reset the password :).
I tried in SQL Server 2005, SP2.
When I set the password using SA, no issues. I logged on to the user and did password set, and I get this message:
Msg 15151, Level 16, State 1, Line 1
Cannot alter the login 'test', because it does not exist or you do not have permission.
:).
---
Mohit K. Gupta, MCITP: Database Administrator (2005),
My Blog
, Twitter:
@SQLCAN
.
Microsoft FTE - SQL Server PFE
* Some time its the search that counts, not the finding...
* I didn't think so, but if I was wrong, I was wrong. I'd rather do something, and make a mistake than be frightened and be doing nothing.
How to ask for help .. Read Best Practices
here
.
Post #607534
Steve Jones - SSC Editor
Steve Jones - SSC Editor
Posted Monday, November 24, 2008 8:12 AM
SSC-Dedicated
Group: Administrators
Last Login: Today @ 6:14 PM
Points: 31,421,
Visits: 13,734
Vista should exceed W2K3 in what is support, if I remember correctly. I don't have a W2K3 server to check on at the moment, but I'll try to later.
Follow me on Twitter:
@way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
Post #607559
« Prev Topic
|
Next Topic »
26 posts, Page 1 of 3
1
2
3
»
»»
Permissions
You
cannot
post new topics.
You
cannot
post topic replies.
You
cannot
post new polls.
You
cannot
post replies to polls.
You
cannot
edit your own topics.
You
cannot
delete your own topics.
You
cannot
edit other topics.
You
cannot
delete other topics.
You
cannot
edit your own posts.
You
cannot
edit other posts.
You
cannot
delete your own posts.
You
cannot
delete other posts.
You
cannot
post events.
You
cannot
edit your own events.
You
cannot
edit other events.
You
cannot
delete your own events.
You
cannot
delete other events.
You
cannot
send private messages.
You
cannot
send emails.
You
may
read topics.
You
cannot
rate topics.
You
cannot
vote within polls.
You
cannot
upload attachments.
You
may
download attachments.
You
cannot
post HTML code.
You
cannot
edit HTML code.
You
cannot
post IFCode.
You
cannot
post JavaScript.
You
cannot
post EmotIcons.
You
cannot
post or upload images.
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved.
Privacy Policy.
Terms of Use.
Report Abuse.
