May 20, 2014 at 12:28 pm
We have a requirement in our organization that all SQL Logins will have the CHECK_EXPIRATION option enabled, including the ##MS_PolicyEventProcessingLogin## and ##MS_PolicyTsqlExecutionLogin## accounts.
What will happen when we reach the password expiration date if we enable the CHECK_EXPIRATION option for these two accounts? Will it have an adverse affect on SQL Server or its ability to process client requests?
May 20, 2014 at 1:28 pm
Both these events are related to Policy Based Management, and if you don't use PBM nothing can happen. And I don't think anything can happen even if you use PBM. ##MS_PolicyTsqlExecutionLogin## is used for the ExecuteAs() function in PBM, and the idea that you grant this login permission as needed. I have not been able to find out what the other login is for.
Note that they are both disabled by default.
[font="Times New Roman"]Erland Sommarskog, SQL Server MVP, www.sommarskog.se[/font]
May 21, 2014 at 2:05 pm
Thanks Erland. We too have not had much luck on locating information regarding these accounts (except for how to recreate them). As you suggest, the fact that these come disabled is probably the greatest clue as to their expected behavior.
Since time is running out before go-live, we decided to just give it a try and thus far the instance and databases seem to be operating as before. PBM seems to be unaffected as well, so we are cautiously optimistic that we won't run into problems down the road. The passwords were just past their expiration dates when we enabled the CHECK_EXPIRATION option so we conveniently had some immediate results.
Hopefully this information is helpful to anyone else encountering this situation. If anybody knows of or learns of a situation where enabling the CHECK_EXPIRATION option is detrimental, I'd be very interested in hearing about it.
Viewing 3 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply