Brian, thanks for a very instructive article.

One question, though:

Is there any way of changing the default for CHECK_POLICY in CREATE LOGIN to be NO, rather than YES?

I have a third-party application that creates new logins as part of creating its own user setup, and it encrypts the database passwords to prevent direct DB access. However, this version is still using sp_addlogin and fails as the encrypted password don't always pass the policy check (which is also out of my control!) so I have to create all the logins manually, which is getting dull.

There is often a trace flag for this kind of thing, but I can't find anything on the 'net.