Home Forums Article Discussions Article Discussions by Author Discuss content posted by Dr. Diana Dee Password policies checked by CHECK_POLICY RE: Password policies checked by CHECK_POLICY

  • November 24, 2008 at 5:54 pm

    #902834

    The wording in Books Online is quite misleading.

    First of all, here is the URL for CREATE LOGIN (Transact-SQL) that has the information you quoted: http://technet.microsoft.com/en-us/library/ms189751.aspx

    Here is the phrase I want to dissect: "CHECK_POLICY = { ON | OFF }

    Applies only to SQL Server logins. Specifies that the Windows password policies of the computer on which SQL Server is running should be enforced on this login. The default value is ON."

    The part of this item that is misleading is: "The password policies of the computer on which SQL Server is running should be enforced on this login."

    That phrase could imply that ALL the password policies are enforced. However, this is not the case. It is only the password policies checked by CHECK_POLICY that are enforced. And CHECK_POLICY definitely does NOT check the Maximum password age policy.

    I created a SQL login with CHECK_POLICY of ON and CHECK_EXPIRATION of OFF. I set the Maximum password age policy to 2 days. Three days later, the SQL login could connect to the database engine.

    ):-D