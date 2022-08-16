In this article, I will help you how to set secure SA passwords for bulk servers, sometimes, we have many SQL server instances in our company environment, the amount of it may over hundreds, and for security requirements, you may need to make the SA password of them different and enough safe, there will be too much manually tasks if you do it manually, so the best practice we can bulk set the SA password by the script and store it securely.

Use PowerShell to generate the list stored safe random password

First, you should create a server list including all SQL Servers SA passwords that need to be updated, e.g. "C:\Users\***\Desktop\Serverlist.txt" is the server list in the script

$servers = Get-Content "C:\Users\***\Desktop\Serverlist.txt" Function New-RandomPassword { [CmdletBinding()] param( [Parameter( Position = 0, Mandatory = $false )] [ValidateRange(5,79)] [int] $Length = 16, [switch] $ExcludeSpecialCharacters ) BEGIN { $SpecialCharacters = @((33,35) + (37..38) + (42..44) + (60,62,63,64) + (91..94)) # remove " - 34 # remove $ - 36 # remove ' - 39 # remove = - 61 } PROCESS { try { if (-not $ExcludeSpecialCharacters) { $Password = -join ((48..57) + (65..90) + (97..122) + $SpecialCharacters | Get-Random -Count $Length | foreach {[char]$_}) } else { $Password = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count $Length | foreach {[char]$_}) } } catch { Write-Error $_.Exception.Message } } END { Write-Output $Password } } foreach ($ser in $servers){ $sapassword = New-RandomPassword -Length 16 $TestResult = New-Object psobject -Property @{ InstanceName = $ser SaPassword = $sapassword } $TestResult | Select-Object InstanceName,SaPassword | Export-Csv -Path "C:\Users\***\Desktop\SQL_SA_pwd.csv" -NoTypeInformation -Append }

Notes: I removed the special character "$" in the password generation candidate characters because it will cause the issue it is called a reference variable not a special character in the password string!

Here is the ASCII code of the printable characters, you can add or remove some of them in the variable definition($SpecialCharacters) in my script:

Also, you can change the length of the password with the parameter "-Length" to meet your company security policy.

Bulk reset the SA passwords

Once we get the generated SA passwords list e.g. "C:\Users\***\Desktop\SQL_SA_pwd.csv", we can use the following PowerShell script to bulk reset

$Servers = Import-Csv "C:\Users\***\Desktop\SQL_SA_pwd.csv" foreach ($Server in $Servers) { $sa = $Server.SaPassword $StringArray = "sapwd=$sa" Invoke-Sqlcmd -ServerInstance $Server.InstanceName -Database master -Query "ALTER LOGIN sa WITH PASSWORD = '$(sapwd)'; GO" -Variable $StringArray }

Notes: Before running the script please make sure you already installed the PowerShell module "sqlserver" on your PC!

Verify the SA passwords changed

Last but not least we need to verify the SA passwords change results, due to some reasons, the SA password may change failed, so please use the following PowerShell script to check that:

$Servers = Import-Csv "C:\Users\***\Desktop\SQL_SA_pwd.csv" foreach ($Server in $Servers) { $sa = $Server.SaPassword $StringArray = "sapwd=$sa" Invoke-Sqlcmd -ServerInstance $Server.InstanceName -Database master -Query "SELECT @@SERVERNAME AS ServerName,CASE WHEN (SELECT name FROM sys.sql_logins WHERE PWDCOMPARE('$(sapwd)', password_hash) = 1) = 'sa' THEN 'Yes' ELSE 'No' END saPasswordCorrect; GO" -Variable $StringArray | Export-Csv -Path C:\Users\***\Desktop\SQL_SA_check.csv -Append -NoTypeInformation }

Check results e.g. "C:\Users\***\Desktop\SQL_SA_check.csv":

If the value of "saPasswordCorrect" is "Yes" it means the SA passwords changed successfully.

And when all things are finished you should safely store the password file, you can import them into the password central management platform or tools.

Unlock the SA password(if needed)

If your SA passwords were locked, but you do not want to change them you can use the following SQL script:

ALTER LOGIN sa WITH CHECK_POLICY = OFF; ALTER LOGIN sa with CHECK_POLICY = ON; GO