so we can check logins that must change passwords

Author: SQLDBAWithABeard

developing/Robs-Instance.ps1

@@ -16,6 +16,7 @@ $Checks = 'LoginAuditSuccessful'
 $Checks = 'LoginCheckPolicy'
 $Checks = 'SuspectPageLimit'
 $Checks = 'SupportedBuild'
+$Checks = 'LoginMustChange'
 $Checks = 'LoginAuditSuccessful', 'LoginAuditFailed'
 
 Invoke-PerfAndValidateCheck -Checks $Checks

source/checks/Instancev5.Tests.ps1

@@ -227,6 +227,15 @@ Describe "Login Check Policy" -Tag LoginCheckPolicy, Security, CIS, Medium, Inst
     }
 }
 
+Describe "Login Must Change" -Tag LoginMustChange, Security, CIS, Medium, Instance -ForEach $InstancesToTest {
+    $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.security.LoginMustChange' }).Value
+    Context "Testing if the new SQL logins that have not logged have to change their password when they log in on <_.Name>" {
+        It "All new sql logins should have the have to change their password when they log in for the first time on <_.Name>" -Skip:$skip {
+            $PsItem.LoginMustChangeCount | Should -Be 0 -Because "We expected the all the new sql logins to have to change the password on first login"
+        }
+    }
+}
+
 Describe "Instance MaxDop" -Tag MaxDopInstance, MaxDop, Medium, Instance -ForEach ($InstancesToTest | Where-Object { $psitem.Name -notin $psitem.ConfigValues.ExcludeInstanceMaxDop }) {
     $skip = ($__dbcconfig | Where-Object { $_.Name -eq 'skip.instance.MaxDopInstance' }).Value
     Context "Testing Instance MaxDop Value on <_.Name>" {

source/internal/assertions/Instance.Assertions.ps1

@@ -717,7 +717,7 @@ function Get-AllInstanceInfo {
                     $role = Get-DbaServerRole -SqlInstance $instance -ServerRole "sysadmin"
 
                     $LoginMustChange = [pscustomobject] @{
-                        Count = @(Get-DbaLogin -SqlInstance $instance -Login @($role.Login) -Type SQL | Where-Object { $_.MustChangePassword -eq $false -and $_.IsDisabled -eq $false -and $null -eq $_LastLogin }).Count
+                        Count = @(Get-DbaLogin -SqlInstance $instance -Login @($role.Login) -Type SQL | Where-Object { $_.MustChangePassword -eq $false -and $_.IsDisabled -eq $false -and $null -eq $_.LastLogin }).Count
                     }
                 } catch {
                     $There = $false

source/internal/functions/NewGet-AllInstanceInfo.ps1

@@ -461,6 +461,15 @@ function NewGet-AllInstanceInfo {
             }
         }
 
+        'LoginMustChange' {
+            $loginTimeSql = "SELECT login_name, MAX(login_time) AS login_time FROM sys.dm_exec_sessions GROUP BY login_name"
+            $loginTimes = $instance.ConnectionContext.ExecuteWithResults($loginTimeSql).Tables[0]
+            $lastlogin = @{Name = 'LastLogin' ; Expression = { $Name = $_.name; ($loginTimes | Where-Object { $_.login_name -eq $name }).login_time
+                }
+            }
+            $LoginMustChangeCount = ($Instance.Logins | Where-Object { $_.Name -in $Instance.Roles['sysadmin'].EnumMemberNames() } | Select-Object Name, $lastlogin, MustChangePassword, IsDisabled | Where-Object { $_.MustChangePassword -eq $false -and $_.IsDisabled -eq $false -and $null -eq $_.LastLogin }).Count
+        }
+
         Default { }
     }
 
@@ -563,6 +572,7 @@ function NewGet-AllInstanceInfo {
         HideInstance           = $HideInstance
         SuspectPageCountResult = $SuspectPageCountResult
         SupportedBuild         = $SupportedBuild
+        LoginMustChangeCount   = $LoginMustChangeCount
         # TempDbConfig          = [PSCustomObject]@{
         #     TF118EnabledCurrent     = $tempDBTest[0].CurrentSetting
         #     TF118EnabledRecommended = $tempDBTest[0].Recommended