Remove-SqlDscLogin: Add KillActiveSessions parameter (#2379)

johlju · web-flow · commit f2da1a28cae8 · 2025-12-26T12:24:42.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -51,6 +51,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   SMO `Database.SetOffline()`. Supports Server and Database pipeline input;
   includes `Force` to disconnect active users
   ([issue #2192](https://github.com/dsccommunity/SqlServerDsc/issues/2192)).
+- `Remove-SqlDscLogin`
+  - Added parameter `-KillActiveSessions` to automatically terminate any active
+    sessions for a login before dropping it
+    ([issue #2372](https://github.com/dsccommunity/SqlServerDsc/issues/2372)).
 
 ### Changed
 
diff --git a/source/Public/Remove-SqlDscLogin.ps1 b/source/Public/Remove-SqlDscLogin.ps1
@@ -14,6 +14,11 @@
     .PARAMETER Name
         Specifies the name of the server login to be removed.
 
+    .PARAMETER KillActiveSessions
+        Specifies that any active sessions for the login should be terminated
+        before attempting to drop the login. This is useful when the login has
+        active connections that would otherwise prevent the drop operation.
+
     .PARAMETER Force
         Specifies that the login should be removed without any confirmation.
 
@@ -23,6 +28,7 @@
         been modified outside of the **ServerObject**, for example through T-SQL.
         But on instances with a large number of logins it might be better to make
         sure the **ServerObject** is recent enough, or pass in **LoginObject**.
+
     .EXAMPLE
         $serverObject = Connect-SqlDscDatabaseEngine -InstanceName 'MyInstance'
         $loginObject = $serverObject | Get-SqlDscLogin -Name 'MyLogin'
@@ -36,6 +42,13 @@
 
         Removes the login named **MyLogin**.
 
+    .EXAMPLE
+        $serverObject = Connect-SqlDscDatabaseEngine -InstanceName 'MyInstance'
+        $serverObject | Remove-SqlDscLogin -Name 'MyLogin' -KillActiveSessions -Force
+
+        Removes the login named **MyLogin** after terminating any active sessions
+        for the login.
+
     .INPUTS
         `Microsoft.SqlServer.Management.Smo.Server`
 
@@ -68,6 +81,10 @@ function Remove-SqlDscLogin
         [System.String]
         $Name,
 
+        [Parameter()]
+        [System.Management.Automation.SwitchParameter]
+        $KillActiveSessions,
+
         [Parameter()]
         [System.Management.Automation.SwitchParameter]
         $Force,
@@ -106,6 +123,44 @@ function Remove-SqlDscLogin
 
         if ($PSCmdlet.ShouldProcess($verboseDescriptionMessage, $verboseWarningMessage, $captionMessage))
         {
+            if ($KillActiveSessions.IsPresent)
+            {
+                $serverObjectToUse = $LoginObject.Parent
+
+                Write-Debug -Message (
+                    $script:localizedData.Login_Remove_KillingActiveSessions -f $LoginObject.Name
+                )
+
+                $processes = $serverObjectToUse.EnumProcesses($LoginObject.Name)
+
+                $originalErrorActionPreference = $ErrorActionPreference
+
+                $ErrorActionPreference = 'Stop'
+
+                # cSpell:ignore Spid
+                foreach ($process in $processes.Rows)
+                {
+                    Write-Debug -Message (
+                        $script:localizedData.Login_Remove_KillingProcess -f $process.Spid, $LoginObject.Name
+                    )
+
+                    # Ignore errors if process already terminated.
+                    try
+                    {
+                        $serverObjectToUse.KillProcess($process.Spid)
+                    }
+                    catch
+                    {
+                        # Ignore error if process already terminated.
+                        Write-Debug -Message (
+                            $script:localizedData.Login_Remove_KillProcessFailed -f $process.Spid, $_.Exception.Message
+                        )
+                    }
+                }
+
+                $ErrorActionPreference = $originalErrorActionPreference
+            }
+
             try
             {
                 $originalErrorActionPreference = $ErrorActionPreference
diff --git a/source/en-US/SqlServerDsc.strings.psd1 b/source/en-US/SqlServerDsc.strings.psd1
@@ -101,6 +101,9 @@ ConvertFrom-StringData @'
     # This string shall not end with full stop (.) since it is used as a title of ShouldProcess messages.
     Login_Remove_ShouldProcessCaption = Remove login on instance
     Login_Remove_Failed = Removal of the login '{0}' failed. (RSDL0001)
+    Login_Remove_KillingActiveSessions = Killing active sessions for login '{0}'. (RSDL0002)
+    Login_Remove_KillingProcess = Killing process with SPID '{0}' for login '{1}'. (RSDL0003)
+    Login_Remove_KillProcessFailed = Failed to kill process with SPID '{0}'. It may have already terminated. Error: {1} (RSDL0004)
 
     ## Enable-SqlDscLogin
     Login_Enable_ShouldProcessVerboseDescription = Enabling the login '{0}' on the instance '{1}'.
diff --git a/tests/Integration/Commands/Remove-SqlDscLogin.Integration.Tests.ps1 b/tests/Integration/Commands/Remove-SqlDscLogin.Integration.Tests.ps1
@@ -157,4 +157,72 @@ Describe 'Remove-SqlDscLogin' -Tag @('Integration_SQL2017', 'Integration_SQL2019
             $loginExists | Should -BeFalse
         }
     }
+
+    Context 'When using the KillActiveSessions parameter' {
+        BeforeAll {
+            $script:testLoginName4 = 'TestRemoveLogin4'
+            $script:testLoginPassword4 = ConvertTo-SecureString -String 'P@ssw0rd4!' -AsPlainText -Force
+            $script:testCredential4 = [System.Management.Automation.PSCredential]::new($script:testLoginName4, $script:testLoginPassword4)
+        }
+
+        AfterEach {
+            # Clean up any remaining sessions
+            if ($script:activeConnection)
+            {
+                Disconnect-SqlDscDatabaseEngine -ServerObject $script:activeConnection -ErrorAction 'SilentlyContinue'
+                $script:activeConnection = $null
+            }
+
+            # Clean up the login if it still exists
+            $loginExists = Test-SqlDscIsLogin -ServerObject $script:serverObject -Name $script:testLoginName4
+
+            if ($loginExists)
+            {
+                # Use KillActiveSessions to ensure cleanup
+                $script:serverObject | Remove-SqlDscLogin -Name $script:testLoginName4 -KillActiveSessions -Force -ErrorAction 'SilentlyContinue'
+            }
+        }
+
+        It 'Should remove a login with active sessions when using KillActiveSessions parameter' {
+            # Create the test login
+            $null = $script:serverObject | New-SqlDscLogin -Name $script:testLoginName4 -SqlLogin -SecurePassword $script:testLoginPassword4 -Force
+
+            # Verify the login exists
+            $loginExists = Test-SqlDscIsLogin -ServerObject $script:serverObject -Name $script:testLoginName4
+            $loginExists | Should -BeTrue
+
+            # Connect using the test login to create an active session
+            $script:activeConnection = Connect-SqlDscDatabaseEngine -InstanceName $script:mockInstanceName -LoginType 'SqlLogin' -Credential $script:testCredential4 -ErrorAction 'Stop'
+
+            # Verify there is an active session for this login
+            $processes = $script:serverObject.EnumProcesses($script:testLoginName4)
+            $processes.Rows.Count | Should -BeGreaterThan 0 -Because 'There should be at least one active session for the login'
+
+            # Remove the login with KillActiveSessions - should succeed
+            $script:serverObject | Remove-SqlDscLogin -Name $script:testLoginName4 -KillActiveSessions -Force
+
+            # Verify the login is removed
+            $loginExists = Test-SqlDscIsLogin -ServerObject $script:serverObject -Name $script:testLoginName4
+            $loginExists | Should -BeFalse
+        }
+
+        It 'Should fail to remove a login with active sessions when not using KillActiveSessions parameter' {
+            # Create the test login
+            $null = $script:serverObject | New-SqlDscLogin -Name $script:testLoginName4 -SqlLogin -SecurePassword $script:testLoginPassword4 -Force
+
+            # Verify the login exists
+            $loginExists = Test-SqlDscIsLogin -ServerObject $script:serverObject -Name $script:testLoginName4
+            $loginExists | Should -BeTrue
+
+            # Connect using the test login to create an active session
+            $script:activeConnection = Connect-SqlDscDatabaseEngine -InstanceName $script:mockInstanceName -LoginType 'SqlLogin' -Credential $script:testCredential4 -ErrorAction 'Stop'
+
+            # Verify there is an active session for this login
+            $processes = $script:serverObject.EnumProcesses($script:testLoginName4)
+            $processes.Rows.Count | Should -BeGreaterThan 0 -Because 'There should be at least one active session for the login'
+
+            # Try to remove the login without KillActiveSessions - should fail
+            { $script:serverObject | Remove-SqlDscLogin -Name $script:testLoginName4 -Force -ErrorAction 'Stop' } | Should -Throw
+        }
+    }
 }
diff --git a/tests/Integration/Commands/Restore-SqlDscDatabase.Integration.Tests.ps1 b/tests/Integration/Commands/Restore-SqlDscDatabase.Integration.Tests.ps1
@@ -1044,22 +1044,7 @@ WITH NOINIT, NOSKIP, REWIND, NOUNLOAD, STATS = 10;
 
                 if ($loginObject)
                 {
-                    # Kill any active sessions for this login before dropping using SMO
-                    $processes = $script:serverObject.EnumProcesses($script:lowPrivLoginName)
-
-                    foreach ($process in $processes)
-                    {
-                        try
-                        {
-                            $script:serverObject.KillProcess($process.Spid)
-                        }
-                        catch
-                        {
-                            # Ignore errors if process already terminated
-                        }
-                    }
-
-                    $null = Remove-SqlDscLogin -LoginObject $loginObject -Force -ErrorAction 'SilentlyContinue'
+                    $null = Remove-SqlDscLogin -LoginObject $loginObject -KillActiveSessions -Force -ErrorAction 'SilentlyContinue'
                 }
             }
 
diff --git a/tests/Unit/Public/Remove-SqlDscLogin.Tests.ps1 b/tests/Unit/Public/Remove-SqlDscLogin.Tests.ps1
@@ -53,11 +53,11 @@ Describe 'Remove-SqlDscLogin' -Tag 'Public' {
     It 'Should have the correct parameters in parameter set <MockParameterSetName>' -ForEach @(
         @{
             MockParameterSetName = 'ServerObject'
-            MockExpectedParameters = '-ServerObject <Server> -Name <string> [-Force] [-Refresh] [-WhatIf] [-Confirm] [<CommonParameters>]'
+            MockExpectedParameters = '-ServerObject <Server> -Name <string> [-KillActiveSessions] [-Force] [-Refresh] [-WhatIf] [-Confirm] [<CommonParameters>]'
         }
         @{
             MockParameterSetName = 'LoginObject'
-            MockExpectedParameters = '-LoginObject <Login> [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]'
+            MockExpectedParameters = '-LoginObject <Login> [-KillActiveSessions] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]'
         }
     ) {
         $result = (Get-Command -Name 'Remove-SqlDscLogin').ParameterSets |
@@ -285,4 +285,125 @@ Describe 'Remove-SqlDscLogin' -Tag 'Public' {
             { Remove-SqlDscLogin -Force @mockDefaultParameters } | Should -Throw -ExpectedMessage '*Removal of the login ''TestLogin'' failed*'
         }
     }
+
+    Context 'When using parameter KillActiveSessions' {
+        BeforeAll {
+            $mockServerObject = New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Server'
+            $mockServerObject.InstanceName = 'TestInstance'
+        }
+
+        BeforeEach {
+            $script:mockMethodDropCallCount = 0
+        }
+
+        Context 'When there are active sessions for the login' {
+            BeforeAll {
+                # The SMO stub EnumProcesses returns a DataTable with SPID 51 for any login name
+                $script:mockLoginObjectWithProcesses = New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Login' -ArgumentList @(
+                    $mockServerObject,
+                    'TestLogin'
+                ) |
+                    Add-Member -MemberType 'ScriptMethod' -Name 'Drop' -Value {
+                        $script:mockMethodDropCallCount += 1
+                    } -PassThru -Force
+
+                $script:mockDefaultParametersWithProcesses = @{
+                    LoginObject        = $script:mockLoginObjectWithProcesses
+                    KillActiveSessions = $true
+                }
+            }
+
+            It 'Should kill active sessions and drop the login' {
+                Remove-SqlDscLogin -Force @mockDefaultParametersWithProcesses
+
+                $script:mockMethodDropCallCount | Should -Be 1
+            }
+        }
+
+        Context 'When using WhatIf with KillActiveSessions' {
+            BeforeAll {
+                $script:mockLoginObjectWhatIf = New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Login' -ArgumentList @(
+                    $mockServerObject,
+                    'TestLogin'
+                ) |
+                    Add-Member -MemberType 'ScriptMethod' -Name 'Drop' -Value {
+                        $script:mockMethodDropCallCount += 1
+                    } -PassThru -Force
+
+                $script:mockDefaultParametersWhatIf = @{
+                    LoginObject        = $script:mockLoginObjectWhatIf
+                    KillActiveSessions = $true
+                }
+            }
+
+            It 'Should not kill sessions or drop the login' {
+                Remove-SqlDscLogin -WhatIf @mockDefaultParametersWhatIf
+
+                $script:mockMethodDropCallCount | Should -Be 0
+            }
+        }
+
+        Context 'When using ServerObject parameter set with KillActiveSessions' {
+            BeforeAll {
+                $mockServerObjectWithProcesses = New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Server'
+                $mockServerObjectWithProcesses.InstanceName = 'TestInstance'
+
+                Mock -CommandName Get-SqlDscLogin -MockWith {
+                    return New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Login' -ArgumentList @(
+                        $mockServerObjectWithProcesses,
+                        'TestLogin'
+                    ) |
+                        Add-Member -MemberType 'ScriptMethod' -Name 'Drop' -Value {
+                            $script:mockMethodDropCallCount += 1
+                        } -PassThru -Force
+                }
+            }
+
+            It 'Should kill active sessions and drop the login' {
+                Remove-SqlDscLogin -ServerObject $mockServerObjectWithProcesses -Name 'TestLogin' -KillActiveSessions -Force
+
+                $script:mockMethodDropCallCount | Should -Be 1
+            }
+
+            It 'Should not kill sessions or drop the login when using WhatIf' {
+                Remove-SqlDscLogin -ServerObject $mockServerObjectWithProcesses -Name 'TestLogin' -KillActiveSessions -Force -WhatIf
+
+                $script:mockMethodDropCallCount | Should -Be 0
+            }
+        }
+
+        Context 'When EnumProcesses returns no active sessions' {
+            BeforeAll {
+                # Create a server object that returns an empty DataTable from EnumProcesses
+                $mockServerObjectNoProcesses = New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Server'
+                $mockServerObjectNoProcesses.InstanceName = 'TestInstance'
+
+                # Override EnumProcesses to return an empty DataTable
+                $mockServerObjectNoProcesses | Add-Member -MemberType 'ScriptMethod' -Name 'EnumProcesses' -Value {
+                    param ($loginName)
+
+                    $dataTable = New-Object -TypeName 'System.Data.DataTable'
+                    $null = $dataTable.Columns.Add('Spid', [System.Int32])
+                    $null = $dataTable.Columns.Add('Login', [System.String])
+
+                    # Return empty DataTable (no rows)
+                    return $dataTable
+                } -Force
+
+                $script:mockLoginObjectNoProcesses = New-Object -TypeName 'Microsoft.SqlServer.Management.Smo.Login' -ArgumentList @(
+                    $mockServerObjectNoProcesses,
+                    'TestLogin'
+                ) |
+                    Add-Member -MemberType 'ScriptMethod' -Name 'Drop' -Value {
+                        $script:mockMethodDropCallCount += 1
+                    } -PassThru -Force
+            }
+
+            It 'Should drop the login without attempting to kill any sessions' {
+                Remove-SqlDscLogin -LoginObject $script:mockLoginObjectNoProcesses -KillActiveSessions -Force
+
+                $script:mockMethodDropCallCount | Should -Be 1
+            }
+        }
+    }
 }
diff --git a/tests/Unit/Stubs/SMO.cs b/tests/Unit/Stubs/SMO.cs
@@ -562,6 +562,25 @@ public void KillAllProcesses( string databaseName )
         {
         }
 
+        public void KillProcess( int processId )
+        {
+        }
+
+        public DataTable EnumProcesses( string loginName )
+        {
+            var dataTable = new DataTable();
+            dataTable.Columns.Add("Spid", typeof(int));
+            dataTable.Columns.Add("Login", typeof(string));
+
+            // Return a row with SPID 51 for any login name
+            var row = dataTable.NewRow();
+            row["Spid"] = 51;
+            row["Login"] = loginName;
+            dataTable.Rows.Add(row);
+
+            return dataTable;
+        }
+
         // Property for SQL Agent support
         public Microsoft.SqlServer.Management.Smo.Agent.JobServer JobServer { get; set; }
 
