SqlLogin
dscbot edited this page Feb 19, 2026 · 16 revisions
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| InstanceName | Key | String | Name of the SQL Server instance to be configured. | |
| Name | Key | String | The name of the login. | |
| DefaultDatabase | Write | String | Specifies the default database name. | |
| Disabled | Write | Boolean | Specifies if the login is disabled. Default value is $false. | |
| Ensure | Write | String | The specified login should be 'Present' or 'Absent'. Default is 'Present'. | Present, Absent |
| Language | Write | String | Specifies the default language. | |
| LoginCredential | Write | PSCredential | Specifies the password as a [PSCredential] object. Only applies to SQL Logins. | |
| LoginMustChangePassword | Write | Boolean | Specifies if the login is required to have its password change on the next login. Only applies to SQL Logins. This cannot be updated on a pre-existing SQL Login and any attempt to do this will throw an exception. | |
| LoginPasswordExpirationEnabled | Write | Boolean | Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to SQL Logins. | |
| LoginPasswordPolicyEnforced | Write | Boolean | Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to SQL Logins. | |
| LoginType | Write | String | The type of login to be created. If LoginType is 'WindowsUser' or 'WindowsGroup' then provide the name in the format DOMAIN\name. Default is 'WindowsUser'. The login types 'Certificate', 'AsymmetricKey', 'ExternalUser', and 'ExternalGroup' are not yet implemented and will currently throw an exception if used. | WindowsUser, WindowsGroup, SqlLogin, Certificate, AsymmetricKey, ExternalUser, ExternalGroup |
| ServerName | Write | String | The hostname of the SQL Server to be configured. Default value is the current computer name. | |
| Sid | Write | String | Specifies the security identifier (SID) for the login. Only applies to SQL Logins. The value should be a hexadecimal string (e.g. '0x1234...'). | |

The SqlLogin DSC resource manages SQL Server logins for a SQL Server instance.
- Target machine must be running Windows Server 2012 or later.
- Target machine must be running SQL Server Database Engine 2012 or later.
- When the `LoginType` of `'SqlLogin'` is used, then the login authentication mode must have been set to `Mixed` or `Normal`. If set to `Integrated` an error will be thrown.
- The `LoginMustChangePassword` parameter is only valid on a `SqlLogin` where the `LoginType` parameter is set to `'SqlLogin'`.
- The `LoginMustChangePassword` parameter cannot be used to change this setting on a pre-existing `SqlLogin`. This parameter can only be used when creating a new `SqlLogin` and where subsequent updates will not be applied or, alternatively, when the desired state will not change (for example, where `LoginMustChangePassword` is initially set to `$false` and will always be set to `$false`).
- The `LoginPasswordPolicyEnforced` parameter cannot be set to `$false` if the parameter `LoginPasswordExpirationEnabled` is set to `$true`, or if the property `PasswordExpirationEnabled` of the login has already been set to `$true` by other means. It will result in the error "The CHECK_EXPIRATION option cannot be used when CHECK_POLICY is OFF". If the parameter `LoginPasswordPolicyEnforced` is set to `$false` then `LoginPasswordExpirationEnabled` must also be set to `$false`.
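
The parameter rules above can be checked before a configuration is compiled. The following is an added example, not part of SqlServerDsc: the function name `Test-SqlLoginPropertySet`, the sample property set, and the requirement that `Sid` carries the `0x` prefix are assumptions.

```powershell
# Added example; Test-SqlLoginPropertySet is a hypothetical helper, not part of SqlServerDsc.
function Test-SqlLoginPropertySet
{
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Collections.Hashtable]
        $Property
    )

    # LoginType defaults to 'WindowsUser' when omitted (see the parameter table).
    $loginType = if ($Property.ContainsKey('LoginType')) { $Property.LoginType } else { 'WindowsUser' }

    if ($loginType -in @('Certificate', 'AsymmetricKey', 'ExternalUser', 'ExternalGroup'))
    {
        "LoginType '$loginType' is not yet implemented and will throw an exception."
    }

    if (($loginType -in @('WindowsUser', 'WindowsGroup')) -and ($Property.Name -notmatch '^[^\\]+\\[^\\]+$'))
    {
        "Name '$($Property.Name)' must use the format DOMAIN\name."
    }

    if ($loginType -ne 'SqlLogin')
    {
        # Parameters the table marks "Only applies to SQL Logins".
        foreach ($name in 'LoginCredential', 'LoginMustChangePassword', 'LoginPasswordExpirationEnabled', 'LoginPasswordPolicyEnforced', 'Sid')
        {
            if ($Property.ContainsKey($name)) { "$name only applies to SQL Logins." }
        }
    }

    # SQL Server rejects CHECK_EXPIRATION when CHECK_POLICY is OFF.
    if (($Property.LoginPasswordPolicyEnforced -eq $false) -and ($Property.LoginPasswordExpirationEnabled -eq $true))
    {
        'LoginPasswordExpirationEnabled must be $false when LoginPasswordPolicyEnforced is $false.'
    }

    # Assumption: the Sid string must carry the 0x prefix shown in the page's example.
    if ($Property.ContainsKey('Sid') -and ($Property.Sid -notmatch '^0x[0-9A-Fa-f]+$'))
    {
        "Sid '$($Property.Sid)' is not a hexadecimal string."
    }
}

# Constructed sample: policy enforcement off while expiration is on, and a malformed Sid.
$sample = @{ InstanceName = 'DSC'; Name = 'SqlLogin'; LoginType = 'SqlLogin'
    LoginPasswordPolicyEnforced = $false; LoginPasswordExpirationEnabled = $true; Sid = '5283175D' }
Test-SqlLoginPropertySet -Property $sample
```

The function emits one string per violated rule and nothing for a clean property set, so it can gate a build step with a simple count check.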
All issues are not listed here, see here for all open issues.
This example shows how to ensure that the SQL logins 'SqlLogin' and 'SqlLogin2' exist, where 'SqlLogin2' is created with an explicit SID.
```powershell
Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $SqlAdministratorCredential,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $LoginCredential
    )

    Import-DscResource -ModuleName 'SqlServerDsc'

    node localhost
    {
        SqlLogin 'Add_SqlLogin'
        {
            Ensure                         = 'Present'
            Name                           = 'SqlLogin'
            LoginType                      = 'SqlLogin'
            ServerName                     = 'TestServer.company.local'
            InstanceName                   = 'DSC'
            LoginCredential                = $LoginCredential
            LoginMustChangePassword        = $false
            LoginPasswordExpirationEnabled = $true
            LoginPasswordPolicyEnforced    = $true
            PsDscRunAsCredential           = $SqlAdministratorCredential
        }

        SqlLogin 'Add_SqlLogin_Set_Login_Sid'
        {
            Ensure                         = 'Present'
            Name                           = 'SqlLogin2'
            LoginType                      = 'SqlLogin'
            ServerName                     = 'TestServer.company.local'
            InstanceName                   = 'DSC'
            LoginCredential                = $LoginCredential
            LoginMustChangePassword        = $false
            LoginPasswordExpirationEnabled = $true
            LoginPasswordPolicyEnforced    = $true
            PsDscRunAsCredential           = $SqlAdministratorCredential
            Sid                            = '0x5283175DBF354E508FB7582940E87500'
        }
    }
}
```

This example shows how to ensure that the Windows users 'CONTOSO\WindowsUser', 'CONTOSO\WindowsUser2', 'CONTOSO\WindowsUser3', and the Windows group 'CONTOSO\WindowsGroup' exist.
```powershell
Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $SqlAdministratorCredential
    )

    Import-DscResource -ModuleName 'SqlServerDsc'

    node localhost
    {
        SqlLogin 'Add_WindowsUser'
        {
            Ensure               = 'Present'
            Name                 = 'CONTOSO\WindowsUser'
            LoginType            = 'WindowsUser'
            ServerName           = 'TestServer.company.local'
            InstanceName         = 'DSC'
            PsDscRunAsCredential = $SqlAdministratorCredential
        }

        SqlLogin 'Add_DisabledWindowsUser'
        {
            Ensure               = 'Present'
            Name                 = 'CONTOSO\WindowsUser2'
            LoginType            = 'WindowsUser'
            ServerName           = 'TestServer.company.local'
            InstanceName         = 'DSC'
            PsDscRunAsCredential = $SqlAdministratorCredential
            Disabled             = $true
        }

        SqlLogin 'Add_WindowsUser_Set_Default_Database'
        {
            Ensure               = 'Present'
            Name                 = 'CONTOSO\WindowsUser3'
            LoginType            = 'WindowsUser'
            ServerName           = 'TestServer.company.local'
            InstanceName         = 'DSC'
            DefaultDatabase      = 'contoso'
            PsDscRunAsCredential = $SqlAdministratorCredential
        }

        SqlLogin 'Add_WindowsGroup'
        {
            Ensure               = 'Present'
            Name                 = 'CONTOSO\WindowsGroup'
            LoginType            = 'WindowsGroup'
            ServerName           = 'TestServer.company.local'
            InstanceName         = 'DSC'
            PsDscRunAsCredential = $SqlAdministratorCredential
        }
    }
}
```

This example shows how to remove the Windows user 'CONTOSO\WindowsUser', Windows group 'CONTOSO\WindowsGroup', and the SQL Login 'SqlLogin'.
```powershell
Configuration Example
{
    Import-DscResource -ModuleName 'SqlServerDsc'

    node localhost
    {
        SqlLogin 'Remove_WindowsUser'
        {
            Ensure       = 'Absent'
            Name         = 'CONTOSO\WindowsUser'
            LoginType    = 'WindowsUser'
            ServerName   = 'TestServer.company.local'
            InstanceName = 'DSC'
        }

        SqlLogin 'Remove_WindowsGroup'
        {
            Ensure       = 'Absent'
            Name         = 'CONTOSO\WindowsGroup'
            LoginType    = 'WindowsGroup'
            ServerName   = 'TestServer.company.local'
            InstanceName = 'DSC'
        }

        SqlLogin 'Remove_SqlLogin'
        {
            Ensure       = 'Absent'
            Name         = 'SqlLogin'
            LoginType    = 'SqlLogin'
            ServerName   = 'TestServer.company.local'
            InstanceName = 'DSC'
        }
    }
}
```