According to this SQL Server 2008 whitepaper, SQL Server should only pay attention to the Minimum Password Age policy when the Check_Expiration (Enforce Password Expiration) option is turned on. Page 7 in the whitepaper specifically says "CHECK_EXPIRATION uses the minimum and maximum password age part of the Windows Server 2003 policy, and CHECK_POLICY uses the other policy settings". However, that's not what I'm finding. It looks like you only need Check_Policy (Enforce Password Policy) turned on.
For example, I have a SQL Login (using SQL Server authentication) with Enforce Password Policy turned on, but Enforce Password Expiration turned OFF. My domain's password policy has Minimum Password Age set to 1. I can use sp_password to change the password once, but when I try to change it a second time, I get this error:
Server: Msg 15114, Level 16, State 1, Line 1 Password validation failed. The password for the user is too recent to change.
Is the documentation in this whitepaper simply wrong? Why is this happening when Check_Expiration is off? I also found this site which also says that Minimum Password Age should only be enforced when Check_Expiration is on. I think this is true for MAXIMUM Password Age, but I'm finding that Minimum Password Age is still getting enforced when Check_Expiration is off.
Is there something funky about my configuration? Should Minimum Password Age really be enforced when Check_Expiration is off (but Check_Policy is on)?
Aucun commentaire:
Enregistrer un commentaire