From 249b0bba10e6b3d2b175f81db91a773cc9042f48 Mon Sep 17 00:00:00 2001 From: Marko Bozikovic Date: Wed, 10 Mar 2021 19:13:48 +0100 Subject: [PATCH] [#1669] SqlLogin: LoginMustChangePassword, LoginPasswordExpirationEnabled and LoginPasswordPolicyEnforced parameters no longer enforce default values --- CHANGELOG.md | 4 ++- .../DSC_SqlLogin/DSC_SqlLogin.psm1 | 33 +++++++++++-------- .../DSC_SqlLogin/DSC_SqlLogin.schema.mof | 6 ++-- 3 files changed, 26 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ba3a7fe8..a149bbc0c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 `Microsoft.AnalysisServices.Server` object. The new functionality is used when the parameter `FeatureFlag` is set to `'AnalysisServicesConnection'`. This functionality will be the default in a future breaking release. +- SqlLogin + - `LoginMustChangePassword`, `LoginPasswordExpirationEnabled` and `LoginPasswordPolicyEnforced` + parameters no longer enforce default values [issue #1669](https://github.com/dsccommunity/SqlServerDsc/issues/1669). ### Added @@ -51,7 +54,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - SqlSetup - Fixed integration tests for SQL Server 2016 and SQL Server 2017. - ## [15.1.1] - 2021-02-12 ### Fixed diff --git a/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 b/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 index e57c7461a..8449b9b5b 100644 --- a/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 +++ b/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 
@@ -163,15 +163,15 @@ function Set-TargetResource [Parameter()] [System.Boolean] - $LoginMustChangePassword = $true, + $LoginMustChangePassword, [Parameter()] [System.Boolean] - $LoginPasswordExpirationEnabled = $true, + $LoginPasswordExpirationEnabled, [Parameter()] [System.Boolean] - $LoginPasswordPolicyEnforced = $true, + $LoginPasswordPolicyEnforced, [Parameter()] [System.Boolean] @@ -195,15 +195,15 @@ function Set-TargetResource if ( $login.LoginType -eq 'SqlLogin' ) { # There is no way to update 'MustChangePassword' on existing login so must explicitly throw exception to avoid this functionality being assumed - if ( $login.MustChangePassword -ne $LoginMustChangePassword ) + if ( $PSBoundParameters.ContainsKey('LoginMustChangePassword') -and $login.MustChangePassword -ne $LoginMustChangePassword ) { $errorMessage = $script:localizedData.MustChangePasswordCannotBeChanged New-InvalidOperationException -Message $errorMessage } # `PasswordPolicyEnforced and `PasswordExpirationEnabled` must be updated together (if one or both are not in the desired state) - if ( $login.PasswordPolicyEnforced -ne $LoginPasswordPolicyEnforced -or - $login.PasswordExpirationEnabled -ne $LoginPasswordExpirationEnabled ) + if ( ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') -and $login.PasswordPolicyEnforced -ne $LoginPasswordPolicyEnforced ) -or + ( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') -and $login.PasswordExpirationEnabled -ne $LoginPasswordExpirationEnabled ) ) { Write-Verbose -Message ( $script:localizedData.SetPasswordPolicyEnforced -f $LoginPasswordPolicyEnforced, $Name, $ServerName, $InstanceName 
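Review bot: In the `@@ -163,15 +163,15 @@` hunk, dropping `= $true` means an omitted `[System.Boolean]` parameter now evaluates to `$false`, so every use of `$LoginMustChangePassword`, `$LoginPasswordExpirationEnabled` and `$LoginPasswordPolicyEnforced` that is not behind a `$PSBoundParameters.ContainsKey(...)` guard silently flips from true to false. The update path is guarded in the later hunks, but the branch that creates a new login is outside the visible hunks; if it assigns these variables directly, a configuration that omits them would presumably create SQL logins with password policy and expiration switched off. That branch should use the same guard, or keep the stricter value for creation with something like `if ( -not $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') ) { $LoginPasswordPolicyEnforced = $true }`. The same check is needed for the Test-TargetResource parameters changed in the `@@ -421,15 +428,15 @@` hunk. The param block of Set-TargetResource starts and ends outside this hunk.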
@@ -212,8 +212,15 @@ function Set-TargetResource $script:localizedData.SetPasswordExpirationEnabled -f $LoginPasswordExpirationEnabled, $Name, $ServerName, $InstanceName ) - $login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced - $login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled + if ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') ) + { + $login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced + } + + if ( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') ) + { + $login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled + } Update-SQLServerLogin -Login $login } @@ -421,15 +428,15 @@ function Test-TargetResource [Parameter()] [System.Boolean] - $LoginMustChangePassword = $true, + $LoginMustChangePassword, [Parameter()] [System.Boolean] - $LoginPasswordExpirationEnabled = $true, + $LoginPasswordExpirationEnabled, [Parameter()] [System.Boolean] - $LoginPasswordPolicyEnforced = $true, + $LoginPasswordPolicyEnforced, [Parameter()] [System.Boolean] @@ -504,7 +511,7 @@ function Test-TargetResource if ( $LoginType -eq 'SqlLogin' ) { - if ( $LoginPasswordExpirationEnabled -ne $loginInfo.LoginPasswordExpirationEnabled ) + if ( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') -and $LoginPasswordExpirationEnabled -ne $loginInfo.LoginPasswordExpirationEnabled ) { if ($LoginPasswordExpirationEnabled) { @@ -522,7 +529,7 @@ function Test-TargetResource $testPassed = $false } - if ( $LoginPasswordPolicyEnforced -ne $loginInfo.LoginPasswordPolicyEnforced ) + if ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') -and $LoginPasswordPolicyEnforced -ne $loginInfo.LoginPasswordPolicyEnforced ) { if ($LoginPasswordPolicyEnforced) { diff --git a/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof b/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof index 5ed542970..8f3c01e23 100644 --- a/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof 
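Review bot: In the `@@ -212,8 +212,15 @@` hunk the `Write-Verbose` for `SetPasswordExpirationEnabled`, like the one for `SetPasswordPolicyEnforced` at the end of the `@@ -195,15 +195,15 @@` hunk, still runs unconditionally. When only one of the two parameters is bound, the log therefore reports the other as being set to `False` although the guarded assignment never touches it. For a setting that controls password policy this makes the verbose output unreliable as an audit trail, so each `Write-Verbose` should move inside the matching `if ( $PSBoundParameters.ContainsKey(...) )` block next to its assignment. The existing comment saying both properties "must be updated together" no longer matches the code and could become `# Only explicitly specified properties are changed; they are applied in a single Update-SQLServerLogin call.` The body of Set-TargetResource continues outside both hunks.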
+++ b/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof 
@@ -9,9 +9,9 @@ class DSC_SqlLogin : OMI_BaseResource
 Values{"WindowsUser","WindowsGroup","SqlLogin","Certificate","AsymmetricKey","ExternalUser","ExternalGroup"}] String LoginType;
 [Write, Description("The hostname of the _SQL Server_ to be configured. Default value is the current computer name.")] String ServerName;
 [Write, EmbeddedInstance("MSFT_Credential"), Description("Specifies the password as a `[PSCredential]` object. Only applies to _SQL Logins_.")] String LoginCredential;
- [Write, Description("Specifies if the login is required to have its password change on the next login. Only applies to _SQL Logins_. Default value is `$true`. This cannot be updated on a pre-existing _SQL Login_ and any attempt to do this will throw an exception.")] Boolean LoginMustChangePassword;
- [Write, Description("Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to _SQL Logins_. Default value is `$true`.")] Boolean LoginPasswordExpirationEnabled;
- [Write, Description("Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to _SQL Logins_. Default value is `$true`.")] Boolean LoginPasswordPolicyEnforced;
+ [Write, Description("Specifies if the login is required to have its password change on the next login. Only applies to _SQL Logins_. This cannot be updated on a pre-existing _SQL Login_ and any attempt to do this will throw an exception.")] Boolean LoginMustChangePassword;
+ [Write, Description("Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to _SQL Logins_.")] Boolean LoginPasswordExpirationEnabled;
+ [Write, Description("Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to _SQL Logins_.")] Boolean LoginPasswordPolicyEnforced;
 [Write, Description("Specifies if the login is disabled. Default value is `$false`.")] Boolean Disabled;
 [Write, Description("Specifies the default database name.")] String DefaultDatabase;
 };
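Review bot: The three reworded descriptions drop "Default value is `$true`" but do not say what omitting the property now means, which is the security-relevant part of this change. A configuration that relied on the implicit default no longer has password policy or expiration corrected on an existing login. The descriptions of `LoginPasswordExpirationEnabled` and `LoginPasswordPolicyEnforced` should say so, for example by appending `If not specified, the current value on an existing login is left unchanged.` What an omitted value means for a newly created login is not visible in this patch and should be documented once confirmed.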