diff --git a/CHANGELOG.md b/CHANGELOG.md index 784b899ee..f28d1167c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -36,6 +36,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Changed to the new GitHub deploy tasks that is required for the latest version of the Sampler module. +- SqlLogin + - `LoginMustChangePassword`, `LoginPasswordExpirationEnabled` and `LoginPasswordPolicyEnforced` + parameters no longer enforce default values [issue #1669](https://github.com/dsccommunity/SqlServerDsc/issues/1669). + ## [15.1.1] - 2021-02-12 ### Fixed diff --git a/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 b/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 index e57c7461a..8449b9b5b 100644 --- a/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 +++ b/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.psm1 @@ -163,15 +163,15 @@ function Set-TargetResource [Parameter()] [System.Boolean] - $LoginMustChangePassword = $true, + $LoginMustChangePassword, [Parameter()] [System.Boolean] - $LoginPasswordExpirationEnabled = $true, + $LoginPasswordExpirationEnabled, [Parameter()] [System.Boolean] - $LoginPasswordPolicyEnforced = $true, + $LoginPasswordPolicyEnforced, [Parameter()] [System.Boolean] 
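Review bot: With the `= $true` defaults removed in the Set-TargetResource parameter block, an omitted `[System.Boolean]` parameter now evaluates to `$false`, so every read of `$LoginMustChangePassword`, `$LoginPasswordExpirationEnabled` and `$LoginPasswordPolicyEnforced` needs a `$PSBoundParameters.ContainsKey()` guard, not only the existing-login branch this diff touches. The branch that creates a new login is outside the hunks shown; if it assigns these variables unconditionally, a configuration that omits them would create SQL logins with policy enforcement and expiration switched off. Please confirm that path and, if needed, guard it the same way, e.g. `if ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') ) { $login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced }`. The same concern applies to the Test-TargetResource parameter block in the `@@ -421,15 +428,15 @@` hunk; both parameter blocks continue outside their hunks.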
@@ -195,15 +195,15 @@ function Set-TargetResource if ( $login.LoginType -eq 'SqlLogin' ) { # There is no way to update 'MustChangePassword' on existing login so must explicitly throw exception to avoid this functionality being assumed - if ( $login.MustChangePassword -ne $LoginMustChangePassword ) + if ( $PSBoundParameters.ContainsKey('LoginMustChangePassword') -and $login.MustChangePassword -ne $LoginMustChangePassword ) { $errorMessage = $script:localizedData.MustChangePasswordCannotBeChanged New-InvalidOperationException -Message $errorMessage } # `PasswordPolicyEnforced and `PasswordExpirationEnabled` must be updated together (if one or both are not in the desired state) - if ( $login.PasswordPolicyEnforced -ne $LoginPasswordPolicyEnforced -or - $login.PasswordExpirationEnabled -ne $LoginPasswordExpirationEnabled ) + if ( ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') -and $login.PasswordPolicyEnforced -ne $LoginPasswordPolicyEnforced ) -or + ( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') -and $login.PasswordExpirationEnabled -ne $LoginPasswordExpirationEnabled ) ) { Write-Verbose -Message ( $script:localizedData.SetPasswordPolicyEnforced -f $LoginPasswordPolicyEnforced, $Name, $ServerName, $InstanceName @@ -212,8 +212,15 @@ function Set-TargetResource $script:localizedData.SetPasswordExpirationEnabled -f $LoginPasswordExpirationEnabled, $Name, $ServerName, $InstanceName ) - $login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced - $login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled + if ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') ) + { + $login.PasswordPolicyEnforced = $LoginPasswordPolicyEnforced + } + + if ( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') ) + { + $login.PasswordExpirationEnabled = $LoginPasswordExpirationEnabled + } Update-SQLServerLogin -Login $login } 
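Review bot: The two `Write-Verbose` calls inside the combined `if` still run whenever either property differs, so when only one parameter is bound the other message reports the unbound variable's `$false` as if it were being applied (the second call sits at the top of the following hunk). A log line announcing a password-policy change that is never made is misleading for anyone auditing the run. Each message would be better placed inside the matching `$PSBoundParameters.ContainsKey(...)` block, next to the assignment it describes.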
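Review bot: Assigning `PasswordPolicyEnforced` and `PasswordExpirationEnabled` independently can leave the login in a combination SQL Server rejects, since password expiration cannot remain enabled while policy checking is turned off. Binding only `LoginPasswordPolicyEnforced = $false` against a login that currently has expiration enabled would, as far as can be told from the hunk, surface as a server error from `Update-SQLServerLogin` rather than a clear message. Consider detecting that case before the update and raising a localized error through `New-InvalidOperationException`, as the `MustChangePassword` check does. The comment in the previous hunk stating that the two properties must be updated together should also be reworded to match the new behaviour. The enclosing `if` block starts in the previous hunk.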
@@ -421,15 +428,15 @@ function Test-TargetResource [Parameter()] [System.Boolean] - $LoginMustChangePassword = $true, + $LoginMustChangePassword, [Parameter()] [System.Boolean] - $LoginPasswordExpirationEnabled = $true, + $LoginPasswordExpirationEnabled, [Parameter()] [System.Boolean] - $LoginPasswordPolicyEnforced = $true, + $LoginPasswordPolicyEnforced, [Parameter()] [System.Boolean] @@ -504,7 +511,7 @@ function Test-TargetResource if ( $LoginType -eq 'SqlLogin' ) { - if ( $LoginPasswordExpirationEnabled -ne $loginInfo.LoginPasswordExpirationEnabled ) + if ( $PSBoundParameters.ContainsKey('LoginPasswordExpirationEnabled') -and $LoginPasswordExpirationEnabled -ne $loginInfo.LoginPasswordExpirationEnabled ) { if ($LoginPasswordExpirationEnabled) { @@ -522,7 +529,7 @@ function Test-TargetResource $testPassed = $false } - if ( $LoginPasswordPolicyEnforced -ne $loginInfo.LoginPasswordPolicyEnforced ) + if ( $PSBoundParameters.ContainsKey('LoginPasswordPolicyEnforced') -and $LoginPasswordPolicyEnforced -ne $loginInfo.LoginPasswordPolicyEnforced ) { if ($LoginPasswordPolicyEnforced) { diff --git a/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof b/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof index 5ed542970..8f3c01e23 100644 --- a/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof +++ b/source/DSCResources/DSC_SqlLogin/DSC_SqlLogin.schema.mof 
@@ -9,9 +9,9 @@ class DSC_SqlLogin : OMI_BaseResource Values{"WindowsUser","WindowsGroup","SqlLogin","Certificate","AsymmetricKey","ExternalUser","ExternalGroup"}] String LoginType; [Write, Description("The hostname of the _SQL Server_ to be configured. Default value is the current computer name.")] String ServerName; [Write, EmbeddedInstance("MSFT_Credential"), Description("Specifies the password as a `[PSCredential]` object. Only applies to _SQL Logins_.")] String LoginCredential; - [Write, Description("Specifies if the login is required to have its password change on the next login. Only applies to _SQL Logins_. Default value is `$true`. This cannot be updated on a pre-existing _SQL Login_ and any attempt to do this will throw an exception.")] Boolean LoginMustChangePassword; - [Write, Description("Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to _SQL Logins_. Default value is `$true`.")] Boolean LoginPasswordExpirationEnabled; - [Write, Description("Specifies if the login password is required to conform to the password policy specified in the system security policy. Only applies to _SQL Logins_. Default value is `$true`.")] Boolean LoginPasswordPolicyEnforced; + [Write, Description("Specifies if the login is required to have its password change on the next login. Only applies to _SQL Logins_. This cannot be updated on a pre-existing _SQL Login_ and any attempt to do this will throw an exception.")] Boolean LoginMustChangePassword; + [Write, Description("Specifies if the login password is required to expire in accordance to the operating system security policy. Only applies to _SQL Logins_.")] Boolean LoginPasswordExpirationEnabled; + [Write, Description("Specifies if the login password is required to conform to the password policy specified in the system security policy. 
Only applies to _SQL Logins_.")] Boolean LoginPasswordPolicyEnforced; [Write, Description("Specifies if the login is disabled. Default value is `$false`.")] Boolean Disabled; [Write, Description("Specifies the default database name.")] String DefaultDatabase; };
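Review bot: The three descriptions drop the "Default value is `$true`" sentence but do not say what happens when the property is omitted, which is the behaviour operators most need documented. Going by the Set/Test hunks, an omitted `LoginPasswordExpirationEnabled` or `LoginPasswordPolicyEnforced` is neither evaluated nor changed on an existing login, so each description could end with something like `If not specified, the current setting of an existing login is not evaluated or changed.` Configurations that relied on the former implicit `$true` will stop checking these settings after upgrading, so the text (and the changelog entry) should tell readers to set the properties explicitly if they want policy and expiration enforced.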