LOGINPROPERTY – Getting to know your SQL Logins even more
Introduction
Yesterday we discovered the sys.sql_logins catalog view and saw that it returns additional information on SQL Logins that is not included in the sys.server_principals catalog view.
However, there is more information on SQL Logins available than that catalog view reveals. To get to that additional information, you can use the LOGINPROPERTY catalog function.
LOGINPROPERTY Example
For today's examples, we are going to use the same login we created yesterday:
[/sql]
The LOGINPROPERTY catalog function takes two parameters. The first one, login_name is the name of the SQL Login you want to check the properties on. The second one is the property_name and it specifies which property you are after.
Let us look at an example:
LOGINPROPERTY('ASqlLogin','IsLocked') AS IsLocked;
[/sql]
Those two properties let us know how many login attempts for this SQL Login have been recorded and if the account has been locked because of it. An example output is shown below:
There are in total thirteen properties that you can check with this catalog function. To make using that function a little easier, I created a table valued function that returns all properties for a given SQL Login name:
GO
CREATE FUNCTION dbo.login_properties(@login_name NVARCHAR(MAX))
RETURNS TABLE
AS
RETURN SELECT
LOGINPROPERTY(@login_name,'BadPasswordCount') AS [BadPasswordCount],
LOGINPROPERTY(@login_name,'BadPasswordTime') AS [BadPasswordTime],
LOGINPROPERTY(@login_name,'DaysUntilExpiration') AS [DaysUntilExpiration],
LOGINPROPERTY(@login_name,'DefaultDatabase') AS [DefaultDatabase],
LOGINPROPERTY(@login_name,'DefaultLanguage') AS [DefaultLanguage],
LOGINPROPERTY(@login_name,'HistoryLength') AS [HistoryLength],
LOGINPROPERTY(@login_name,'IsExpired') AS [IsExpired],
LOGINPROPERTY(@login_name,'IsLocked') AS [IsLocked],
LOGINPROPERTY(@login_name,'IsMustChange') AS [IsMustChange],
LOGINPROPERTY(@login_name,'LockoutTime') AS [LockoutTime],
LOGINPROPERTY(@login_name,'PasswordHash') AS [PasswordHash],
LOGINPROPERTY(@login_name,'PasswordLastSetTime') AS [PasswordLastSetTime],
LOGINPROPERTY(@login_name,'PasswordHashAlgorithm') AS [PasswordHashAlgorithm];
[/sql]
I usually place that function in the master database as the logins are stored there too, but it works in other databases too. An explanation for each of the properties you can find in BOL.
You can use the dbo.login_properties function for example by cross applying it to the sys.sql_logins catalog view like this:
FROM sys.sql_logins AS SL
CROSS APPLY dbo.login_properties(SL.name) AS LP;
[/sql]
Summary
The sys.sql_logins catalog view does not return all authentication related properties for a SQL Login. The LOGINPROPERTY catalog function closes that gap by providing an additional twelve properties. This article introduced the dbo.login_properties table valued function that returns all LOGINPROPERTY values for a given SQL Login.
Newsletter Sign Up
One Response to LOGINPROPERTY – Getting to know your SQL Logins even more
Leave a Reply
You must be logged in to post a comment.
We know how to keep a database secure. We’ll do the same for you.
From the sqlity.net blog
-
How to identify the SQL Server Service Account in T-SQL
-
How to Change a SQL Login’s Password
-
Hash Algorithms – How does SQL Server store Passwords?
-
B+Trees – How SQL Server Indexes are Stored on Disk
-
How to Re-Create a Login with only a Hashed Password
-
The Hidden SQL Server Gem: UPDATE from SELECT
-
A Join A Day – Nested Joins
-
Determine the Uptime of a SQL Server Instance
-
A Join A Day – The Left Anti Semi Join
-
Log Reuse Waits Explained: LOG_BACKUP
Pingback: How to Re-Create a Login with only a Hashed Password - sqlity.net