I play and experiment with SQL Server to the max. Sometimes I am not sure what I did and I land into something undesired. Then the reason to troubleshoot starts and I get to learn something new. Sometimes these learnings are based on error messages that you folks send me. Recently I faced below error while going to properties of an SA account in SQL Server Management Studio.
Here is the text of the error message.
Property IsLocked is not available for Login ‘[sa]’. This property may not exist for this object, or may not be retrievable due to insufficient access rights. (Microsoft.SqlServer.Smo)
It was clear that there is something wrong with SQL Login but interestingly it was NOT happening with all other SQL Login accounts. I have put profiler to find out what is happening in the background causing this error. I nailed it down to the problem that below query is returning NULL instead of 0 or 1.
SELECT LOGINPROPERTY('sa', 'IsLocked');
Now, it was interesting to find why its returning NULL. Here are some possible reasons of such behavior. Later I realized that it’s happening with only those SQL Logins which are having “Enforced Password policy” enabled. Here is the query to check such accounts.
WHERE is_policy_checked = 1
Quick solution for this would be to disable the password policy check for such account using T-SQL below.
ALTER LOGIN [sa] WITH CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
A few things to check if you run into such issue on a regular basis and don’t want to disable password policy.
- Check if SQL Service account (the account running SQL Service in services.msc) is locked out. To verify that try logging in to some machine using service account.
- Check if Password policy validation is failing due to some issue with domain controller connectivity.
If it’s the first issue, then you need to contact the domain administrator to unlock service account. For the second issue, you can check security ring buffers.
SELECT DATEADD(ms, dorf.[timestamp] - dosi.ms_ticks, GETDATE()) AS Date_Time
,CAST(record AS XML).value('(//SPID)', 'bigint') AS SPID
,CAST(record AS XML).value('(//ErrorCode)', 'varchar(255)') AS Error_Code
,CAST(record AS XML).value('(//CallingAPIName)', 'varchar(255)') AS CallingAPIName
,CAST(record AS XML).value('(//APIName)', 'varchar(255)') AS WindowsAPIName
FROM sys.dm_os_ring_buffers dorf
CROSS JOIN sys.dm_os_sys_info dosi
WHERE dorf.ring_buffer_type = 'RING_BUFFER_SECURITY_ERROR'
ORDER BY dorf.TIMESTAMP ASC
In my case it was a first issue, so unlocking account fixed the issue for me. Have you ever faced such an issue? What was the solution which worked for you? Let me know via your comments.
Reference: Pinal Dave (http://blog.sqlauthority.com)