Reset-DbaAdmin


Author	Chrissy LeMaire (@cl), netnerds.net
Availability	Windows, Linux, macOS

Want to see the source code for this command? Check out Reset-DbaAdmin on GitHub.
Want to see the Bill Of Health for this command? Check out Reset-DbaAdmin.

Synopsis

This function allows administrators to regain access to SQL Servers in the event that passwords or access was lost.

Supports SQL Server 2005 and above. Windows administrator access is required.

Description

This function allows administrators to regain access to local or remote SQL Servers by either resetting the sa password, adding the sysadmin role to existing login, or adding a new login (SQL or Windows) and granting it sysadmin privileges.

This is accomplished by stopping the SQL services or SQL Clustered Resource Group, then restarting SQL via the command-line using the /mReset-DbaAdmin parameter which starts the server in Single-User mode and only allows this script to connect.

Once the service is restarted, the following tasks are performed:

Login is added if it doesn't exist
If login is a Windows User, an attempt is made to ensure it exists
If login is a SQL Login, password policy will be set to OFF when creating the login, and SQL Server authentication will be set to Mixed Mode.
Login will be enabled and unlocked
Login will be added to sysadmin role

If failures occur at any point, a best attempt is made to restart the SQL Server.

In order to make this script as portable as possible, Microsoft.Data.SqlClient and Get-WmiObject are used (as opposed to requiring the Failover Cluster Admin tools or SMO).

If using this function against a remote SQL Server, ensure WinRM is configured and accessible. If this is not possible, run the script locally.

Tested on Windows XP, 7, 8.1, Server 2012 and Windows Server Technical Preview 2.
Tested on SQL Server 2005 SP4 through 2016 CTP2.

Syntax

Reset-DbaAdmin
    [-SqlInstance] <DbaInstanceParameter>
    [[-SqlCredential] <PSCredential>]
    [[-Login] <String>]
    [[-SecurePassword] <SecureString>]
    [-Force]
    [-EnableException]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Examples

Example: 1

PS C:\> Reset-DbaAdmin -SqlInstance sqlcluster -SqlCredential sqladmin

Prompts for password, then resets the "sqladmin" account password on sqlcluster.

Example: 2

PS C:\> Reset-DbaAdmin -SqlInstance sqlserver\sqlexpress -Login ad\administrator -Confirm:$false

Adds the domain account "ad\administrator" as a sysadmin to the SQL instance.
If the account already exists, it will be added to the sysadmin role.
Does not prompt for a password since it is not a SQL login. Does not prompt for confirmation since -Confirm is set to $false.

Example: 3

PS C:\> Reset-DbaAdmin -SqlInstance sqlserver\sqlexpress -Login sqladmin -Force

Skips restart confirmation, prompts for password, then adds a SQL Login "sqladmin" with sysadmin privileges.
If the account already exists, it will be added to the sysadmin role and the password will be reset.

Required Parameters

-SqlInstance

The target SQL Server instance or instances. SQL Server must be 2005 and above, and can be a clustered or stand-alone instance.


Alias
Required	True
Pipeline	false
Default Value

Optional Parameters

-SqlCredential

Instead of using Login and SecurePassword, you can just pass in a credential object.


Alias
Required	False
Pipeline	false
Default Value

By default, the Login parameter is "sa" but any other SQL or Windows account can be specified. If a login does not currently exist, it will be added.
When adding a Windows login to remote servers, ensure the SQL Server can add the login (ie, don't add WORKSTATION\Admin to remoteserver\instance. Domain users and Groups are valid input.


Alias
Required	False
Pipeline	false
Default Value	sa

-SecurePassword

By default, if a SQL Login is detected, you will be prompted for a password. Use this to securely bypass the prompt.


Alias
Required	False
Pipeline	false
Default Value

-Force

If this switch is enabled, the Login(s) will be dropped and recreated on Destination. Logins that own Agent jobs cannot be dropped at this time.


Alias
Required	False
Pipeline	false
Default Value	False

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.


Alias
Required	False
Pipeline	false
Default Value	False

-WhatIf

If this switch is enabled, no actions are performed but informational messages will be displayed that explain what would happen if the command were to run.


Alias	wi
Required	False
Pipeline	false
Default Value

-Confirm

If this switch is enabled, you will be prompted for confirmation before executing any operations that change state.


Alias	cf
Required	False
Pipeline	false
Default Value