Author | Kirill Kravtsov (@nvarscar) |
Availability | Windows, Linux, macOS |
Creates a new SQL Server login
Creates a new SQL Server login with provided specifications
New-DbaLogin
[-SqlInstance] <DbaInstanceParameter[]>
[-SqlCredential <PSCredential>]
[[-Login] <String[]>]
[-InputObject <Object[]>]
[-LoginRenameHashtable <Hashtable>]
[[-SecurePassword] <SecureString>]
[-MapToCredential <String>]
[-Sid <Object>]
[-DefaultDatabase <String>]
[-Language <String>]
[-PasswordExpirationEnabled]
[-PasswordPolicyEnforced]
[-PasswordMustChange]
[-Disabled]
[-DenyWindowsLogin]
[-NewSid]
[-ExternalProvider]
[-Force]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-DbaLogin
[-SqlInstance] <DbaInstanceParameter[]>
[-SqlCredential <PSCredential>]
[-Login <String[]>]
[-InputObject <Object[]>]
[-LoginRenameHashtable <Hashtable>]
[-MapToAsymmetricKey <String>]
[-MapToCredential <String>]
[-Sid <Object>]
[-Disabled]
[-DenyWindowsLogin]
[-NewSid]
[-ExternalProvider]
[-Force]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-DbaLogin
[-SqlInstance] <DbaInstanceParameter[]>
[-SqlCredential <PSCredential>]
[-Login <String[]>]
[-InputObject <Object[]>]
[-LoginRenameHashtable <Hashtable>]
[-MapToCertificate <String>]
[-MapToCredential <String>]
[-Sid <Object>]
[-Disabled]
[-DenyWindowsLogin]
[-NewSid]
[-ExternalProvider]
[-Force]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
New-DbaLogin
[-SqlInstance] <DbaInstanceParameter[]>
[-SqlCredential <PSCredential>]
[-Login <String[]>]
[-InputObject <Object[]>]
[-LoginRenameHashtable <Hashtable>]
[-HashedPassword <String>]
[-MapToCredential <String>]
[-Sid <Object>]
[-DefaultDatabase <String>]
[-Language <String>]
[-PasswordExpirationEnabled]
[-PasswordPolicyEnforced]
[-Disabled]
[-DenyWindowsLogin]
[-NewSid]
[-ExternalProvider]
[-Force]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
PS C:\> New-DbaLogin -SqlInstance Server1,Server2 -Login Newlogin
You will be prompted to securely enter the password for a login [Newlogin]. The login would be created on servers Server1 and Server2 with default parameters.
PS C:\> $securePassword = Read-Host "Input password" -AsSecureString
PS C:\> New-DbaLogin -SqlInstance Server1\sql1 -Login Newlogin -SecurePassword $securePassword -PasswordPolicyEnforced -PasswordExpirationEnabled
Creates a login on Server1\sql1 with a predefined password. The login will have password and expiration policies enforced.
PS C:\> Get-DbaLogin -SqlInstance sql1 -Login Oldlogin | New-DbaLogin -SqlInstance sql1 -LoginRenameHashtable @{Oldlogin = 'Newlogin'} -Force -NewSid -Disabled:$false
Copies a login [Oldlogin] to the same instance sql1 with the same parameters (including password). The new login will have a new sid, a new name [Newlogin] and will not be disabled. Any existing login [Newlogin] will be removed prior to creation.
PS C:\> Get-DbaLogin -SqlInstance sql1 -Login Login1,Login2 | New-DbaLogin -SqlInstance sql2 -PasswordPolicyEnforced -PasswordExpirationEnabled -DefaultDatabase tempdb -Disabled
Copies logins [Login1] and [Login2] from instance sql1 to instance sql2, but enforces password and expiration policies for the new logins. New logins will also have a default database set to [tempdb] and will be created in a disabled state.
PS C:\> New-DbaLogin -SqlInstance sql1 -Login domain\user
Creates a new Windows Authentication backed login on sql1. The login will be part of the public server role.
PS C:\> New-DbaLogin -SqlInstance sql1 -Login domain\user1, domain\user2 -DenyWindowsLogin
Creates two new Windows Authentication backed logins on sql1. The logins would be denied from logging in.
PS C:\> New-DbaLogin -SqlInstance sql1 -Login "claudio@********.onmicrosoft.com" -ExternalProvider
Creates a new login named 'claudio@********.onmicrosoft.com' mapped to Azure Active Directory (AAD).
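An added example, not part of the dbatools documentation: provisioning one SQL login on several instances with the password-policy switches documented on this page, using -WhatIf as a dry run and -EnableException so that a failure stops the script. The instance names, login name and default database are placeholders.

```powershell
# Added example (not from the dbatools docs). Instance names, login name and
# default database below are placeholders.
$instances = 'Server1', 'Server2\sql1'
$loginName = 'app_reader'

# Prompt for the initial password so it never appears in script text or history.
$securePassword = Read-Host "Initial password for [$loginName]" -AsSecureString

$params = @{
    Login              = $loginName
    SecurePassword     = $securePassword
    DefaultDatabase    = 'tempdb'
    PasswordMustChange = $true   # per this page, also enforces policy and expiration
    Disabled           = $true   # create disabled; enable once permissions are reviewed
    EnableException    = $true   # throw instead of warning so try/catch works
}

# Dry run: report what would be created without changing anything.
foreach ($instance in $instances) {
    New-DbaLogin -SqlInstance $instance @params -WhatIf
}

# Real run: stop at the first failure instead of continuing with the remaining instances.
$created = @()
try {
    foreach ($instance in $instances) {
        $created += New-DbaLogin -SqlInstance $instance @params
    }
}
catch {
    Write-Warning "Login creation failed: $($_.Exception.Message)"
    Write-Warning "Created before failure: $($created.Count) of $($instances.Count)"
    throw
}

# Verify the resulting state and policy flags on every instance.
Get-DbaLogin -SqlInstance $instances -Login $loginName |
    Select-Object SqlInstance, Name, IsDisabled, PasswordPolicyEnforced, PasswordExpirationEnabled
```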
The target SQL Server(s)
Alias | |
Required | True |
Pipeline | false |
Default Value |
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
The Login name(s)
Alias | Name,LoginName |
Required | False |
Pipeline | false |
Default Value |
Takes the parameters required from a Login object that has been piped into the command
Alias | |
Required | False |
Pipeline | true (ByValue) |
Default Value |
Pass a hash table into this parameter to change login names when piping objects into the command. Keys are the existing login names and values are the new names, e.g. @{Oldlogin = 'Newlogin'}
Alias | Rename |
Required | False |
Pipeline | false |
Default Value |
Secure string used to authenticate the Login
Alias | Password |
Required | False |
Pipeline | false |
Default Value |
Hashed password string used to authenticate the Login
Alias | Hash,PasswordHash |
Required | False |
Pipeline | false |
Default Value |
Map the login to a certificate
Alias | |
Required | False |
Pipeline | false |
Default Value |
Map the login to an asymmetric key
Alias | |
Required | False |
Pipeline | false |
Default Value |
Map the login to a credential
Alias | |
Required | False |
Pipeline | false |
Default Value |
Provide an explicit Sid that should be used when creating the account. Can be [byte[]] or hex [string] ('0xFFFF...')
Alias | |
Required | False |
Pipeline | false |
Default Value |
Default database for the login
Alias | DefaultDB |
Required | False |
Pipeline | false |
Default Value |
Login's default language
Alias | |
Required | False |
Pipeline | false |
Default Value |
Enforces password expiration policy. Requires PasswordPolicyEnforced to be enabled. Can be $true or $false (default)
Alias | Expiration,CheckExpiration |
Required | False |
Pipeline | false |
Default Value | False |
Enforces password complexity policy. Can be $true or $false (default)
Alias | Policy,CheckPolicy |
Required | False |
Pipeline | false |
Default Value | False |
Enforces that the user must change the password at next login.
When specified, also enforces PasswordExpirationEnabled and PasswordPolicyEnforced, as both are required for the must-change setting.
Alias | MustChange |
Required | False |
Pipeline | false |
Default Value | False |
Create the login in a disabled state
Alias | Disable |
Required | False |
Pipeline | false |
Default Value | False |
Create the login and deny Windows login ability
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
Ignore sids from the piped login object to generate new sids on the server. Useful when copying a login onto the same server
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
Specifies that the login is for Azure AD Authentication.
Equivalent to T-SQL: 'CREATE LOGIN [claudio@********.onmicrosoft.com] FROM EXTERNAL PROVIDER'
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
If login exists, drop and recreate
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
Shows what would happen if the command were to run. No actions are actually performed
Alias | wi |
Required | False |
Pipeline | false |
Default Value |
Prompts you for confirmation before executing any changing operations within the command
Alias | cf |
Required | False |
Pipeline | false |
Default Value |