ApsaraDB RDS: Configure a password policy for an account

Last Updated: Jun 20, 2025

An account password policy manages password settings at the Windows host level. ApsaraDB RDS for SQL Server allows you to configure account password policies in the console or by calling an API operation, so that you can manage password validity periods precisely and enhance security.

By default, user account passwords never expire. You can configure a password policy and manually apply it to user accounts. Host account passwords are valid for only 42 days by default, and an expired password causes logon failures. We recommend that you configure a password policy in advance. The policy is automatically applied to host accounts without manual configuration.

Prerequisites

The RDS instance meets the following requirements:

  • The RDS instance uses a general-purpose or dedicated instance type. Shared instance types are not supported. For more information, see Instance families.

  • The RDS instance uses the subscription or pay-as-you-go billing method. Serverless RDS instances are not supported. For more information, see Serverless ApsaraDB RDS for SQL Server instances.

  • The RDS instance does not run SQL Server 2008 R2.

Usage notes

When you create an account and apply the password policy that you configured for the account, the password cannot contain the username of the account. For example, if the username is Test240903, you cannot set the password to Test240903abc.

Step 1: Configure a password policy

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane of the page that appears, click Accounts.

  3. On the page that appears, click Account Password Policy. In the dialog box that appears, configure the parameters, select a policy, and then click OK.

    You can configure one or both of the Maximum password usage time and Minimum password usage time parameters.

    | Parameter | Description | Valid value (Unit: days) |
    | --- | --- | --- |
    | Maximum password usage time | The period of time that a password can be used before the password must be changed. | 0 to 999 |
    | Minimum password usage time | The period of time that a password must be used before the password can be changed. Note: The value of this parameter cannot be greater than the value of the Maximum password usage time parameter. | 0 to 998 |

    Example 1: Configure only the maximum password age

    To have a password expire 60 days after it is set, after which it must be changed promptly, set the Maximum password usage time parameter to 60 days.

    Example 2: Configure only the minimum password age

    To prevent a password from being changed for 30 days after it is set, set the Minimum password usage time parameter to 30 days.

    Example 3: Configure both the maximum and minimum password age

    To require a password reset every 90 days and require each password to be used for at least 30 days after it is changed, set the Maximum password usage time parameter to 90 days and the Minimum password usage time parameter to 30 days.
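
A pre-flight check for the settings in this step, added here as an example that is not part of the original page or Alibaba Cloud's code: it validates a policy against the documented ranges and the username rule from the usage notes, then lists accounts whose passwords are about to expire. The function names, the 14-day warning window, and the account inventory are assumptions, and the code does not call the RDS API.

```python
from datetime import date, timedelta

MAX_AGE_RANGE = range(0, 1000)   # Maximum password usage time: 0 to 999 days
MIN_AGE_RANGE = range(0, 999)    # Minimum password usage time: 0 to 998 days
HOST_DEFAULT_MAX_AGE = 42        # default validity of host account passwords

def validate_policy(max_age=None, min_age=None):
    """Return a list of problems; None means the parameter is not configured."""
    problems = []
    if max_age is not None and max_age not in MAX_AGE_RANGE:
        problems.append("maximum usage time must be 0 to 999 days")
    if min_age is not None and min_age not in MIN_AGE_RANGE:
        problems.append("minimum usage time must be 0 to 998 days")
    if max_age is not None and min_age is not None and min_age > max_age:
        problems.append("minimum usage time is greater than maximum usage time")
    return problems

def password_allowed(username, password):
    """Usage-notes rule: the password cannot contain the username.
    Assumption: compared case-insensitively, stricter than the page states."""
    return username.lower() not in password.lower()

def change_window(last_set, max_age=None, min_age=None):
    """Return (earliest_change, expires). Assumption: an unset or 0 value
    means no limit, as in the Windows password policy of the same name."""
    earliest = last_set + timedelta(days=min_age or 0)
    expires = last_set + timedelta(days=max_age) if max_age else None
    return earliest, expires

def expiring_soon(accounts, today, max_age, warn_days=14):
    """Names of accounts whose password expires within warn_days of today
    (already expired ones included), soonest first."""
    due = []
    for name, last_set in accounts.items():
        _, expires = change_window(last_set, max_age)
        if expires is not None and (expires - today).days <= warn_days:
            due.append((expires, name))
    return [name for _, name in sorted(due)]

if __name__ == "__main__":
    # Constructed inventory: account name -> date the password was last set.
    accounts = {"app_rw": date(2025, 3, 1), "report_ro": date(2025, 5, 20)}
    print(validate_policy(max_age=90, min_age=30))
    print(change_window(date(2025, 3, 1), max_age=90, min_age=30))
    print(expiring_soon(accounts, date(2025, 5, 25), max_age=90))
```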

Step 2: Apply the password policy to user accounts

For user accounts, you need to manually apply the password policy. The password policy is automatically applied to host accounts without manual configuration.

Apply the password policy when creating a user account

On the Accounts > User Account page, apply the password policy when you create a privileged account, a standard account, or a system admin account.

Apply the password policy to existing user accounts

On the Accounts > User Account page, apply the password policy to existing accounts.

Related operations

  • You can call an API operation to configure a password policy for an account of an ApsaraDB RDS for SQL Server instance. For more information, see ModifyAccountSecurityPolicy.

  • You can call an API operation to modify the password policy for an account of an ApsaraDB RDS for SQL Server instance. For more information, see ModifyAccountCheckPolicy.

  • You can call an API operation to create an account for an ApsaraDB RDS for SQL Server instance and apply a password policy to the account. For more information, see CreateAccount.