An account password policy manages password settings at the Windows host level. ApsaraDB RDS for SQL Server allows you to configure account password policies through the console or API to manage password validity periods precisely and enhance security. By default, user account passwords never expire. You can configure a password policy and manually apply it to user accounts. Host account passwords are valid for only 42 days by default. Password expiration will cause logon failures. We recommend that you configure a password policy in advance. The policy will be automatically applied to host accounts without manual configuration.
Prerequisites
The RDS instance meets the following requirements:
The RDS instance uses a general-purpose or dedicated instance type. Shared instance types are not supported. For more information, see Instance families.
The RDS instance uses the subscription or pay-as-you-go billing method. Serverless RDS instances are not supported. For more information, see Serverless ApsaraDB RDS for SQL Server instances.
The RDS instance does not run SQL Server 2008 R2.
Usage notes
When you create an account and apply the password policy that you configured for the account, the password cannot contain the username of the account. For example, if the username is Test240903, you cannot set the password to Test240903abc.
Step 1: Configure a password policy
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane of the page that appears, click Accounts.
On the page that appears, click Account Password Policy. In the dialog box that appears, configure the parameters, select a policy, and then click OK.
You can configure one or both of the Maximum password age usage time and Minimum password usage time parameters.
Parameter
Description
Valid value (Unit: days)
Maximum password usage time
The period of time that a password can be used before the password must be changed.
0 to 999
Minimum password usage time
The period of time that a password must be used before the password can be changed.
NoteThe value of this parameter cannot be greater than the value of the Maximum password usage time parameter.
0 to 998
Example 1: Configure only the maximum password age
If you want the maximum password age to be 60 days, after which the password will expire and need to be changed promptly, you can set the Maximum Password Usage Time parameter to 60 days.
Example 2: Configure only the minimum password age
If you want the minimum password age to be 30 days, during which the password cannot be changed, you can set the Minimum Password Usage Time parameter to 30 days.
Example 3: Configure both the maximum and minimum password age
If you want to reset a password every 90 days and use a password for at least 30 days after password change, you can set the Maximum Password Usage Time parameter to 90 days and the Minimum Password Usage Time parameter to 30 days.
Step 2: Apply the password policy to user accounts
For user accounts, you need to manually apply the password policy. The password policy is automatically applied to host accounts without manual configuration.
Apply the password policy when creating a user account
On the page, apply the password policy when you create a privileged account or a standard account or create a system admin account.
Apply the password policy to existing user accounts
On the page, apply the password policy to existing accounts.
Related operations
You can call an API operation to configure a password policy for an account of an ApsaraDB RDS for SQL Server instance. For more information, see ModifyAccountSecurityPolicy.
You can call an API operation to modify the password policy for an account of an ApsaraDB RDS for SQL Server instance. For more information, see ModifyAccountCheckPolicy.
You can call an API operation to create an account for an ApsaraDB RDS for SQL Server instance and apply a password policy to the account. For more information, see CreateAccount.