New-DbaLogin
NAME
New-DbaLogin
SYNOPSIS
Creates a new SQL Server login
SYNTAX
New-DbaLogin [-SqlInstance] <Sqlcollaborative.Dbatools.Parameter.DbaInstanceParameter[]> [-SqlCredential
<Pscredential>] [[-Login] <System.String[]>] [-InputObject <System.Object[]>] [-LoginRenameHashtable <Hashtable>]
[[-SecurePassword] <Securestring>] [-MapToCredential <String>] [-Sid <System.Object>] [-DefaultDatabase <String>]
[-Language <String>] [-PasswordExpirationEnabled <Switch>] [-PasswordPolicyEnforced <Switch>] [-Disabled <Switch>]
[-NewSid <Switch>] [-Force <Switch>] [-EnableException <Switch>] [<CommonParameters>]
New-DbaLogin [-SqlInstance] <Sqlcollaborative.Dbatools.Parameter.DbaInstanceParameter[]> [-SqlCredential
<Pscredential>] [-Login <System.String[]>] [-InputObject <System.Object[]>] [-LoginRenameHashtable <Hashtable>]
[-MapToAsymmetricKey <String>] [-MapToCredential <String>] [-Sid <System.Object>] [-Disabled <Switch>] [-NewSid
<Switch>] [-Force <Switch>] [-EnableException <Switch>] [<CommonParameters>]
New-DbaLogin [-SqlInstance] <Sqlcollaborative.Dbatools.Parameter.DbaInstanceParameter[]> [-SqlCredential
<Pscredential>] [-Login <System.String[]>] [-InputObject <System.Object[]>] [-LoginRenameHashtable <Hashtable>]
[-MapToCertificate <String>] [-MapToCredential <String>] [-Sid <System.Object>] [-Disabled <Switch>] [-NewSid
<Switch>] [-Force <Switch>] [-EnableException <Switch>] [<CommonParameters>]
New-DbaLogin [-SqlInstance] <Sqlcollaborative.Dbatools.Parameter.DbaInstanceParameter[]> [-SqlCredential
<Pscredential>] [-Login <System.String[]>] [-InputObject <System.Object[]>] [-LoginRenameHashtable <Hashtable>]
[-HashedPassword <String>] [-MapToCredential <String>] [-Sid <System.Object>] [-DefaultDatabase <String>]
[-Language <String>] [-PasswordExpirationEnabled <Switch>] [-PasswordPolicyEnforced <Switch>] [-Disabled <Switch>]
[-NewSid <Switch>] [-Force <Switch>] [-EnableException <Switch>] [<CommonParameters>]
DESCRIPTION
Creates a new SQL Server login with provided specifications
PARAMETERS
-DefaultDatabase [<String>]
Default database for the login
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Disabled [<Switch>]
Create the login in a disabled state
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-EnableException [<Switch>]
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables
advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own
try/catch.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Force [<Switch>]
If login exists, drop and recreate
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-HashedPassword [<String>]
Hashed password string used to authenticate the Login
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-InputObject [<System.Object[]>]
Takes the parameters required from a Login object that has been piped into the command
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Language [<String>]
Login's default language
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Login [<System.String[]>]
The Login name(s)
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-LoginRenameHashtable [<Hashtable>]
Pass a hash table into this parameter to change login names when piping objects into the procedure
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-MapToAsymmetricKey [<String>]
Map the login to an asymmetric key
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-MapToCertificate [<String>]
Map the login to a certificate
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-MapToCredential [<String>]
Map the login to a credential
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-NewSid [<Switch>]
Ignore SIDs from the piped login object and generate new SIDs on the server. Useful when copying a login onto the
same server
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-PasswordExpirationEnabled [<Switch>]
Enforces password expiration policy. Requires PasswordPolicyEnforced to be enabled. Can be $true or
$false (default)
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-PasswordPolicyEnforced [<Switch>]
Enforces password complexity policy. Can be $true or $false (default)
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-SecurePassword [<Securestring>]
Secure string used to authenticate the Login
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Sid [<System.Object>]
Provide an explicit Sid that should be used when creating the account. Can be [byte[]] or hex [string]
('0xFFFF...')
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-SqlCredential [<Pscredential>]
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory -
Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-SqlInstance [<Sqlcollaborative.Dbatools.Parameter.DbaInstanceParameter[]>]
The target SQL Server(s)
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
NOTES
Tags: Login, Security
Author: Kirill Kravtsov (@nvarscar)
Website: https://dbatools.io
Copyright: (c) 2018 by dbatools, licensed under MIT
License: MIT https://opensource.org/licenses/MIT
-------------------------- EXAMPLE 1 --------------------------
PS C:\>New-DbaLogin -SqlInstance Server1,Server2 -Login Newlogin
You will be prompted to securely enter the password for a login [Newlogin]. The login will be created on servers
Server1 and Server2 with default parameters.
-------------------------- EXAMPLE 2 --------------------------
PS C:\>$securePassword = Read-Host "Input password" -AsSecureString
PS C:\>New-DbaLogin -SqlInstance Server1\sql1 -Login Newlogin -SecurePassword $securePassword -PasswordPolicyEnforced -PasswordExpirationEnabled
Creates a login on Server1\sql1 with a predefined password. The login will have password and expiration policies
enforced onto it.
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Get-DbaLogin -SqlInstance sql1 -Login Oldlogin | New-DbaLogin -SqlInstance sql1 -LoginRenameHashtable @{Oldlogin = 'Newlogin'} -Force -NewSid -Disabled:$false
Copies a login [Oldlogin] to the same instance sql1 with the same parameters (including password). New login will
have a new sid, a new name [Newlogin] and will not be disabled. Existing login [Newlogin] will be removed prior to
creation.
-------------------------- EXAMPLE 4 --------------------------
PS C:\>Get-DbaLogin -SqlInstance sql1 -Login Login1,Login2 | New-DbaLogin -SqlInstance sql2 -PasswordPolicyEnforced -PasswordExpirationEnabled -DefaultDatabase tempdb -Disabled
Copies logins [Login1] and [Login2] from instance sql1 to instance sql2, but enforces password and expiration
policies for the new logins. New logins will also have a default database set to [tempdb] and will be created in a
disabled state.
-------------------------- EXAMPLE 5 --------------------------
PS C:\>New-DbaLogin -SqlInstance sql1 -Login domain\user
Creates a new Windows Authentication backed login on sql1. The login will be part of the public server role.
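An added example, not part of the dbatools help text: it combines -EnableException with the -Disabled, -PasswordPolicyEnforced and -PasswordExpirationEnabled switches described above, handles a failure in its own try/catch, and reads the login back with Get-DbaLogin. The instance, login and database names are placeholders, and the properties checked at the end are SMO Login properties assumed to be present on the object Get-DbaLogin returns.

```powershell
# Added example; instance, login and database names below are placeholders.
$instance  = 'sql1'
$loginName = 'svc_report'

# Prompt for the password so it never appears in the script or command history.
$securePassword = Read-Host "Password for [$loginName]" -AsSecureString

# -Force is deliberately left out: per the help text it drops and recreates
# an existing login, which is not wanted when provisioning a new account.
$params = @{
    SqlInstance               = $instance
    Login                     = $loginName
    SecurePassword            = $securePassword
    DefaultDatabase           = 'tempdb'
    PasswordPolicyEnforced    = $true
    PasswordExpirationEnabled = $true   # requires PasswordPolicyEnforced
    Disabled                  = $true   # unusable until someone enables it
    EnableException           = $true   # throw instead of a friendly warning
}

try {
    New-DbaLogin @params | Out-Null
} catch {
    # With -EnableException the failure arrives here as a terminating error.
    Write-Error "Login [$loginName] was not created on ${instance}: $($_.Exception.Message)"
    return
}

# Read the login back and confirm that the requested settings took effect.
# Assumption: Get-DbaLogin returns an object exposing these SMO Login properties.
$created  = Get-DbaLogin -SqlInstance $instance -Login $loginName
$problems = @()
if (-not $created.PasswordPolicyEnforced)    { $problems += 'password policy not enforced' }
if (-not $created.PasswordExpirationEnabled) { $problems += 'password expiration not enabled' }
if (-not $created.IsDisabled)                { $problems += 'login is enabled' }

if ($problems) {
    Write-Warning "[$loginName] on ${instance}: $($problems -join '; ')"
} else {
    "[$loginName] created on $instance, disabled, with policy and expiration enforced."
}
```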
RELATED LINKS
https://dbatools.io/New-DbaLogin