< Back
Reset-DbaAdmin
Post
NAME Reset-DbaAdmin
SYNOPSIS
This function allows administrators to regain access to SQL Servers in the event that passwords or access was lost.
Supports SQL Server 2005 and above. Windows administrator access is required.
SYNTAX
Reset-DbaAdmin [-SqlInstance] <DbaInstanceParameter> [[-SqlCredential] <Pscredential>] [[-Login] <String>]
[[-SecurePassword] <Securestring>] [-Force <Switch>] [-EnableException <Switch>] [<CommonParameters>]
DESCRIPTION
This function allows administrators to regain access to local or remote SQL Servers by either resetting the sa
password, adding the sysadmin role to existing login, or adding a new login (SQL or Windows) and granting it
sysadmin privileges.
This is accomplished by stopping the SQL services or SQL Clustered Resource Group, then restarting SQL via the
command-line using the /mReset-DbaAdmin parameter which starts the server in Single-User mode and only allows this
script to connect.
Once the service is restarted, the following tasks are performed:
- Login is added if it doesn't exist
- If login is a Windows User, an attempt is made to ensure it exists
- If login is a SQL Login, password policy will be set to OFF when creating the login, and SQL Server
authentication will be set to Mixed Mode.
- Login will be enabled and unlocked
- Login will be added to sysadmin role
If failures occur at any point, a best attempt is made to restart the SQL Server.
In order to make this script as portable as possible, System.Data.SqlClient and Get-WmiObject are used (as opposed
to requiring the Failover Cluster Admin tools or SMO).
If using this function against a remote SQL Server, ensure WinRM is configured and accessible. If this is not
possible, run the script locally.
Tested on Windows XP, 7, 8.1, Server 2012 and Windows Server Technical Preview 2.
Tested on SQL Server 2005 SP4 through 2016 CTP2.
PARAMETERS
-EnableException [<Switch>]
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables
advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own
try/catch.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Force [<Switch>]
If this switch is enabled, the Login(s) will be dropped and recreated on Destination. Logins that own Agent
jobs cannot be dropped at this time.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Login [<String>]
By default, the Login parameter is "sa" but any other SQL or Windows account can be specified. If a login does
not currently exist, it will be added.
When adding a Windows login to remote servers, ensure the SQL Server can add the login (ie, don't add
WORKSTATION\\Admin to remoteserver\\instance. Domain users and Groups are valid input.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-SecurePassword [<Securestring>]
By default, if a SQL Login is detected, you will be prompted for a password. Use this to securely bypass the
prompt.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-SqlCredential [<Pscredential>]
Instead of using Login and SecurePassword, you can just pass in a credential object.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-SqlInstance [<DbaInstanceParameter>]
The target SQL Server instance or instances. SQL Server must be 2005 and above, and can be a clustered or
stand-alone instance.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
NOTES
Tags: WSMan
Author: Chrissy LeMaire (@cl), netnerds.net
Website: https://dbatools.io
Copyright: (c) 2018 by dbatools, licensed under MIT
License: MIT https://opensource.org/licenses/MIT
Requires: Admin access to server (not SQL Services),
Remoting must be enabled and accessible if $instance is not local
-------------------------- EXAMPLE 1 --------------------------
PS C:\\>Reset-DbaAdmin -SqlInstance sqlcluster -SqlCredential sqladmin
Prompts for password, then resets the "sqladmin" account password on sqlcluster.
-------------------------- EXAMPLE 2 --------------------------
PS C:\\>Reset-DbaAdmin -SqlInstance sqlserver\\sqlexpress -Login ad\\administrator -Confirm:$false
Adds the domain account "ad\\administrator" as a sysadmin to the SQL instance.
If the account already exists, it will be added to the sysadmin role.
Does not prompt for a password since it is not a SQL login. Does not prompt for confirmation since -Confirm is set
to $false.
-------------------------- EXAMPLE 3 --------------------------
PS C:\\>Reset-DbaAdmin -SqlInstance sqlserver\\sqlexpress -Login sqladmin -Force
Skips restart confirmation, prompts for password, then adds a SQL Login "sqladmin" with sysadmin privileges.
If the account already exists, it will be added to the sysadmin role and the password will be reset.
RELATED LINKS
https://dbatools.io/Reset-DbaAdmin
SYNOPSIS
This function allows administrators to regain access to SQL Servers in the event that passwords or access was lost.
Supports SQL Server 2005 and above. Windows administrator access is required.
SYNTAX
Reset-DbaAdmin [-SqlInstance] <DbaInstanceParameter> [[-SqlCredential] <Pscredential>] [[-Login] <String>]
[[-SecurePassword] <Securestring>] [-Force <Switch>] [-EnableException <Switch>] [<CommonParameters>]
DESCRIPTION
This function allows administrators to regain access to local or remote SQL Servers by either resetting the sa
password, adding the sysadmin role to existing login, or adding a new login (SQL or Windows) and granting it
sysadmin privileges.
This is accomplished by stopping the SQL services or SQL Clustered Resource Group, then restarting SQL via the
command-line using the /mReset-DbaAdmin parameter which starts the server in Single-User mode and only allows this
script to connect.
Once the service is restarted, the following tasks are performed:
- Login is added if it doesn't exist
- If login is a Windows User, an attempt is made to ensure it exists
- If login is a SQL Login, password policy will be set to OFF when creating the login, and SQL Server
authentication will be set to Mixed Mode.
- Login will be enabled and unlocked
- Login will be added to sysadmin role
If failures occur at any point, a best attempt is made to restart the SQL Server.
In order to make this script as portable as possible, System.Data.SqlClient and Get-WmiObject are used (as opposed
to requiring the Failover Cluster Admin tools or SMO).
If using this function against a remote SQL Server, ensure WinRM is configured and accessible. If this is not
possible, run the script locally.
Tested on Windows XP, 7, 8.1, Server 2012 and Windows Server Technical Preview 2.
Tested on SQL Server 2005 SP4 through 2016 CTP2.
PARAMETERS
-EnableException [<Switch>]
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables
advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own
try/catch.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Force [<Switch>]
If this switch is enabled, the Login(s) will be dropped and recreated on Destination. Logins that own Agent
jobs cannot be dropped at this time.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-Login [<String>]
By default, the Login parameter is "sa" but any other SQL or Windows account can be specified. If a login does
not currently exist, it will be added.
When adding a Windows login to remote servers, ensure the SQL Server can add the login (ie, don't add
WORKSTATION\\Admin to remoteserver\\instance. Domain users and Groups are valid input.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-SecurePassword [<Securestring>]
By default, if a SQL Login is detected, you will be prompted for a password. Use this to securely bypass the
prompt.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-SqlCredential [<Pscredential>]
Instead of using Login and SecurePassword, you can just pass in a credential object.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
-SqlInstance [<DbaInstanceParameter>]
The target SQL Server instance or instances. SQL Server must be 2005 and above, and can be a clustered or
stand-alone instance.
Required? false
Position? named
Default value
Accept pipeline input? False
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
NOTES
Tags: WSMan
Author: Chrissy LeMaire (@cl), netnerds.net
Website: https://dbatools.io
Copyright: (c) 2018 by dbatools, licensed under MIT
License: MIT https://opensource.org/licenses/MIT
Requires: Admin access to server (not SQL Services),
Remoting must be enabled and accessible if $instance is not local
-------------------------- EXAMPLE 1 --------------------------
PS C:\\>Reset-DbaAdmin -SqlInstance sqlcluster -SqlCredential sqladmin
Prompts for password, then resets the "sqladmin" account password on sqlcluster.
-------------------------- EXAMPLE 2 --------------------------
PS C:\\>Reset-DbaAdmin -SqlInstance sqlserver\\sqlexpress -Login ad\\administrator -Confirm:$false
Adds the domain account "ad\\administrator" as a sysadmin to the SQL instance.
If the account already exists, it will be added to the sysadmin role.
Does not prompt for a password since it is not a SQL login. Does not prompt for confirmation since -Confirm is set
to $false.
-------------------------- EXAMPLE 3 --------------------------
PS C:\\>Reset-DbaAdmin -SqlInstance sqlserver\\sqlexpress -Login sqladmin -Force
Skips restart confirmation, prompts for password, then adds a SQL Login "sqladmin" with sysadmin privileges.
If the account already exists, it will be added to the sysadmin role and the password will be reset.
RELATED LINKS
https://dbatools.io/Reset-DbaAdmin