Compare-DbaAgReplicaLogin

dbatools team
Windows, Linux, macOS

Synopsis

Compares SQL Server logins across Availability Group replicas to identify configuration differences.

Description

Compares SQL Server logins across all replicas in an Availability Group to identify differences in login configurations. This helps ensure consistency across AG replicas and detect when logins have been created, modified, or removed on one replica but not others.

This is particularly useful for verifying that junior DBAs have applied security changes to all replicas or for troubleshooting access issues where login configurations have drifted between replicas.

By default, the command compares login names and their presence or absence on each replica. Use -IncludeModifiedDate to also compare modify_date timestamps from sys.server_principals to detect configuration drift.
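The comparison described above, sketched as an added example that is not dbatools source code. The function name Compare-ReplicaLoginSample, its output property names, and the replica and login names are hypothetical; the rows are constructed to resemble name and modify_date from sys.server_principals.

```powershell
# Added illustration, not the dbatools implementation. All names and data are constructed.
function Compare-ReplicaLoginSample {
    param(
        [Parameter(Mandatory)] [hashtable] $LoginsByReplica,  # replica name -> rows with name, modify_date
        [switch] $IncludeModifiedDate
    )
    $replicas = @($LoginsByReplica.Keys | Sort-Object)
    # Index each replica's rows by login name (PowerShell hashtable literals compare keys case-insensitively).
    $index = @{}
    foreach ($r in $replicas) {
        $index[$r] = @{}
        foreach ($row in $LoginsByReplica[$r]) { $index[$r][$row.name] = $row.modify_date }
    }
    # Union of login names seen on any replica.
    $allNames = @($index.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique)
    foreach ($name in $allNames) {
        $present = @($replicas | Where-Object { $index[$_].ContainsKey($name) })
        $missing = @($replicas | Where-Object { -not $index[$_].ContainsKey($name) })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{ Login = $name; Finding = 'Missing'; Replicas = $missing -join ', ' }
        }
        # Optional second check: same login exists on several replicas but was last modified at different times.
        if ($IncludeModifiedDate -and $present.Count -gt 1) {
            $dates = @($present | ForEach-Object { $index[$_][$name] } | Sort-Object -Unique)
            if ($dates.Count -gt 1) {
                [pscustomobject]@{ Login = $name; Finding = 'ModifyDateDiffers'; Replicas = $present -join ', ' }
            }
        }
    }
}

# Constructed sample: app_writer exists on one replica only; app_reader was changed later on sql2016b.
$sample = @{
    'sql2016a' = @(
        [pscustomobject]@{ name = 'app_reader'; modify_date = [datetime]'2024-03-01T10:00:00' }
        [pscustomobject]@{ name = 'app_writer'; modify_date = [datetime]'2024-03-01T10:05:00' }
        [pscustomobject]@{ name = 'etl_svc';    modify_date = [datetime]'2024-02-11T09:00:00' }
    )
    'sql2016b' = @(
        [pscustomobject]@{ name = 'app_reader'; modify_date = [datetime]'2024-05-20T08:30:00' }
        [pscustomobject]@{ name = 'etl_svc';    modify_date = [datetime]'2024-02-11T09:00:00' }
    )
}
Compare-ReplicaLoginSample -LoginsByReplica $sample -IncludeModifiedDate | Format-Table -AutoSize
```

A differing modify_date is a prompt to review the login on each replica, not proof of a different configuration: logins created separately on each replica carry different timestamps even when their settings match.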

Syntax

Compare-DbaAgReplicaLogin
    [[-SqlInstance] <DbaInstanceParameter[]>]
    [[-SqlCredential] <PSCredential>]
    [[-AvailabilityGroup] <String[]>]
    [-ExcludeSystemLogin]
    [-IncludeModifiedDate]
    [-EnableException]
    [<CommonParameters>]

Examples

Example: 1
PS C:\> Compare-DbaAgReplicaLogin -SqlInstance sql2016 -AvailabilityGroup AG1

Compares all SQL Server logins across replicas in the AG1 Availability Group.

Example: 2
PS C:\> Compare-DbaAgReplicaLogin -SqlInstance sql2016 -AvailabilityGroup AG1 -ExcludeSystemLogin

Compares user-created SQL Server logins across replicas, excluding system logins.

Example: 3
PS C:\> Compare-DbaAgReplicaLogin -SqlInstance sql2016 -AvailabilityGroup AG1 -IncludeModifiedDate

Compares SQL Server logins including their modify_date property to detect configuration drift.

Example: 4
PS C:\> Get-DbaAvailabilityGroup -SqlInstance sql2016 | Compare-DbaAgReplicaLogin

Compares SQL Server logins for all Availability Groups on sql2016 via pipeline input.

Optional Parameters

-SqlInstance

The target SQL Server instance or instances. Can be any replica in the Availability Group.

Property        Value
Alias
Required        False
Pipeline        true (ByValue)
Default Value

-SqlCredential

Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.

Property        Value
Alias
Required        False
Pipeline        false
Default Value

-AvailabilityGroup

Specifies one or more Availability Group names to compare logins across their replicas.

Property        Value
Alias
Required        False
Pipeline        false
Default Value

-ExcludeSystemLogin

Excludes built-in system logins from the comparison results.
Use this to focus on user-created logins and ignore built-in SQL Server logins.

Property        Value
Alias
Required        False
Pipeline        false
Default Value   False

-IncludeModifiedDate

Includes modify_date comparison in addition to login name comparison.
Use this to detect when logins have been reconfigured on some replicas but not others.

Property        Value
Alias
Required        False
Pipeline        false
Default Value   False

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.

Property        Value
Alias
Required        False
Pipeline        false
Default Value   False