Disable password policy for partially-contained database

Question

I'm stuck in a situation where I need to create a new user for a partially-contained database (SQL Server 2016). The password is short, so I get an error:

Password validation failed. The password does not meet Windows policy requirements because it is too short.

When creating a login at the instance level, there is an option to untick 'Enforce password policy', 'Enforce password expiration', and 'User must change password at next login'. There is no such option when creating a user for a partially-contained DB.

Is there a way to get around this?

Answer 1

Since the Syntax section of the CREATE USER doc doesn't include the CHECK_POLICY option, I assume it's not a possibility for the CREATE USER command.

It seems the only way to achieve it is a workaround. You should create a normal SQL Server login with CHECK_POLICY = OFF and migrate it with sp_migrate_user_to_contained.

CREATE DATABASE Test;
GO

EXECUTE sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO

ALTER DATABASE Test
SET RESTRICTED_USER
WITH ROLLBACK IMMEDIATE;
GO

ALTER DATABASE Test
SET containment=partial;
GO

ALTER DATABASE Test
SET MULTI_USER;
GO

USE Test;  
GO 

CREATE LOGIN userWeakPWD  
WITH PASSWORD='pwd', CHECK_POLICY = OFF;
GO

CREATE USER userWeakPWD
FOR LOGIN userWeakPWD;
GO

EXEC sp_migrate_user_to_contained 
    @username = N'userWeakPWD',
    @rename = N'keep_name',
    @disablelogin = N'disable_login';
GO

I couldn't find any doc from Microsoft stating the existing restriction for creating a new contained user with CHECK_POLICY = OFF, but I had no lucky finding one explaining officially how to achieve it too.

---

Source: CHECK_POLICY = OFF Contained CREATE USER Statement (Credits to Shulei Chen)