The “lock” option to sp_locklogin, when used with a value for “number of inactive days,” locks inactive accounts that have not authenticated within that period. The following example locks all login accounts that have not authenticated within the past 60 days:
sp_locklogin 'all', 'lock', NULL, 60
The privileged role sso_role is required to lock logins.
This command has no effect if the sp_passwordpolicy option “enable last login updates” is set to “0”.
The value for “number of inactive days” can be 1 to 32767 days.
The new syslogins columns lockdate, locksuid and lockreason are updated whenever a login is locked or unlocked.
An administrator with sso_role can lock login accounts that have been inactive for a given number of days using the following sp_locklogin command:
sp_locklogin 'all', 'lock', [@except], 'number of inactive days'
See Chapter 10, “Supported Security Features” for more information about sp_locklogin.
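The steps above as one session run by a login with sso_role: check the prerequisite, preview, lock, then review. This is an added example, not part of the original documentation. The 60-day window and the 'sa_role' value for @except are illustrative choices, and the preview query assumes the status and lastlogindate columns of master..syslogins.

```sql
-- Added example: inactive-login lockout with a preview and a review step.
-- Assumptions: 60-day window; 'sa_role' is used as an illustrative @except value.
use master
go

-- 1. Confirm last-login tracking is enabled. If "enable last login updates"
--    is 0, the sp_locklogin call in step 3 has no effect.
exec sp_passwordpolicy 'list', 'enable last login updates'
go

-- 2. Preview: logins not currently locked (status bit 2 clear) whose recorded
--    last login is older than 60 days. Review this list before locking.
select name, suid, lastlogindate
from master..syslogins
where status & 2 = 0
  and lastlogindate < dateadd(dd, -60, getdate())
order by lastlogindate
go

-- 3. Lock logins inactive for 60 days, exempting those covered by @except.
exec sp_locklogin 'all', 'lock', 'sa_role', 60
go

-- 4. Review the result: when each login was locked, by whom, and the reason
--    code that was recorded in the new syslogins columns.
select name, lockdate, suser_name(locksuid) as locked_by, lockreason
from master..syslogins
where status & 2 = 2
order by lockdate desc
go
```

Comparing the output of step 2 with the output of step 4 shows whether any account was locked that the preview did not list, or spared because of the exception.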