dsccommunity · johlju · Feb 19, 2026 · Feb 13, 2026 · Feb 13, 2026 · Feb 13, 2026
@@ -20,6 +20,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - SqlScript
   - Added integration test configuration that creates script files and executes
     the resource in a single configuration using `DependsOn`.
+- SqlLogin
+  - Added parameter `Sid` to allow setting the sid of the new login. ([issue #1470](https://github.com/dsccommunity/SqlServerDsc/issues/1470))
 
 ## [17.5.1] - 2026-02-05
 

@@ -72,6 +72,7 @@ function Get-TargetResource
         Disabled        = $login.IsDisabled
         DefaultDatabase = $login.DefaultDatabase
         Language        = $login.Language
+        Sid             = $login.Sid
     }
 
     if ($login.LoginType -eq 'SqlLogin')
@@ -124,6 +125,9 @@ function Get-TargetResource
 
     .PARAMETER Language
         Specifies the default language for the login.
+
+    .PARAMETER Sid
+        Specifies the security identifier (SID) for the login. Only applies to SQL Logins. The value should be a hexadecimal string (e.g. '0x1234...').
 #>
 function Set-TargetResource
 {
@@ -187,7 +191,12 @@ function Set-TargetResource
 
         [Parameter()]
         [System.String]
-        $Language
+        $Language,
+
+        [Parameter()]
+        [ValidatePattern('^0x([0-9A-Fa-f]{2})+$')]
+        [System.String]
+        $Sid
     )
 
     $serverObject = Connect-SQL -ServerName $ServerName -InstanceName $InstanceName -ErrorAction 'Stop'
@@ -272,7 +281,8 @@ function Set-TargetResource
                 }
 
                 if ( ( $PSBoundParameters.ContainsKey('DefaultDatabase') -and ($login.DefaultDatabase -ne $DefaultDatabase) ) -or
-                     ( $PSBoundParameters.ContainsKey('Language') -and $login.Language -ne $Language ) )
+                     ( $PSBoundParameters.ContainsKey('Language') -and ($login.Language -ne $Language) )
+                   )
                 {
                     if ( $PSBoundParameters.ContainsKey('DefaultDatabase') )
                     {
@@ -336,6 +346,11 @@ function Set-TargetResource
                             $LoginCreateOptions = [Microsoft.SqlServer.Management.Smo.LoginCreateOptions]::None
                         }
 
+                        if ( $PSBoundParameters.ContainsKey('Sid') )
+                        {
+                            $login.Sid = ([byte[]] -split ( $Sid -replace '^0x', '' -replace '..', '0x$& '))
+                        }
+
                         New-SQLServerLogin -Login $login -LoginCreateOptions $LoginCreateOptions -SecureString $LoginCredential.Password -ErrorAction 'Stop'
                     }
 
@@ -356,7 +371,8 @@ function Set-TargetResource
                 }
 
                 if ( ( $PSBoundParameters.ContainsKey('DefaultDatabase') -and ($login.DefaultDatabase -ne $DefaultDatabase) ) -or
-                     ( $PSBoundParameters.ContainsKey('Language') -and $login.Language -ne $Language ) )
+                     ( $PSBoundParameters.ContainsKey('Language') -and ($login.Language -ne $Language) )
+                   )
                 {
                     # Set the default database if specified
                     if ( $PSBoundParameters.ContainsKey('DefaultDatabase') )
@@ -428,6 +444,11 @@ function Set-TargetResource
 
     .PARAMETER Language
         Specifies the default language for the login.
+
+    .PARAMETER Sid
+        Specifies the security identifier (SID) for the login. Only applies to SQL Logins. The value should be a hexadecimal string (e.g. '0x1234...').
+
+        Not currently used in Test-TargetResource to enforce Sid.
 #>
 function Test-TargetResource
 {
@@ -491,7 +512,12 @@ function Test-TargetResource
 
         [Parameter()]
         [System.String]
-        $Language
+        $Language,
+
+        [Parameter()]
+        [ValidatePattern('^0x([0-9A-Fa-f]{2})+$')]
+        [System.String]
+        $Sid
     )
 
     Write-Verbose -Message (

@@ -15,4 +15,5 @@ class DSC_SqlLogin : OMI_BaseResource
     [Write, Description("Specifies if the login is disabled. Default value is `$false`.")] Boolean Disabled;
     [Write, Description("Specifies the default database name.")] String DefaultDatabase;
     [Write, Description("Specifies the default language.")] String Language;
+    [Write, Description("Specifies the security identifier (SID) for the login. Only applies to _SQL Logins_. The value should be a hexadecimal string (e.g. `'0x1234...'`).")] String Sid;
 };
@@ -0,0 +1,53 @@
+<#
+    .DESCRIPTION
+        This example shows how to ensure that the SQL logins 'SqlLogin' and
+        'SqlLogin2' exist, where 'SqlLogin2' is created with an explicit SID.
+#>
+
+Configuration Example
+{
+    param
+    (
+        [Parameter(Mandatory = $true)]
+        [System.Management.Automation.PSCredential]
+        $SqlAdministratorCredential,
+
+        [Parameter(Mandatory = $true)]
+        [System.Management.Automation.PSCredential]
+        $LoginCredential
+    )
+
+    Import-DscResource -ModuleName 'SqlServerDsc'
+
+    node localhost
+    {
+        SqlLogin 'Add_SqlLogin'
+        {
+            Ensure                         = 'Present'
+            Name                           = 'SqlLogin'
+            LoginType                      = 'SqlLogin'
+            ServerName                     = 'TestServer.company.local'
+            InstanceName                   = 'DSC'
+            LoginCredential                = $LoginCredential
+            LoginMustChangePassword        = $false
+            LoginPasswordExpirationEnabled = $true
+            LoginPasswordPolicyEnforced    = $true
+            PsDscRunAsCredential           = $SqlAdministratorCredential
+        }
+
+        SqlLogin 'Add_SqlLogin_Set_Login_Sid'
+        {
+            Ensure                         = 'Present'
+            Name                           = 'SqlLogin2'
+            LoginType                      = 'SqlLogin'
+            ServerName                     = 'TestServer.company.local'
+            InstanceName                   = 'DSC'
+            LoginCredential                = $LoginCredential
+            LoginMustChangePassword        = $false
+            LoginPasswordExpirationEnabled = $true
+            LoginPasswordPolicyEnforced    = $true
+            PsDscRunAsCredential           = $SqlAdministratorCredential
+            Sid                            = '0x5283175DBF354E508FB7582940E87500'
+        }
+    }
+}
@@ -1,7 +1,8 @@
 <#
     .DESCRIPTION
         This example shows how to ensure that the Windows user 'CONTOSO\WindowsUser',
-        Windows group 'CONTOSO\WindowsGroup', and the SQL Login 'SqlLogin' exists.
+        'CONTOSO\WindowsUser2', 'CONTOSO\WindowsUser3',
+        and Windows group 'CONTOSO\WindowsGroup' exists.
 #>
 
 Configuration Example
@@ -10,11 +11,7 @@ Configuration Example
     (
         [Parameter(Mandatory = $true)]
         [System.Management.Automation.PSCredential]
-        $SqlAdministratorCredential,
-
-        [Parameter(Mandatory = $true)]
-        [System.Management.Automation.PSCredential]
-        $LoginCredential
+        $SqlAdministratorCredential
     )
 
     Import-DscResource -ModuleName 'SqlServerDsc'
@@ -62,19 +59,5 @@ Configuration Example
             InstanceName         = 'DSC'
             PsDscRunAsCredential = $SqlAdministratorCredential
         }
-
-        SqlLogin 'Add_SqlLogin'
-        {
-            Ensure                         = 'Present'
-            Name                           = 'SqlLogin'
-            LoginType                      = 'SqlLogin'
-            ServerName                     = 'TestServer.company.local'
-            InstanceName                   = 'DSC'
-            LoginCredential                = $LoginCredential
-            LoginMustChangePassword        = $false
-            LoginPasswordExpirationEnabled = $true
-            LoginPasswordPolicyEnforced    = $true
-            PsDscRunAsCredential           = $SqlAdministratorCredential
-        }
     }
 }