
Conversation

@potatoqualitee potatoqualitee commented Nov 7, 2025

Not convinced by this, anyone else chime in.

Sync-DbaLoginSid - Synchronize SQL Login SIDs Across Instances

Problem Solved

Fixes a long-standing issue (#3679, opened 2018) where SQL Server environments have the same login with different SIDs across multiple servers. This creates ongoing operational pain:

  • Database restores require running Repair-DbaDbOrphanUser every time
  • Availability Group failovers break authentication if SIDs don't match
  • Inherited environments riddled with mismatched SIDs (reported: "7 different SIDs across 19 servers")
  • No proactive fix exists - only reactive band-aids

Why Existing Commands Don't Solve This

Copy-DbaLogin -Force was suggested in the original issue discussion, but it has critical limitations:

Feature              | Copy-DbaLogin -Force  | Sync-DbaLoginSid
---------------------|-----------------------|----------------------
Password             | Copies from source    | Preserves destination
Server Roles         | Copies from source    | Preserves destination
Database Permissions | Copies from source    | Not touched
SID                  | Copies from source ✅ | Copies from source ✅

The use case requires different passwords per environment (prod vs dev/test) while aligning SIDs to prevent orphaned users.

Implementation Details

Technical Approach

Since SQL Server provides no way to ALTER a login's SID (the Login.Sid SMO property is read-only after creation), the command:

  1. Retrieves the password hash from the destination (to preserve existing password)
  2. Captures all login properties and server role memberships from destination
  3. Drops the login
  4. Recreates it with the source SID but destination password hash
  5. Restores all server roles and login properties (disabled state, default database, language, etc.)

This surgical approach changes only the SID while preserving everything else.

Key Features

  • Preserves destination password - Different passwords per environment maintained
  • Preserves server roles - Destination role memberships restored after recreation
  • Preserves login properties - Default database, language, policy settings, disabled state
  • Smart filtering - Automatically skips Windows logins (SIDs managed by AD)
  • Already-matched detection - Skips logins with matching SIDs, returns status
  • Pipeline support - Accepts Get-DbaLogin output
  • High safety - ConfirmImpact = "High" with full WhatIf support

Real-World Use Cases

  1. AG Preparation - Sync login SIDs across all replicas before configuring Availability Groups
  2. Post-Migration Cleanup - Fix inherited environments with mismatched SIDs across 10+ servers
  3. DR Readiness - Ensure DR servers have matching SIDs so failover is seamless
  4. Environment Standardization - Align dev/test/prod login SIDs while keeping different passwords

Testing

Comprehensive test suite includes:

  • Parameter validation tests
  • Single login sync verification
  • Multiple login sync verification
  • Pipeline input support (single and multiple logins)
  • Windows login filtering (automatically skipped)
  • Already-matched SID detection
  • Non-existent login handling
  • SID verification after sync (ensures SIDs actually match)

Code Quality

  • ✅ PowerShell v3 compatible (no ::new() syntax)
  • ✅ Modern parameter syntax (no = $true attributes)
  • ✅ Splats for all 3+ parameter calls (no backticks)
  • ✅ Proper hashtable alignment per CLAUDE.md standards
  • ✅ Registered in both dbatools.psd1 and dbatools.psm1

Closes

Closes #3679 (opened June 2018)
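The drop-and-recreate procedure in the description above, written out as an added example (this is not dbatools' Sync-DbaLoginSid source, and the function name, instance names and login name are placeholders). It reads the SID from the source and the password hash, policy flags, default database/language, disabled state and role memberships from the destination, then runs one batch that drops the login and recreates it with `PASSWORD = 0x... HASHED, SID = 0x...`. Two points a practitioner would add to the steps as listed: DROP LOGIN is refused while the login still owns a database or an Agent job, so that is checked before anything is dropped, and explicit server-scope GRANT/DENY entries on the login are also lost on drop, so they are captured and replayed alongside the roles. The generated batch is written to the verbose stream before it runs, because a failed CREATE after a successful DROP would otherwise leave no record of what to restore.

```powershell
# Added example, not dbatools' Sync-DbaLoginSid: rebuild a destination SQL login with the
# source instance's SID while keeping the destination's own password hash, login properties,
# server roles and explicit server-scope permissions. Assumes dbatools is installed and the
# caller has ALTER ANY LOGIN and rights to read password hashes on both instances; the
# function name and the instance/login names in the usage line are placeholders.
Import-Module dbatools

function Sync-LoginSidExample {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][string]$Login
    )
    if ($Login -eq 'sa') { throw 'sa has a fixed SID (0x01) on every instance and cannot be dropped.' }

    # sys.sql_logins only lists SQL logins, so Windows/AD logins are excluded automatically.
    $loginQuery = @'
SELECT sid, password_hash, is_disabled, default_database_name, default_language_name,
       is_policy_checked, is_expiration_checked
FROM sys.sql_logins WHERE name = @name
'@
    $params = @{ Database = 'master'; Query = $loginQuery; SqlParameters = @{ name = $Login }; As = 'PSObject' }
    $src = Invoke-DbaQuery -SqlInstance $Source @params
    $dst = Invoke-DbaQuery -SqlInstance $Destination @params
    if (-not $src -or -not $dst) { throw "$Login must exist as a SQL login on both $Source and $Destination." }

    $toHex = { param([byte[]]$b) '0x' + [System.BitConverter]::ToString($b).Replace('-', '') }
    if ($src.sid.Length -ne 16) { throw "Unexpected SID length $($src.sid.Length) for $Login on $Source." }
    $srcSid = & $toHex $src.sid
    $dstSid = & $toHex $dst.sid
    if ($srcSid -eq $dstSid) {
        return [pscustomobject]@{ Login = $Login; Status = 'AlreadyMatched'; Sid = $srcSid }
    }

    $q = '[' + $Login.Replace(']', ']]') + ']'
    # DROP LOGIN is refused while the login owns a database or an Agent job; check up front
    # instead of failing halfway through the batch.
    $owned = Invoke-DbaQuery -SqlInstance $Destination -Database master -As PSObject -Query @"
SELECT name FROM sys.databases WHERE owner_sid = $dstSid
UNION ALL SELECT name FROM msdb.dbo.sysjobs WHERE owner_sid = $dstSid
"@
    if ($owned) { throw "Reassign ownership of $(@($owned.name) -join ', ') before recreating $Login." }

    # Capture what DROP LOGIN throws away: role memberships and explicit server-scope GRANT/DENYs.
    $roles = Invoke-DbaQuery -SqlInstance $Destination -Database master -As PSObject -SqlParameters @{ name = $Login } -Query @'
SELECT r.name FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = @name
'@
    $perms = Invoke-DbaQuery -SqlInstance $Destination -Database master -As PSObject -SqlParameters @{ name = $Login } -Query @'
SELECT p.state_desc, p.permission_name FROM sys.server_permissions p
JOIN sys.server_principals m ON m.principal_id = p.grantee_principal_id
WHERE m.name = @name AND p.class = 100 AND p.permission_name <> 'CONNECT SQL'
'@

    # Build the whole batch before dropping anything. HASHED re-uses the destination's stored
    # hash, so the destination password survives even though the login object is recreated.
    $with = @(
        "PASSWORD = $(& $toHex $dst.password_hash) HASHED"
        "SID = $srcSid"
        "DEFAULT_DATABASE = [$($dst.default_database_name.Replace(']', ']]'))]"
        "CHECK_POLICY = $(if ($dst.is_policy_checked) { 'ON' } else { 'OFF' })"
        "CHECK_EXPIRATION = $(if ($dst.is_expiration_checked) { 'ON' } else { 'OFF' })"
    )
    if ($dst.default_language_name -is [string]) { $with += "DEFAULT_LANGUAGE = [$($dst.default_language_name)]" }
    $ddl = @("DROP LOGIN $q;", "CREATE LOGIN $q WITH $($with -join ', ');")
    if ($dst.is_disabled) { $ddl += "ALTER LOGIN $q DISABLE;" }
    foreach ($r in $roles) { $ddl += "ALTER SERVER ROLE [$($r.name.Replace(']', ']]'))] ADD MEMBER $q;" }
    foreach ($p in $perms) {
        $stmt = if ($p.state_desc -eq 'GRANT_WITH_GRANT_OPTION') { "GRANT $($p.permission_name) TO $q WITH GRANT OPTION;" }
                else { "$($p.state_desc) $($p.permission_name) TO $q;" }
        $ddl += $stmt
    }
    $batch = $ddl -join "`n"

    if ($PSCmdlet.ShouldProcess($Destination, "Drop and recreate $Login with SID $srcSid")) {
        Write-Verbose $batch   # keep this output: if CREATE fails after DROP, it is the recovery script
        Invoke-DbaQuery -SqlInstance $Destination -Database master -Query $batch
        $after = Invoke-DbaQuery -SqlInstance $Destination @params
        $newSid = & $toHex $after.sid
        [pscustomobject]@{ Login = $Login; Status = $(if ($newSid -eq $srcSid) { 'Synced' } else { 'Failed' }); Sid = $newSid }
    }
}

# Dry run first with -WhatIf; re-run without it to apply (ConfirmImpact High prompts before the drop).
Sync-LoginSidExample -Source sql-prod-01 -Destination sql-dr-01 -Login app_user -WhatIf -Verbose
```

Endpoint- or object-scoped server permissions (class other than 100) are deliberately not replayed here; if the login holds any, script them separately before running this against a destination.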

github-actions bot and others added 2 commits November 7, 2025 18:39
…nstances

(do Sync-DbaLoginSid)

Co-authored-by: Chrissy LeMaire <[email protected]>
Sync-DbaLoginSid now retrieves and preserves the destination login's password hash, server roles, and properties when syncing the SID. The login is dropped and recreated with the original password, SID, default database, language, policy settings, and roles, ensuring a seamless migration.

(do Sync-DbaLoginSid)

Development

Successfully merging this pull request may close these issues.

Fixing login SIDs with Switch-DbaLoginSID (new function)
