User unable to change their own password in SQL Server using OLD_PASSWORD option

I am currently using SQL Server 2019 Developer edition and facing an issue with changing passwords. I have a login that holds the CONTROL SERVER permission but has been denied ALTER ANY LOGIN permission.

When the user attempts to change their own password using the following command:

use master
alter login USERNAME WITH PASSWORD = 'newpassword789' OLD_PASSWORD = 'oldpassword123'

An error occurs:

Cannot alter the login ‘USERNAME’, because it does not exist or you do not have permission.

Interestingly, when I remove the denial on ALTER ANY LOGIN, the password change goes smoothly. Yet, I want to maintain the denial for security reasons.

According to Microsoft’s documentation, it seems that having the ALTER ANY LOGIN permission should not be necessary when changing one’s own password with the OLD_PASSWORD clause.

What might be causing this permission error?

that’s weird behavior! have you checked if there’s a specific permission like alter on the login that might work around this? also, does this happen with all logins or just certain ones? sounds like microsoft’s docs might be wrong here…

This issue stems from SQL Server’s permission hierarchy. When the ALTER ANY LOGIN permission is explicitly denied, it prevents even self-service password changes with the OLD_PASSWORD clause, as denies take precedence. To address this while maintaining security, consider creating a custom database role that grants only the necessary permissions for password modifications. Alternatively, utilize SQL Server’s password policy features or develop a stored procedure with EXECUTE AS, allowing users to change their passwords under controlled circumstances. This way, you can uphold security without lifting the denial.