Tuesday, August 07, 2012

AD : Programmatically getting password policy


On Windows Server 2008, this doesn’t seem possible. There doesn’t appear to be an API that gives you all the details of the current user’s password policy.

Why does this matter?

Because when the user needs to pick a password and they get it wrong, the standard message is:

“The password you have chosen does not meet corporate policy. Please contact the help desk”.

The standard rule for complexity is normally:

“The password contains characters from three of the following categories:

  • Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Non-alphanumeric characters (special characters) (for example, !, $, #, %)
  • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.”

However, you can summarise the above and then get the pieces of the puzzle individually. To do this, you would have to read each password-policy attribute from AD yourself.

Refer to Windows Domain Password Policies, which describes the attributes that make up a policy:

  • Establishes what takes precedence in situations where a user has membership in multiple groups with different password policies.
  • Toggles whether reversible encryption is enabled.
  • Determines how many intervening passwords must be unique before one can be reused.
  • Establishes the number and type of characters required in a password.
  • Establishes the minimum length of a password.
  • Determines how long a user must use a password before changing it.
  • Determines how long a user can use a password before being required to change it.
  • Determines how many failed password attempts will be allowed before locking out the user account.
  • Determines the time after which the bad password counter will be reset.
  • Determines how long the account will be locked out after too many failed password attempts.

So the message could be something like:

“Your password must be <msDS-MinimumPasswordLength> characters long, you cannot use one of your previous <msDS-PasswordHistoryLength> passwords and you will have to change it every <msDS-MaximumPasswordAge> days”.
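The following is an added example (my own code, not part of the original post) showing how to turn the attribute values into that message and how to pre-check a candidate password against the complexity rule quoted above, so the user gets a specific reason instead of "contact the help desk". It assumes the attribute values have already been read from the user's resultant policy (for example over LDAP, or with Get-ADUserResultantPasswordPolicy from the AD PowerShell module) and parsed into Python ints/bools; the SAMPLE_PSO dictionary is constructed for the demo and not taken from any real domain, and the function names are mine. It also applies the "must not contain the account name" part of the Windows complexity rule, which the post does not mention but which is part of the same rule.

```python
import unicodedata

# AD stores the password-age attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge)
# as a negative 64-bit count of 100-nanosecond intervals; Int64.MinValue means "never".
NEVER = -(2 ** 63)
TICKS_PER_DAY = 10 ** 7 * 86400


def interval_to_days(value):
    """Convert an AD negative 100-ns interval to whole days, or None for 'never expires'."""
    if value == NEVER:
        return None
    return abs(value) // TICKS_PER_DAY


def char_categories(password):
    """Return the set of complexity categories (as listed in the post) the password covers.

    Interpretation used here (an assumption, not from the post): only ASCII 0-9 count as
    digits, whitespace and digits of other scripts count for nothing, letters that are
    neither upper nor lower case (e.g. CJK) form the 'other alphabetic' category, and
    everything else is a special character.
    """
    cats = set()
    for ch in password:
        uc = unicodedata.category(ch)
        if uc == "Lu":
            cats.add("upper")
        elif uc == "Ll":                      # includes sharp-s and accented lowercase letters
            cats.add("lower")
        elif ch in "0123456789":
            cats.add("digit")
        elif uc.startswith("L"):              # Lt, Lm, Lo: alphabetic, neither upper nor lower
            cats.add("other_alpha")
        elif uc == "Nd" or ch.isspace():
            continue
        else:
            cats.add("special")
    return cats


def meets_complexity(password, account_name=None, min_categories=3):
    """Three-of-five category rule plus the account-name check from the Windows rule."""
    if len(char_categories(password)) < min_categories:
        return False
    # Windows skips the account-name check when the sAMAccountName is shorter than 3 chars.
    if account_name and len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    return True


def policy_message(policy):
    """Build the user-facing message the post proposes from the PSO attribute values."""
    parts = ["Your password must be at least %d characters long"
             % policy["msDS-MinimumPasswordLength"]]
    history = policy.get("msDS-PasswordHistoryLength", 0)
    if history:
        parts.append("you cannot reuse any of your previous %d passwords" % history)
    if policy.get("msDS-PasswordComplexityEnabled"):
        parts.append("it must contain characters from at least three of: uppercase letters, "
                     "lowercase letters, digits, special characters, other alphabetic characters")
    days = interval_to_days(policy["msDS-MaximumPasswordAge"])
    parts.append("it never expires" if days is None
                 else "you will have to change it every %d days" % days)
    return ", ".join(parts) + "."


def check_password(password, policy, account_name=None):
    """Return the list of policy rules a candidate password violates (empty means OK)."""
    problems = []
    if len(password) < policy["msDS-MinimumPasswordLength"]:
        problems.append("too short")
    if policy.get("msDS-PasswordComplexityEnabled") and not meets_complexity(password, account_name):
        problems.append("complexity")
    return problems


# Constructed sample values, shaped like a PSO's attributes (not from a real domain).
SAMPLE_PSO = {
    "msDS-MinimumPasswordLength": 12,
    "msDS-PasswordHistoryLength": 24,
    "msDS-PasswordComplexityEnabled": True,
    "msDS-MaximumPasswordAge": -60 * TICKS_PER_DAY,   # 60 days, in AD's encoding
}

if __name__ == "__main__":
    print(policy_message(SAMPLE_PSO))
    for pw in ["Winter2012!xyz", "password", "jsmith-Summer24"]:
        print(pw, "->", check_password(pw, SAMPLE_PSO, account_name="jsmith") or "ok")
```

Note that this is only a client-side pre-check to give better feedback; the domain controller still enforces the real policy, and a password filter DLL installed on the DCs can impose rules this code knows nothing about.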

