Tuesday, August 07, 2012

AD : Programmatically getting password policy


On Windows Server 2008, this doesn’t seem possible. There doesn’t appear to be an API that gives you all the details of the current user’s password policy.

Why does this matter?

Because when the user needs to pick a password and they get it wrong, the standard message is:

“The password you have chosen does not meet corporate policy. Please contact the help desk”.

The standard wording of the complexity requirement is normally:

“The password contains characters from three of the following categories:

  • Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Non-alphanumeric characters (special characters) (for example, !, $, #, %)
  • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.”

However, you can summarise the complexity rule yourself and then retrieve the remaining pieces of the puzzle individually. To do this, you would have to read each of the following attributes from AD.

Refer to Windows Domain Password Policies

msDS-PasswordSettingsPrecedence
Establishes what takes precedence in situations where a user has membership in multiple groups with different password policies.

msDS-PasswordReversibleEncryptionEnabled
Toggles whether reversible encryption is enabled.

msDS-PasswordHistoryLength
Determines how many intervening passwords must be unique before one can be reused.

msDS-PasswordComplexityEnabled
Establishes the number and type of characters required in a password.

msDS-MinimumPasswordLength
Establishes the minimum length of a password.

msDS-MinimumPasswordAge
Determines how long a user must use a password before changing it.

msDS-MaximumPasswordAge
Determines how long a user can use a password before being required to change it.

msDS-LockoutThreshold
Determines how many failed password attempts will be allowed before locking out the user account.

msDS-LockoutObservationWindow
Determines the time after which the bad password counter will be reset.

msDS-LockoutDuration
Determines how long the account will be locked out after too many failed password attempts.

So the message could be something like:

“Your password must be <msDS-MinimumPasswordLength> characters long, you cannot use one of your previous <msDS-PasswordHistoryLength> passwords and you will have to change it every <msDS-MaximumPasswordAge> days”.
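As an added example (not code from the post), here is a Python snippet that takes the attributes above in the string form an LDAP search returns them, decodes the age and lockout intervals, which AD stores as negative counts of 100-nanosecond ticks, and builds the message just described. The PSO values are constructed for the example.

```python
from datetime import timedelta

# AD stores ages and lockout windows as negative counts of 100-ns ticks
# (e.g. -36288000000000 == 42 days); 0 or the minimum int64 means "not set".
def interval_to_timedelta(value):
    ticks = int(value)
    if ticks == 0 or ticks == -0x8000000000000000:
        return None
    return timedelta(seconds=abs(ticks) / 10_000_000)

def parse_policy(attrs):
    flag = lambda name: attrs[name].upper() == "TRUE"  # LDAP booleans are "TRUE"/"FALSE"
    return {
        "precedence": int(attrs["msDS-PasswordSettingsPrecedence"]),
        "reversible_encryption": flag("msDS-PasswordReversibleEncryptionEnabled"),
        "history_length": int(attrs["msDS-PasswordHistoryLength"]),
        "complexity": flag("msDS-PasswordComplexityEnabled"),
        "min_length": int(attrs["msDS-MinimumPasswordLength"]),
        "min_age": interval_to_timedelta(attrs["msDS-MinimumPasswordAge"]),
        "max_age": interval_to_timedelta(attrs["msDS-MaximumPasswordAge"]),
        "lockout_threshold": int(attrs["msDS-LockoutThreshold"]),
        "lockout_window": interval_to_timedelta(attrs["msDS-LockoutObservationWindow"]),
        "lockout_duration": interval_to_timedelta(attrs["msDS-LockoutDuration"]),
    }

def policy_message(policy):
    """Build the help text from the post; the complexity line is added only when enforced."""
    parts = [f"Your password must be at least {policy['min_length']} characters long"]
    if policy["history_length"]:
        parts.append(f"you cannot reuse any of your previous {policy['history_length']} passwords")
    if policy["max_age"]:
        parts.append(f"you will have to change it every {policy['max_age'].days} days")
    msg = ", ".join(parts) + "."
    if policy["complexity"]:
        msg += " It must contain characters from three of the five categories in the policy (upper case, lower case, digits, special characters, other Unicode letters)."
    return msg

# Constructed sample values, in the string form an LDAP search returns them.
SAMPLE_PSO = {
    "msDS-PasswordSettingsPrecedence": "10",
    "msDS-PasswordReversibleEncryptionEnabled": "FALSE",
    "msDS-PasswordHistoryLength": "24",
    "msDS-PasswordComplexityEnabled": "TRUE",
    "msDS-MinimumPasswordLength": "12",
    "msDS-MinimumPasswordAge": "-864000000000",       # 1 day
    "msDS-MaximumPasswordAge": "-36288000000000",     # 42 days
    "msDS-LockoutThreshold": "5",
    "msDS-LockoutObservationWindow": "-18000000000",  # 30 minutes
    "msDS-LockoutDuration": "-18000000000",           # 30 minutes
}
```

Running `policy_message(parse_policy(SAMPLE_PSO))` yields the help text with 12 characters, 24 previous passwords and 42 days filled in.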

Enjoy!
