Setting BadPasswordAttempts and MaxPasswordAge of a local user from C#?


Michael Howes

I have some code that manages local user logins.
When I create a new user I want to set the password to expire every x
days and the number of failed login attempts before the account is
disabled/locked out. I can't seem to figure out how.

I saw two properties in MSDN, BadPasswordAttempts and MaxPasswordAge,
but I can't seem to set them on the new user.

My code looks like this:

DirectoryEntry newUser = null;
newUser = m_DomainMachine.Children.Add(Username, "user");
newUser.Invoke("SetPassword", new object[] { Pswd });
newUser.Properties["Description"].Value = Description;
newUser.Properties["FullName"].Value = Fullname;

newUser.Properties["BadPasswordAttempts"].Value = 3;
newUser.Properties["MaxPasswordAge"].Value = 90;

I get an exception when I try to set those two properties, saying that
those properties aren't in the property cache.

Is there a way to set properties like these on a new user, or does this
have to do with the local policies?

thanks
mike
 

Herb Martin

Michael Howes said:
> I have some code that manages local user logins.
> When I create a new user I want to set the password to expire every x
> days and the number of failed login attempts before the account is
> disable/locked out. I can't seem to figure out how.

These are normally only settable for EVERY user on the computer (or
every user on a domain.)

> I saw two properties in MSDN BadPasswordAttempts and MaxPasswordAge but I
> can't seem to set them on the new user.
>
> my code looks like this
> DirectoryEntry newUser = null;
> newUser = m_DomainMachine.Children.Add(Username, "user");
> newUser.Invoke("SetPassword", new object[] { Pswd });
> newUser.Properties["Description"].Value = Description;
> newUser.Properties["FullName"].Value = Fullname;
>
> newUser.Properties["BadPasswordAttempts"].Value = 3;
> newUser.Properties["MaxPasswordAge"].Value = 90;
>
> I get an exception when I try and set those two properties that those
> properties aren't in the property cache.
>
> Is there a way to set properties like these on a new user or does this
> have to do with the local policies
>
> thanks
> mike
 

Joe Kaplan

Also, I'm not sure if there is a straightforward way in .NET to change the
policy for the local machine. I think you need to do some p/invoke to the
LSA policy API stuff. However, given that you generally only do this once,
you likely wouldn't need to bother changing the policy.

What you can do is determine whether a user's password expires or not.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
 

Michael Howes

> I have some code that manages local user logins.

Herb Martin said:
> These are normally only settable for EVERY user on the computer (or
> every user on a domain.)

Ah, I see. Thanks.

I'm now having trouble adding users to a group.

Why is all the documentation in MSDN wrong? That's really odd.

The code in MSDN says to do the following with the new user:

DirectoryEntry admGroup = m_DomainMachine.Children.Find("Power Users", "group");
admGroup.Properties["member"].Add(newUser.Path);
admGroup.CommitChanges();

"member" doesn't seem to be a property.

Seems like at some point there was a major change in the .Net layer
over the old COM stuff and MSDN hasn't been updated. I'm using .Net 2 if
that helps.

Can I add to a group that is a DirectoryEntry object using
group.Children.Add?
Thanks.

Oh, and on a local machine I'm looking in "Local Security
Settings\Local Policies\Security Options\" and see a long list of
security settings, but don't see ones that relate to aging a password or
failed login attempts. Any pointers to where I can find those?

And again, this is on a local machine, not a domain.

thanks
mike
 

Joe Kaplan

You can't do it that way using the WinNT provider. "member" is an attribute
in AD, but a similar property does not exist in the "SAM" property set. The
only supported way to do this with a shipping .NET version is to Invoke the
"Add" method on IADsGroup. You might do:

entry.Invoke("Add", new object[] {"WinNT://machine/user"});
or something along those lines. You also need to use similar techniques to
remove or enumerate local machine group members.

In .NET 3.5, this stuff gets easier. There is a new namespace,
System.DirectoryServices.AccountManagement, that provides strongly typed
editable classes for managing security principals (users, groups, etc.).
They use a provider model to support local machine, AD and ADAM users (plus
custom implementations). This will make this stuff much nicer, especially
for the local machine stuff where you can't just set the actual attributes
in the directory like you can with LDAP.

HTH,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
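An added example of the Invoke approach Joe describes (written for this page, not code from the thread or from any project): adding, removing and enumerating local group members through IADsGroup on the WinNT provider. The machine, group and user names are placeholders, and the caller needs administrative rights on the target machine.

```csharp
using System;
using System.Collections;
using System.DirectoryServices;

// Added example, not from the thread: "member" is not in the WinNT/SAM property
// set, so membership goes through IADsGroup methods reached via DirectoryEntry.Invoke.
// Machine, group and user names are placeholders.
static class LocalGroupMembership
{
    static string UserPath(string machine, string user)
    {
        return "WinNT://" + machine + "/" + user + ",user";
    }

    static DirectoryEntry BindGroup(string machine, string group)
    {
        return new DirectoryEntry("WinNT://" + machine + "/" + group + ",group");
    }

    // IADsGroup::Add takes the member's ADsPath and the provider applies it at
    // once, so no CommitChanges() is needed. Adding an existing member throws a
    // COMException, which callers should expect and handle.
    public static void AddMember(string machine, string group, string user)
    {
        using (DirectoryEntry g = BindGroup(machine, group))
            g.Invoke("Add", new object[] { UserPath(machine, user) });
    }

    public static void RemoveMember(string machine, string group, string user)
    {
        using (DirectoryEntry g = BindGroup(machine, group))
            g.Invoke("Remove", new object[] { UserPath(machine, user) });
    }

    // IADsGroup::Members returns an IADsMembers collection; each element is a
    // native ADSI object that DirectoryEntry can wrap to read its ADsPath.
    public static ArrayList ListMemberPaths(string machine, string group)
    {
        ArrayList paths = new ArrayList();
        using (DirectoryEntry g = BindGroup(machine, group))
        {
            object members = g.Invoke("Members");
            foreach (object m in (IEnumerable)members)
            {
                using (DirectoryEntry member = new DirectoryEntry(m))
                    paths.Add(member.Path);   // e.g. WinNT://MACHINE/Alice
            }
        }
        return paths;
    }
}
```

Enumerating membership this way is also a cheap audit check: comparing ListMemberPaths("MACHINE", "Administrators") against an expected list catches unplanned privileged accounts.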
 

Michael Howes

> I have some code that manages local user logins.
> When I create a new user I want to set the password to expire every x
> days and the number of failed login attempts before the account is
> disable/locked out. I can't seem to figure out how.

Herb Martin said:
> These are normally only settable for EVERY user on the computer (or
> every user on a domain.)

> newUser.Properties["BadPasswordAttempts"].Value = 3;
> newUser.Properties["MaxPasswordAge"].Value = 90;

is this the same for pwdLastSet? In other words is there no way from
code to make it so the user has to change their password during their
next login?

thanks
mike
 

Michael Howes

Joe Kaplan said:
> You can't do it that way using the WinNT provider. "member" is an attribute
> in AD, but a similar property does not exist in the "SAM" property set. The
> only supported way to do this with a shipping .NET version is to Invoke the
> "Add" method on IADsGroup. You might do:
>
> entry.Invoke("Add", new object[] {"WinNT://machine/user"});
> or something along those lines. You also need to use similar techniques to
> remove or enumerate local machine group members.

Are there MSDN docs for the invoke-able methods for whatever COM object
I'm working with behind the .Net scenes?

thanks
 

Joe Kaplan

You basically just need to read the entire ADSI SDK in addition to the .NET
DirectoryServices SDK to get the full list of stuff you can do.
Specifically, the ADSI interface documentation is helpful. The other issue
is knowing which ADSI interfaces can be invoked on any given DirectoryEntry,
but for the most part that will be either the IADs "core" interface, a few
of the other core interfaces and the permanent object interfaces like
IADsUser and IADsGroup.

If the reflection style of programming becomes too sucky to bear (it doesn't
scale well when you need to do more than a method or two), you can also
create an interop assembly for activeds.tlb and then just cast the
NativeObject property on DirectoryEntry to the .NET interop wrapper type for
ADSI COM class. Then it is all strongly typed.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
 

Joe Kaplan

You can't set pwdLastSet to 0 with WinNT like you can with LDAP/AD to force
pwd change at next logon. I'm pretty sure there is an IADsUser property
method that you can invoke that does this though. Check the ADSI SDK.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
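An added example (written for this page, not code from the thread) of the per-user settings that do exist on the WinNT provider next to the machine-wide policy Herb and Joe refer to. It assumes the WinNT provider's PasswordExpired and UserFlags user properties and the MaxPasswordAge / MaxBadPasswordsAllowed properties of the computer object, none of which the thread names; machine and user names are placeholders.

```csharp
using System;
using System.DirectoryServices;

// Added example, not from the thread. Per user, the WinNT provider exposes
// PasswordExpired (1 = must change at next logon) and the
// ADS_UF_DONT_EXPIRE_PASSWD bit of UserFlags; the age and lockout thresholds
// are read from the computer object. Names are placeholders.
static class LocalPasswordPolicy
{
    const int ADS_UF_DONT_EXPIRE_PASSWD = 0x10000;   // from ADS_USER_FLAG_ENUM

    static DirectoryEntry BindUser(string machine, string user)
    {
        return new DirectoryEntry("WinNT://" + machine + "/" + user + ",user");
    }

    // WinNT-provider equivalent of pwdLastSet = 0 on LDAP/AD. Windows rejects
    // this for an account whose password is flagged as never expiring.
    public static void ForceChangeAtNextLogon(string machine, string user)
    {
        using (DirectoryEntry u = BindUser(machine, user))
        {
            u.Properties["PasswordExpired"].Value = 1;
            u.CommitChanges();
        }
    }

    // The per-user decision Joe mentions: true when the password is subject
    // to the machine's MaxPasswordAge at all.
    public static bool PasswordExpires(string machine, string user)
    {
        using (DirectoryEntry u = BindUser(machine, user))
        {
            int flags = Convert.ToInt32(u.Properties["UserFlags"].Value);
            return (flags & ADS_UF_DONT_EXPIRE_PASSWD) == 0;
        }
    }

    // Machine-wide thresholds as the provider reports them on the computer
    // object: MaxPasswordAge in seconds, MaxBadPasswordsAllowed as a count.
    public static void PrintMachinePolicy(string machine)
    {
        using (DirectoryEntry m = new DirectoryEntry("WinNT://" + machine + ",computer"))
        {
            long ageSeconds = Convert.ToInt64(m.Properties["MaxPasswordAge"].Value);
            int lockout = Convert.ToInt32(m.Properties["MaxBadPasswordsAllowed"].Value);
            Console.WriteLine("MaxPasswordAge: {0} days", ageSeconds / 86400);
            Console.WriteLine("MaxBadPasswordsAllowed: {0} (0 = no lockout)", lockout);
        }
    }
}
```

The settings Mike could not find under Security Options live under Account Policies (Password Policy and Account Lockout Policy) in the same Local Security Settings console, which is what PrintMachinePolicy reads back.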
 