Programmatically change security settings. Is it possible?

Andrey Zakharchuk

Hello, All.

I need the ability to read/write a number of security settings: "Local
Security Policy" values like "Password Policies" ("Minimum password
length", "Maximum password age"), "Account Lockout Policy" ("Account
lockout threshold", "Account lockout duration", "Reset account lockout
after") etc. I need to do this from, let's say, C#/Delphi/VB code. Could
anyone give me a little sample or URL with an explanation of how to do that?

I tried a lot of methods from the LSA API to ADSI. The LSA API seems not
very suitable for this task (at least I didn't find a way to
access these values).

ADSI seems to be better, but most of the samples I saw are about domain/user
management. I guess security settings are present somewhere in the AD,
but I don't know the path and structure of these values (classes,
attributes etc.).

Are there some other ways, except the LSA API and ADSI?

Thank you in advance.

Derek Melber [MVP]

Andrey,

Some of what you want are policy settings and other details are user account
related. For the policy info, just run "net accounts". For the user account
info, you can just create a simple VBS script to pluck out that info. For
the syntax and details of the attributes, just search on the msdn web site.

Richard Mueller [MVP]

Hi,

Reading is one thing, writing is another. The policy settings apply to the
domain only, so there isn't much point altering these programmatically. They
cannot be set for individual users. I don't remember seeing code to modify
any Integer8 attributes. The relevant attributes are:

attribute                 syntax
---------                 ------
minPwdAge                 Integer8
minPwdLength              Integer
lockoutDuration           Integer8
lockoutObservationWindow  Integer8
lockoutThreshold          Integer

The Integer8 attributes are 64-bit numbers. You must use the
IADsLargeInteger interface to deal with the 64-bit numbers. In VBScript, you
can read the values as follows:

Option Explicit
Dim objRootDSE, strDNSDomain, objDomain
Dim objMinPWAge, lngMinPWAge
Dim objDuration, lngDuration
Dim objLockoutWin, lngLockoutWin

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDNSDomain)

Wscript.Echo "Domain policy values"

Set objMinPWAge = objDomain.minPwdAge
lngMinPWAge = Int8ToSec(objMinPWAge) / (24 * 60 * 60)
Wscript.Echo "Minimum password age in days: " & lngMinPWAge

Wscript.Echo "Minimum password length: " & objDomain.minPwdLength

Set objDuration = objDomain.lockoutDuration
lngDuration = Int8ToSec(objDuration) / (60)
Wscript.Echo "Lockout duration in minutes: " & lngDuration

Set objLockoutWin = objDomain.lockoutObservationWindow
lngLockoutWin = Int8ToSec(objLockoutWin) / (60)
Wscript.Echo "Lockout window in minutes: " & lngLockoutWin

Wscript.Echo "Lockout threshold: " & objDomain.lockoutThreshold

Function Int8ToSec(objInt8)
    ' Function to convert Integer8 attributes from
    ' 64-bit numbers to seconds.
    Dim lngHigh, lngLow
    lngHigh = objInt8.HighPart
    ' Account for error in IADsLargeInteger property methods:
    ' LowPart is returned as a signed 32-bit value, so a negative
    ' LowPart means one unit must be borrowed into HighPart.
    lngLow = objInt8.LowPart
    If lngLow < 0 Then
        lngHigh = lngHigh + 1
    End If
    ' Values are stored as negative counts of 100-nanosecond intervals.
    Int8ToSec = -(lngHigh * (2^32) + lngLow) / (10000000)
End Function

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--

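An added example (mine, not Richard's code) showing the same Integer8 handling in Python, as a raw LDAP client rather than ADSI would see the attributes: the raw value decodes directly, and the HighPart/LowPart correction from the script above is ported and checked against it. The sample attribute values and the audit thresholds are constructed assumptions, not values from the thread.

```python
HUNDRED_NS_PER_SEC = 10_000_000

# Constructed sample of what an LDAP search of the domain root returns:
# Integer8 values arrive as decimal strings (here 1 day, 30 min, 30 min).
DOMAIN_ROOT = {
    "minPwdAge": "-864000000000",
    "minPwdLength": "7",
    "lockoutDuration": "-18000000000",
    "lockoutObservationWindow": "-18000000000",
    "lockoutThreshold": "0",
}

def int8_to_seconds(raw: str) -> float:
    """Raw Integer8 duration (negative 100-ns intervals) -> positive seconds."""
    return -int(raw) / HUNDRED_NS_PER_SEC

def large_integer_parts(value: int) -> tuple[int, int]:
    """Emulate IADsLargeInteger: HighPart and LowPart as SIGNED 32-bit longs,
    which is why a LowPart < 0 needs the correction in the thread's script."""
    bits = value & 0xFFFFFFFFFFFFFFFF          # two's-complement view
    high, low = bits >> 32, bits & 0xFFFFFFFF
    return (high - 2**32 if high >= 2**31 else high,
            low - 2**32 if low >= 2**31 else low)

def int8_to_sec_from_parts(high: int, low: int) -> float:
    """Direct port of the thread's Int8ToSec."""
    if low < 0:          # LowPart wrapped negative: borrow into HighPart
        high += 1
    return -(high * 2**32 + low) / HUNDRED_NS_PER_SEC

def audit_policy(attrs: dict) -> list[str]:
    """Flag weak settings against an assumed baseline (the thresholds are
    illustrative assumptions, not values from the thread)."""
    findings = []
    if int(attrs["minPwdLength"]) < 14:
        findings.append("minPwdLength below 14")
    if int(attrs["lockoutThreshold"]) == 0:
        findings.append("lockoutThreshold is 0 (lockout disabled)")
    if int8_to_seconds(attrs["lockoutDuration"]) < 15 * 60:
        findings.append("lockoutDuration under 15 minutes")
    return findings

if __name__ == "__main__":
    for name in ("minPwdAge", "lockoutDuration", "lockoutObservationWindow"):
        parts = large_integer_parts(int(DOMAIN_ROOT[name]))
        print(name, int8_to_seconds(DOMAIN_ROOT[name]),
              int8_to_sec_from_parts(*parts))
    print(audit_policy(DOMAIN_ROOT))
```

Both decoders agree on every sample, which is the check that the borrow into HighPart is right; the audit function is the kind of read-only baseline comparison that is useful even though policy-managed values cannot be durably changed this way.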

Roger Abell

Good post Richard, and interesting hoops to handle integer8 in VB.

I believe the OP was asking for a way to set policy values rather
than the current effective values.

To my knowledge there is no public documented interface for
programmatically adjusting settings in policy objects.
If one changes the effective value but that value is being managed
by policy, then one's changes will be ephemeral.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
 
