Programmatically reading Password Policy info

Assuming that I need to know programmatically (VS C#) a User's, or Domain's, Password Policy parameters:
1) MinPasswordLength
2) PasswordHistoryLength
3) PasswordAttribute - COMPLEX
so far I've found a way to get the parameters 1) and 2), but not 3).
Here and there, though, parameter 3) is mentioned as a legitimate element of the Active Directory schema, but I haven't found a way to actually read it. The reason may be that, as stated in the document "Provider Support of ADSI Interfaces", section "Provider Support for IADsDomain", this property PasswordAttributes is declared as not supported by either the LDAP or the WinNT provider. And I do not know if there is some other way (C#-compatible) to get this information.
Any comments/help/support on the subject are welcome. Yours,
Pietro Moras
 
Pietro,

You might want to ask at the following yahoo group, they answered all my AD
questions...

http://groups.yahoo.com/group/ADSIANDDirectoryServices/

Ollie

 
3. You can read the pwd properties by binding to the root of the domain tree
and retrieving the pwdProperties.
pwdProperties is an int; the LSB is used for DOMAIN_PASSWORD_COMPLEX.

// requires: using System; using System.DirectoryServices;
// check the platform SDK docs for other bitflags
const int DOMAIN_PASSWORD_COMPLEX = 0x000001;

// "Domain" and the DC=... components are placeholders for your own domain
using (DirectoryEntry domain = new
    DirectoryEntry("LDAP://Domain/DC=....,DC=.....,DC=....",
    "domain\\account", "pwd"))
{
    int pwdProps = (int)domain.Properties["pwdProperties"].Value;
    Console.WriteLine(pwdProps);
    // test the LSB: true when the domain enforces password complexity
    bool complex = (pwdProps & DOMAIN_PASSWORD_COMPLEX) != 0;
    Console.WriteLine(complex);
}

Willy.
 
Pietro,

Q1. Well, the pwdProperties is only exposed by the LDAP provider (on W2K and
higher domains).
Furthermore, I strongly suggest that you use LDAP in a W2K/W2K3 AD domain
environment and use the WinNT provider ONLY to access NT4 domains and
member servers/workstations.

Q2. //Domain is a placeholder; it can contain the IP address of the domain
controller, the DNS name of the DC or the Windows DOMAIN name.
- domain\account and pwd denote the binding user's credentials (domain user
id and password); note that these are the credentials used to access the AD
service objects.

- dc=.., dc=... specifies the distinguished name of the domain to bind to.
Ex. dc=microsoft, dc=com.

The distinguished name of the domain can be obtained by reading the
defaultNamingContext like this:

// requires: using System; using System.DirectoryServices;
using (DirectoryEntry domain = new
    DirectoryEntry("LDAP://RootDSE", "domain\\administrator", "mySecret",
    AuthenticationTypes.ServerBind))
{
    // defaultNamingContext holds the DN of the domain this DC serves
    string dn = (string)domain.Properties["defaultNamingContext"].Value;
    Console.WriteLine(dn);
}
Here we are binding against the user's default domain (login domain).
Another possibility is to specify the domain name or DC name; that way you
can bind against any domain as long as the binding user has the necessary
access privileges.

Q3. When using C# and the framework classes to access the AD, your best bet
is the MSDN docs; unfortunately, you have to switch back and forth between
the System.DirectoryServices FCL docs and the platform SDK docs
(http://msdn.microsoft.com/library/en-us/dsportal/dsportal/directory_services_portal.asp?).
The reason for this is that System.DirectoryServices is simply wrapping the
ADSI client COM service interfaces, and most of the properties are
described in the ADSI docs and not in the FCL docs.

Willy.

Studio P.M. said:
Dear Mr. Denoyette,
In this way, beyond the "pwdProperties", I could equally get
"minPwdLength" and "pwdHistoryLength" too. Very accurate, very complete,
and very kind of you.

And stimulating too. Indeed I can't refrain from asking these further
questions.

Q1) You chose the "LDAP://" provider, and not, say, the "WinNT://". Why?

Q2) I'm not familiar with LDAP, hence I must ask you to be more detailed
about all these arguments:
//Domain/ is it a keyword, or a placeholder for a real domain name?
DC=...,DC=... what is it for?
domain\\account same question: is it a keyword, or...
pwd same question

Q3) Where can I find such elusive information as that which you gave me? I
mean: is there a reference source, or book, that I could consult when you
are not around to grant your support?

All the best, and thanks again. Yours,
Pietro Moras
- - - - -=- - - - -=- - - - -=- - - - -=- - - - -=- - - - -=

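A consolidated example, added here and not code from the thread, that combines Willy's two snippets: it discovers the domain DN through RootDSE, binds to the domain root, and reads the three values the original question asks for, decoding every documented pwdProperties bit rather than only the LSB. It assumes a Windows host that can reach a domain controller; the user name and password are placeholders.

```csharp
using System;
using System.DirectoryServices;

// Added example (not from the thread). Placeholder credentials below.
class DomainPasswordPolicy
{
    // pwdProperties bit flags, as defined in the Platform SDK / MS-ADTS.
    const int DOMAIN_PASSWORD_COMPLEX         = 0x01;
    const int DOMAIN_PASSWORD_NO_ANON_CHANGE  = 0x02;
    const int DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x04;
    const int DOMAIN_LOCKOUT_ADMINS           = 0x08;
    const int DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10;
    const int DOMAIN_REFUSE_PASSWORD_CHANGE   = 0x20;

    static void Main()
    {
        string user = "domain\\account";   // placeholder credentials
        string pwd  = "pwd";

        // Step 1: RootDSE gives the DN of the logon domain, so the
        // DC=...,DC=... components need not be hard-coded.
        string domainDn;
        using (DirectoryEntry rootDse = new DirectoryEntry(
                   "LDAP://RootDSE", user, pwd, AuthenticationTypes.Secure))
        {
            domainDn = (string)rootDse.Properties["defaultNamingContext"].Value;
        }

        // Step 2: the policy attributes live on the domain root object.
        using (DirectoryEntry domain = new DirectoryEntry(
                   "LDAP://" + domainDn, user, pwd, AuthenticationTypes.Secure))
        {
            int minLen   = (int)domain.Properties["minPwdLength"].Value;
            int history  = (int)domain.Properties["pwdHistoryLength"].Value;
            int pwdProps = (int)domain.Properties["pwdProperties"].Value;

            Console.WriteLine("Domain:           " + domainDn);
            Console.WriteLine("minPwdLength:     " + minLen);
            Console.WriteLine("pwdHistoryLength: " + history);
            Console.WriteLine("pwdProperties:    0x" + pwdProps.ToString("X"));
            Console.WriteLine("  complexity required:    " + Has(pwdProps, DOMAIN_PASSWORD_COMPLEX));
            Console.WriteLine("  no anonymous change:    " + Has(pwdProps, DOMAIN_PASSWORD_NO_ANON_CHANGE));
            Console.WriteLine("  no cleartext change:    " + Has(pwdProps, DOMAIN_PASSWORD_NO_CLEAR_CHANGE));
            Console.WriteLine("  lockout admins:         " + Has(pwdProps, DOMAIN_LOCKOUT_ADMINS));
            // Reversible (cleartext) storage is the flag an auditor wants to see cleared.
            Console.WriteLine("  store cleartext:        " + Has(pwdProps, DOMAIN_PASSWORD_STORE_CLEARTEXT));
            Console.WriteLine("  refuse password change: " + Has(pwdProps, DOMAIN_REFUSE_PASSWORD_CHANGE));
        }
    }

    static bool Has(int flags, int bit) { return (flags & bit) != 0; }
}
```

These are the domain-wide defaults; on Windows Server 2008 and later, fine-grained password policies can override them for particular users or groups, so the domain root alone does not settle the policy for a given user.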
 
Willy,
The first impulse is of gratitude for the quality and kindness of this discussion.

The second is of perplexity and uneasiness. Indeed, as a matter of fact, in this case too, I realised that for lack of an organic, comprehensive and updated reference documentation, the success of a project may depend on the casual contribution of a collaborative colleague. OK: I owe you a favor.

And you can count one more friend.
Thanks again.
See you.
Pietro Moras
 