Windows has five group policy settings related to password security:
- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Password must meet complexity requirements
- Store passwords using reversible encryption
I know how to use NetUserModalsGet to read most of these items. But it doesn't support checking if the password complexity requirement is enabled:
- Enforce password history: usrmod0_password_hist_len
- Maximum password age: usrmod0_max_passwd_age
- Minimum password age: usrmod0_min_passwd_age
- Minimum password length: usrmod0_min_passwd_len
- Password must meet complexity requirements: ?
- Store passwords using reversible encryption:
I also know that WMI's RSOP ("Resultant Set of Policy") is unsuitable, as it only works on a domain. And I'm certainly not going to go crawling through an undocumented binary blob (i.e. I want the supported way).
Note: I don't care about the "Store passwords using reversible encryption" group policy setting.
Bonus
You can also use the NetUserModalsGet API to retrieve the Account Lockout Policy settings:
- Account lockout duration: usrmod3_lockout_duration
- Account lockout threshold: usrmod3_lockout_threshold
- Reset account lockout counter after: usrmod3_lockout_observation_window
That rounds out all the password-related group policy options, except for "must meet complexity requirements".
For completeness, assume a non-domain joined machine (i.e. no AD server to query, no RSOP to query, etc).
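As an added illustration of the NetUserModalsGet part of the question (this is example code, not the question author's), the following C# program reads USER_MODALS_INFO_0 and USER_MODALS_INFO_3 for the local machine and maps the fields onto the policy items listed above. The struct layouts and the TIMEQ_FOREVER sentinel are the documented ones from lmaccess.h; ages and windows are reported by the API in seconds.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not the question author's code): read the password and lockout
// policy items listed in the question through NetUserModalsGet levels 0 and 3.
static class UserModals
{
    // USER_MODALS_INFO_0 (lmaccess.h); ages are in seconds
    [StructLayout(LayoutKind.Sequential)]
    public struct USER_MODALS_INFO_0
    {
        public uint usrmod0_min_passwd_len;
        public uint usrmod0_max_passwd_age;
        public uint usrmod0_min_passwd_age;
        public uint usrmod0_force_logoff;
        public uint usrmod0_password_hist_len;
    }

    // USER_MODALS_INFO_3 (lmaccess.h); durations are in seconds
    [StructLayout(LayoutKind.Sequential)]
    public struct USER_MODALS_INFO_3
    {
        public uint usrmod3_lockout_duration;
        public uint usrmod3_lockout_observation_window;
        public uint usrmod3_lockout_threshold;
    }

    // Sentinel the API uses for "forever" / "never expires"
    public const uint TIMEQ_FOREVER = 0xFFFFFFFF;

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern int NetUserModalsGet(string servername, int level, out IntPtr bufptr);

    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buffer);

    // Fetches one information level for the local machine (servername == null)
    // and releases the API-allocated buffer afterwards.
    static T Get<T>(int level) where T : struct
    {
        int status = NetUserModalsGet(null, level, out IntPtr buf);
        if (status != 0)
            throw new InvalidOperationException($"NetUserModalsGet({level}) failed, NET_API_STATUS {status}");
        try { return Marshal.PtrToStructure<T>(buf); }
        finally { NetApiBufferFree(buf); }
    }

    static string Seconds(uint s) => s == TIMEQ_FOREVER ? "forever (TIMEQ_FOREVER)" : $"{s} s ({s / 86400} days)";

    static void Main()
    {
        var m0 = Get<USER_MODALS_INFO_0>(0);
        var m3 = Get<USER_MODALS_INFO_3>(3);
        Console.WriteLine($"Enforce password history    : {m0.usrmod0_password_hist_len}");
        Console.WriteLine($"Maximum password age        : {Seconds(m0.usrmod0_max_passwd_age)}");
        Console.WriteLine($"Minimum password age        : {Seconds(m0.usrmod0_min_passwd_age)}");
        Console.WriteLine($"Minimum password length     : {m0.usrmod0_min_passwd_len}");
        Console.WriteLine($"Account lockout threshold   : {m3.usrmod3_lockout_threshold} (0 = never lock out)");
        Console.WriteLine($"Account lockout duration    : {Seconds(m3.usrmod3_lockout_duration)}");
        Console.WriteLine($"Reset lockout counter after : {Seconds(m3.usrmod3_lockout_observation_window)}");
    }
}
```

Note that neither level exposes a complexity flag, which is exactly the gap the question is about; the two structures together cover every other item in the lists above.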
Best Answer
This is accessible using SAM (Security Account Manager) APIs.
This API (served by SAMLIB.DLL) is not directly documented (no header, no SDK), but the "protocol" to use it is documented here: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol (Client-to-Server). You "just" have to remove the "r" in the described SamrXXXX methods. The ones in question here are SamQueryInformationDomain (and the associated SamSetInformationDomain), which will get you a DOMAIN_PASSWORD_INFORMATION structure.
The PasswordProperties member can contain the DOMAIN_PASSWORD_COMPLEX flag. I've provided some C# samples to check this.
First one dumps the policy for all domains served by the current machine's SAM server:
Second one reads and updates the policy for the current machine's domain:
This is the SamServer utility:
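To make the answer's approach concrete, here is an added C# example (it is not the answerer's SamServer utility, which is not reproduced above) that connects to the local SAM server, looks up the machine's own SAM domain, calls SamQueryInformationDomain with DomainPasswordInformation and tests the DOMAIN_PASSWORD_COMPLEX bit. The samlib.dll function names and parameter lists are the [MS-SAMR] ones with the "r" removed, as the answer describes; the DOMAIN_PASSWORD_INFORMATION layout and the DOMAIN_PASSWORD_* flag values are taken from ntsecapi.h, and the access-mask and information-class constants from the SAM definitions. Assumed: a workgroup (non-domain-joined) machine, whose SAM domain is named after the computer, and a process with sufficient rights (normally an elevated administrator). Passing a zeroed OBJECT_ATTRIBUTES to SamConnect is an assumption that works on current Windows versions.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not the answer author's sample): read the local SAM domain's
// password policy via samlib.dll and report whether DOMAIN_PASSWORD_COMPLEX is set.
static class SamPasswordPolicy
{
    [StructLayout(LayoutKind.Sequential)]
    struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [StructLayout(LayoutKind.Sequential)]
    struct OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }

    // DOMAIN_PASSWORD_INFORMATION (ntsecapi.h); ages are negative 100 ns intervals
    [StructLayout(LayoutKind.Sequential)]
    public struct DOMAIN_PASSWORD_INFORMATION
    {
        public ushort MinPasswordLength;
        public ushort PasswordHistoryLength;
        public uint PasswordProperties;
        public long MaxPasswordAge;
        public long MinPasswordAge;
    }

    // PasswordProperties flags (ntsecapi.h)
    public const uint DOMAIN_PASSWORD_COMPLEX = 0x01;
    public const uint DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x02;
    public const uint DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x04;
    public const uint DOMAIN_LOCKOUT_ADMINS = 0x08;
    public const uint DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10; // "store using reversible encryption"
    public const uint DOMAIN_REFUSE_PASSWORD_CHANGE = 0x20;

    const int DomainPasswordInformation = 1;       // DOMAIN_INFORMATION_CLASS value
    const uint SAM_SERVER_LOOKUP_DOMAIN = 0x20;    // needed for SamLookupDomainInSamServer
    const uint DOMAIN_READ_PASSWORD_PARAMETERS = 0x01;

    [DllImport("samlib.dll")] static extern int SamConnect(IntPtr serverName, out IntPtr serverHandle, uint desiredAccess, ref OBJECT_ATTRIBUTES objectAttributes);
    [DllImport("samlib.dll")] static extern int SamLookupDomainInSamServer(IntPtr serverHandle, ref UNICODE_STRING name, out IntPtr domainSid);
    [DllImport("samlib.dll")] static extern int SamOpenDomain(IntPtr serverHandle, uint desiredAccess, IntPtr domainSid, out IntPtr domainHandle);
    [DllImport("samlib.dll")] static extern int SamQueryInformationDomain(IntPtr domainHandle, int infoClass, out IntPtr buffer);
    [DllImport("samlib.dll")] static extern int SamFreeMemory(IntPtr buffer);
    [DllImport("samlib.dll")] static extern int SamCloseHandle(IntPtr handle);

    static void Check(int status, string call)
    {
        if (status < 0) throw new InvalidOperationException($"{call} failed, NTSTATUS 0x{status:X8}");
    }

    // Queries the password policy of the local machine's SAM domain (on a workgroup
    // machine the account domain carries the computer name; "Builtin" is the other one).
    public static DOMAIN_PASSWORD_INFORMATION QueryLocalDomainPasswordPolicy()
    {
        var oa = new OBJECT_ATTRIBUTES { Length = Marshal.SizeOf<OBJECT_ATTRIBUTES>() }; // assumption: zeroed attributes are accepted
        Check(SamConnect(IntPtr.Zero, out IntPtr server, SAM_SERVER_LOOKUP_DOMAIN, ref oa), "SamConnect"); // NULL name = local SAM
        IntPtr sid = IntPtr.Zero, domain = IntPtr.Zero, buffer = IntPtr.Zero;
        string name = Environment.MachineName;
        var uname = new UNICODE_STRING
        {
            Length = (ushort)(name.Length * 2),
            MaximumLength = (ushort)(name.Length * 2 + 2),
            Buffer = Marshal.StringToHGlobalUni(name)
        };
        try
        {
            Check(SamLookupDomainInSamServer(server, ref uname, out sid), "SamLookupDomainInSamServer");
            Check(SamOpenDomain(server, DOMAIN_READ_PASSWORD_PARAMETERS, sid, out domain), "SamOpenDomain");
            Check(SamQueryInformationDomain(domain, DomainPasswordInformation, out buffer), "SamQueryInformationDomain");
            return Marshal.PtrToStructure<DOMAIN_PASSWORD_INFORMATION>(buffer);
        }
        finally
        {
            // Buffers handed out by SAM are released with SamFreeMemory, handles with SamCloseHandle
            if (buffer != IntPtr.Zero) SamFreeMemory(buffer);
            if (domain != IntPtr.Zero) SamCloseHandle(domain);
            if (sid != IntPtr.Zero) SamFreeMemory(sid);
            Marshal.FreeHGlobal(uname.Buffer);
            SamCloseHandle(server);
        }
    }

    // SAM stores ages as negative 100 ns intervals; long.MinValue means "never"
    static string AgeToDays(long age) => age == long.MinValue ? "never" : $"{-age / (10_000_000L * 86_400)} days";

    static void Main()
    {
        var p = QueryLocalDomainPasswordPolicy();
        Console.WriteLine($"Minimum password length : {p.MinPasswordLength}");
        Console.WriteLine($"Password history length : {p.PasswordHistoryLength}");
        Console.WriteLine($"Maximum password age    : {AgeToDays(p.MaxPasswordAge)}");
        Console.WriteLine($"Minimum password age    : {AgeToDays(p.MinPasswordAge)}");
        Console.WriteLine($"Complexity required     : {(p.PasswordProperties & DOMAIN_PASSWORD_COMPLEX) != 0}");
        Console.WriteLine($"Reversible encryption   : {(p.PasswordProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT) != 0}");
    }
}
```

A practical caveat: since samlib.dll has no public header, a future Windows release is free to change these exports, so a tool relying on them should fail loudly on an unexpected NTSTATUS rather than silently report "complexity off". Writing the policy back goes through SamSetInformationDomain with the same information class and DOMAIN_WRITE_PASSWORD_PARAMS access, and changes the machine's effective policy immediately, so treat that path as an administrative action.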