[英]Reading the local password policy programmatically
是否有Windows API函數允許讀取當前密碼策略是什么? 例如,最小長度,復雜性等。
如果沒有閱讀,有沒有辦法以編程方式驗證策略的密碼?
請參閱安全性監視Windows域密碼策略 。 您可以使用ADSI或其包裝器來命中AD。 我找到了一個VBScript樣本 。 您可以將其翻譯成您想要的任何語言:
Sub ListPasswordPolicyInfo( strDomain )
Dim objComputer
Set objComputer = GetObject("WinNT://" & strDomain )
WScript.Echo "MinPasswordAge: " & ((objComputer.MinPasswordAge) / 86400)
WScript.Echo "MinPasswordLength: " & objComputer.MinPasswordLength
WScript.Echo "PasswordHistoryLength: " & objComputer.PasswordHistoryLength
WScript.Echo "AutoUnlockInterval: " & objComputer.AutoUnlockInterval
WScript.Echo "LockOutObservationInterval: " & objComputer.LockOutObservationInterval
End Sub
Dim strDomain
Do
strDomain = inputbox( "Please enter a domainname", "Input" )
Loop until strDomain <> ""
ListPasswordPolicyInfo( strDomain )
作為獎勵,請查看LDAP管理員 。 它是一個開源的LDAP目錄編輯器,您可以使用它來測試事物,也可以檢查用Delphi編寫的代碼。
Eugene的回答很有幫助,但並不完全符合我的要求。 密碼復雜性過濾器實際上可以自定義,什么是好的方式來問Windows,這個密碼是否符合要求?
我花了一段時間找到它,但功能是NetValidatePasswordPolicy
。 這個函數的MSDN文檔非常糟糕; 請查看此MSDN博客條目 。
查詢ActiveDirectory僅適用於加入域的計算機; 並且用戶有能力查詢域控制器(這是可以取消授權的)。
@ NicholasWilson使用NetValidatePasswordPolicy
的答案很好; 因為它可以為你做很多繁重的工作。 它甚至可以執行您必須自己重新實現的密碼質量檢查。 但是當使用salted哈希存儲密碼(例如BCrypt或Scrypt)時, NetValidatePasswordPolicy
會檢查您的自定義密碼歷史記錄失敗。
但真正的問題是如何查詢當前機器(甚至是非域加入機器)的密碼策略。 您可以使用以下方式查詢:
struct USER_MODALS_INFO_0
{
DWORD usrmod0_min_passwd_len;
DWORD usrmod0_max_passwd_age;
DWORD usrmod0_min_passwd_age
DWORD usrmod0_force_logoff;
DWORD usrmod0_password_hist_len;
}
PUSER_MODALS_INFO_0 = ^USER_MODALS_INFO_0;
PUSER_MODALS_INFO_0 info0;
NET_API_STATUS res = NetUserModalsGet(nil, 0, out info0);
if (res <> NERR_Success)
RaiseWin32Error(res);
try
//Specifies the minimum allowable password length.
//Valid values for this element are zero through PWLEN.
Log(info0.usrmod0_min_passwd_len);
//Specifies, in seconds, the maximum allowable password age.
//A value of TIMEQ_FOREVER indicates that the password never expires.
//The minimum valid value for this element is ONE_DAY.
//The value specified must be greater than or equal to the value for the usrmod0_min_passwd_age member.
Log(info0.usrmod0_max_passwd_age);
//Specifies the minimum number of seconds that can elapse between the time
//a password changes and when it can be changed again.
//A value of zero indicates that no delay is required between password updates.
//The value specified must be less than or equal to the value for the usrmod0_max_passwd_age member.
Log(info0.usrmod0_min_passwd_age);
//Specifies, in seconds, the amount of time between the end of the valid
// logon time and the time when the user is forced to log off the network.
//A value of TIMEQ_FOREVER indicates that the user is never forced to log off.
//A value of zero indicates that the user will be forced to log off immediately when the valid logon time expires.
Log(info0.usrmod0_force_logoff);
//Specifies the length of password hi'+'story maintained.
//A new password cannot match any of the previous usrmod0_password_hist_len passwords.
//Valid values for this element are zero through DEF_MAX_PWHIST
Log(info0.usrmod0_password_hist_len);
finally
NetApiBufferFree(info0);
end;
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.