Re: Programmatically change security settings. Is it possible?


From: Richard Mueller [MVP] (rlmueller-NOSPAM_at_ameritech.NOSPAM.net)
Date: 03/31/04


Date: Wed, 31 Mar 2004 11:46:54 -0600

Hi,

Reading is one thing, writing is another. The policy settings apply to the
domain only, so there isn't much point altering these programmatically. They
cannot be set for individual users. I don't remember seeing code to modify
any Integer8 attributes. The relevant attributes are:

attribute                  syntax
---------                  ------
minPwdAge                  Integer8
minPwdLength               Integer
lockoutDuration            Integer8
lockoutObservationWindow   Integer8
lockoutThreshold           Integer

The Integer8 attributes are 64-bit numbers. You must use the
IADsLargeInteger interface to deal with the 64-bit numbers. In VBScript, you
can read the values as follows:

Option Explicit
Dim objRootDSE, strDNSDomain, objDomain
Dim objMinPWAge, lngMinPWAge
Dim objDuration, lngDuration
Dim objLockoutWin, lngLockoutWin

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDNSDomain)

Wscript.Echo "Domain policy values"

Set objMinPWAge = objDomain.minPwdAge
lngMinPWAge = Int8ToSec(objMinPWAge) / (24 * 60 * 60)
Wscript.Echo "Minimum password age in days: " & lngMinPWAge

Wscript.Echo "Minimum password length: " & objDomain.minPwdLength

Set objDuration = objDomain.lockoutDuration
lngDuration = Int8ToSec(objDuration) / (60)
Wscript.Echo "Lockout duration in minutes: " & lngDuration

Set objLockoutWin = objDomain.lockoutObservationWindow
lngLockoutWin = Int8ToSec(objLockoutWin) / (60)
Wscript.Echo "Lockout window in minutes: " & lngLockoutWin

Wscript.Echo "Lockout threshold: " & objDomain.lockoutThreshold

Function Int8ToSec(objInt8)
' Function to convert Integer8 attributes from
' 64-bit numbers to seconds.
  Dim lngHigh, lngLow
  lngHigh = objInt8.HighPart
' Account for error in IADsLargeInteger property methods.
  lngLow = objInt8.LowPart
  If lngLow < 0 Then
    lngHigh = lngHigh + 1
  End If
  Int8ToSec = -(lngHigh * (2^32) + lngLow) / (10000000)
End Function

-- 
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
"Derek Melber [MVP]" <derekm@braincore.net> wrote in message
news:%23VkCx$zFEHA.1156@TK2MSFTNGP12.phx.gbl...
> Andrey,
>
> Some of what you want are policy settings and other details are user account
> related. For the policy info, just run "net accounts". For the user account
> info, you can just create a simple VBS script to pluck out that info. For
> the syntax and details of the attributes, just search on the msdn web site.
>
> -- 
> Derek Melber
> BrainCore.Net
> derekm@braincore.net
> "Andrey Zakharchuk" <coder@proza.lviv.ua> wrote in message
> news:%23QNVdzzFEHA.2768@tk2msftngp13.phx.gbl...
> > Hello, All.
> >
> > I need an ability to read/write a number of security settings: "Local
> > Security Policy" values like a "Password Policies" ("Minimum password
> > length", "Maximum password age"), "Account Lockout Policy" ("Account
> > lockout threshold", "Account lockout duration", "Reset account lockout
> > after") etc. I need to do this from, let's say, C#/Delphi/VB code. Could
> > anyone give me a little sample or URL with explanation how to do that?
> >
> > I tried a lot of methods from LSA API to ADSI. LSA API seems to be not
> > very suitable for this task (at least I didn't find a way to
> > access these values).
> >
> > ADSI seems to be better, but most of samples I saw are about domain/user
> > management. I guess security settings are present somewhere in the AD
> > but I don't know this path and structure of these values (classes,
> > attributes etc).
> >
> > Are there some other ways except LSA API and ADSI?
> >
> > Thank you in advance.
> >
> > --
> > Best regards,
> > Andrey.
>
>
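
An added example, not part of the original thread: the Integer8 arithmetic behind Int8ToSec, written in Python so it runs offline, and extended to the raw form an LDAP client sees (a signed decimal string). The function names and the sample entry are constructed for illustration; the example assumes the interval attributes are negative counts of 100-nanosecond ticks, as the VBScript above does.

```python
import struct

TICKS_PER_SECOND = 10_000_000  # Integer8 intervals count 100-nanosecond ticks
INTERVAL_ATTRS = {"minPwdAge", "lockoutDuration", "lockoutObservationWindow"}

# Constructed sample: attribute -> decimal string, the form LDAP returns.
SAMPLE_ENTRY = {
    "minPwdAge": "-864000000000",             # 1 day
    "minPwdLength": "7",
    "lockoutDuration": "-18000000000",        # 30 minutes
    "lockoutObservationWindow": "-18000000000",
    "lockoutThreshold": "5",
}

def to_adsi_parts(raw):
    """Split a signed 64-bit value into signed 32-bit (HighPart, LowPart)."""
    low, high = struct.unpack("<ii", struct.pack("<q", raw))
    return high, low

def from_adsi_parts(high, low):
    """Recombine the pair, treating LowPart as the unsigned low 32 bits."""
    return (high << 32) + (low & 0xFFFFFFFF)

def from_adsi_parts_post(high, low):
    """Same result via the correction used in Int8ToSec in the post."""
    if low < 0:
        high += 1  # a negative LowPart has already "borrowed" 2^32
    return high * 2**32 + low

def interval_seconds(raw):
    """Stored value is a negative tick count; return positive seconds."""
    return -raw // TICKS_PER_SECOND

def read_policy(entry):
    """Decode an entry, cross-checking both recombination methods."""
    out = {}
    for name, value in entry.items():
        raw = int(value)
        if name in INTERVAL_ATTRS:
            high, low = to_adsi_parts(raw)
            if not (from_adsi_parts(high, low) == from_adsi_parts_post(high, low) == raw):
                raise ValueError("HighPart/LowPart recombination mismatch for " + name)
            out[name] = interval_seconds(raw)
        else:
            out[name] = raw
    return out

if __name__ == "__main__":
    print(read_policy(SAMPLE_ENTRY))
```

Without the correction, the one-day sample's pair (-202, -711573504) recombines to a value that is off by 2^32 ticks, about 429 seconds.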

