以编程方式读取本地密码策略

是否有Windows API函数,允许读取当前的密码策略是什么? 例如,最小长度,复杂度等

如果没有阅读,有没有一种方法来validation密码对策略编程?

Solutions Collecting From Web of "以编程方式读取本地密码策略"

请参阅安全性观察Windows域密码策略 。 您可以使用ADSI或其包装来打AD。 我找到了一个VBScript示例 。 你可以把它翻译成你想要的任何语言:

Sub ListPasswordPolicyInfo( strDomain ) Dim objComputer Set objComputer = GetObject("WinNT://" & strDomain ) WScript.Echo "MinPasswordAge: " & ((objComputer.MinPasswordAge) / 86400) WScript.Echo "MinPasswordLength: " & objComputer.MinPasswordLength WScript.Echo "PasswordHistoryLength: " & objComputer.PasswordHistoryLength WScript.Echo "AutoUnlockInterval: " & objComputer.AutoUnlockInterval WScript.Echo "LockOutObservationInterval: " & objComputer.LockOutObservationInterval End Sub Dim strDomain Do strDomain = inputbox( "Please enter a domainname", "Input" ) Loop until strDomain <> "" ListPasswordPolicyInfo( strDomain ) 

作为奖励,请检查LDAP管理员 。 这是一个开源的LDAP目录编辑器,你可以使用它来测试事物,也可以检查用Delphi编写的代码。

尤金的回答是有帮助的,但不是我所需要的。 密码复杂性过滤器实际上可以定制,什么是好的将是一种问Windows的方式,这个密码是否符合要求?

我花了一段时间才找到它,但函数是NetValidatePasswordPolicy 。 此功能的MSDN文档是可怕的; 请查看此MSDN博客条目 。

查询ActiveDirectory只适用于加入域的计算机; 并且用户有能力查询域控制器(这是可以被授予的东西)。

@ NicholasWilson的使用NetValidatePasswordPolicy的答案是很好的; 因为它可以为你做很多繁重的工作。 它甚至可以执行密码质量检查,您将不得不重新实施自己。 但是NetValidatePasswordPolicy在使用盐渍散列来存储密码(例如,BCrypt或Scrypt)时检查自定义密码历史记录时会失败。

但真正的问题是如何查询当前机器(即使是非域加入的机器)的密码策略。 您可以使用以下方式查询:

NetUserModalsGet

 struct USER_MODALS_INFO_0 { DWORD usrmod0_min_passwd_len; DWORD usrmod0_max_passwd_age; DWORD usrmod0_min_passwd_age DWORD usrmod0_force_logoff; DWORD usrmod0_password_hist_len; } PUSER_MODALS_INFO_0 = ^USER_MODALS_INFO_0; PUSER_MODALS_INFO_0 info0; NET_API_STATUS res = NetUserModalsGet(nil, 0, out info0); if (res <> NERR_Success) RaiseWin32Error(res); try //Specifies the minimum allowable password length. //Valid values for this element are zero through PWLEN. Log(info0.usrmod0_min_passwd_len); //Specifies, in seconds, the maximum allowable password age. //A value of TIMEQ_FOREVER indicates that the password never expires. //The minimum valid value for this element is ONE_DAY. //The value specified must be greater than or equal to the value for the usrmod0_min_passwd_age member. Log(info0.usrmod0_max_passwd_age); //Specifies the minimum number of seconds that can elapse between the time //a password changes and when it can be changed again. //A value of zero indicates that no delay is required between password updates. //The value specified must be less than or equal to the value for the usrmod0_max_passwd_age member. Log(info0.usrmod0_min_passwd_age); //Specifies, in seconds, the amount of time between the end of the valid // logon time and the time when the user is forced to log off the network. //A value of TIMEQ_FOREVER indicates that the user is never forced to log off. //A value of zero indicates that the user will be forced to log off immediately when the valid logon time expires. Log(info0.usrmod0_force_logoff); //Specifies the length of password hi'+'story maintained. //A new password cannot match any of the previous usrmod0_password_hist_len passwords. //Valid values for this element are zero through DEF_MAX_PWHIST Log(info0.usrmod0_password_hist_len); finally NetApiBufferFree(info0); end;