Determine AD password policy programmatically

Posted 2019-01-24 17:55

Question:

I have been using the System.DirectoryService (ADSI) classes and methods to create and change users in an Active Directory.

Recently we added a feature to allow users to set their own password through the system. However, using the SetPassword method throws an exception when the password is not accepted by the Password Policy set.

userEntry.Invoke("SetPassword", new object[] {password});

My question is: How do I check to see if a password lives up to the password policy, before attempting to use the SetPassword-method?

I read in this post that you can get the Password Policy settings from the root domain node, but where can I read more about what each attribute means? For instance, which characters are required to fulfill the "Complexity" policy?

Once I know this, I can implement my own password check-method, but as this is an error-prone approach, I would rather use a built-in check and give the user appropriate info on what is wrong with their password.

Answer 1:

I am working on a similar project at my work. We are rolling out a forgot-password application. I ended up just doing an Invoke("SetPassword", "[randomString]") and saved the random string for the Invoke("ChangePassword", "[randomString]", "[user supplied pw]"). The result of the ChangePassword was returned to the user.

SetPassword does not check for password complexity or history rules. It is the same as right clicking a user in AD and selecting "Reset Password." ChangePassword however, does check for password history requirements.
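The reset-then-change pattern described in this answer, written out as an added example (this is not the answerer's code). It assumes a domain-joined machine, a caller with "Reset password" rights on the target user, and an LDAP path supplied by the caller; the helper names are placeholders chosen for the example.

```csharp
using System;
using System.DirectoryServices;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

// Added example, not from the original post. Wraps the two ADSI calls the
// answer describes: an administrative reset to a throwaway value, then a
// user-style change to the password the user actually asked for.
static class PasswordSetter
{
    // Builds the interim password. The value must itself satisfy whatever
    // complexity rule the domain enforces, otherwise the reset step fails for
    // the very reason we are trying to test.
    static string RandomPassword(int length = 24)
    {
        const string alphabet =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*-_=+";
        var chars = new char[length];
        using (var rng = RandomNumberGenerator.Create())
        {
            var one = new byte[1];
            // Largest multiple of alphabet.Length that fits in a byte; draws at
            // or above it are rejected so every character is equally likely.
            int limit = 256 - (256 % alphabet.Length);
            for (int i = 0; i < length; i++)
            {
                do { rng.GetBytes(one); } while (one[0] >= limit);
                chars[i] = alphabet[one[0] % alphabet.Length];
            }
        }
        // Force one character from each of four classes so the interim value
        // cannot be rejected by a 3-of-5 complexity rule regardless of the draw.
        chars[0] = 'A'; chars[1] = 'a'; chars[2] = '7'; chars[3] = '!';
        return new string(chars);
    }

    // Returns null when AD accepted the user's password, otherwise the error
    // text AD returned so it can be shown to the user.
    public static string TrySetWithPolicyCheck(string userLdapPath, string newPassword)
    {
        string interim = RandomPassword();
        using (var user = new DirectoryEntry(userLdapPath))
        {
            // Administrative reset (IADsUser.SetPassword): takes effect immediately.
            user.Invoke("SetPassword", new object[] { interim });
            try
            {
                // User change (IADsUser.ChangePassword): evaluated against the
                // domain's password policy, including history. Throws on rejection.
                user.Invoke("ChangePassword", new object[] { interim, newPassword });
                return null;
            }
            catch (TargetInvocationException ex) when (ex.InnerException is COMException com)
            {
                // Invoke wraps the COM error. ERROR_PASSWORD_RESTRICTION (2245)
                // surfaces as HRESULT 0x800708C5, "does not meet the password
                // policy requirements"; AD does not say which rule failed.
                return string.Format("Password rejected (HRESULT 0x{0:X8}): {1}",
                                     com.ErrorCode, com.Message);
            }
        }
    }
}
```

Two things to keep in mind with this pattern. Between the two calls the account holds the random value, so if the second call is rejected the user's previous password is already gone; the application must either retry with the same interim value or have a recovery path. And because ChangePassword is a user-initiated change, a domain with a non-zero minimum password age can refuse it right after the reset; setting pwdLastSet to 0 ("must change password at next logon") before the change is the usual way around that, since that flag exempts the change from the minimum-age rule.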



Answer 2:

The complexity policy is that it must contain three out of five of these types:

  • Upper case letters
  • Lower case letters
  • Digits
  • Non-alphanumeric characters: ~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/
  • Unicode characters that are alphabetics but not uppercase or lowercase.

It also can't be the sAMAccountName or displayName (or parts of). You can read about it here. The other password policy rules are in adjacent documents.

You could try setting it and catch exceptions but from memory I don't think it tells you what's wrong with the password, just that it doesn't meet the requirements.
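A local pre-check implementing the rules this answer lists, as an added example that is not the answerer's code. It follows the documented "Password must meet complexity requirements" text: three of the five character categories, no occurrence of the whole sAMAccountName, and no occurrence of any display-name token of three or more characters after splitting on the documented delimiters (comma, period, dash, underscore, space, pound sign, tab). It cannot see password history, minimum length, or a fine-grained policy applied to the user, so it only catches obvious failures before the round-trip to AD; the directory remains the authority.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not from the original post. Mirrors the documented
// complexity rule so the user can be told *why* a password is weak, which AD
// itself does not report.
static class ComplexityCheck
{
    // Special characters from the policy text. The documented list also
    // includes the backslash, which the answer above omits.
    const string Specials = "~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/";

    // Returns an empty list when the password passes, otherwise one reason
    // per failed rule.
    public static List<string> Check(string password, string samAccountName, string displayName)
    {
        var problems = new List<string>();

        // Categories 1-5: upper, lower, base-10 digit, special, other alphabetic.
        bool upper = false, lower = false, digit = false, special = false, otherAlpha = false;
        foreach (char c in password)
        {
            if (char.IsUpper(c)) upper = true;
            else if (char.IsLower(c)) lower = true;
            else if (c >= '0' && c <= '9') digit = true;      // base-10 digits only
            else if (Specials.IndexOf(c) >= 0) special = true;
            else if (char.IsLetter(c)) otherAlpha = true;     // caseless scripts, e.g. CJK
        }
        int categories = new[] { upper, lower, digit, special, otherAlpha }.Count(b => b);
        if (categories < 3)
            problems.Add("only " + categories + " of the 5 character categories present; 3 are required");

        // Account-name rule: the whole sAMAccountName, case-insensitive; the
        // check is skipped when the name is shorter than three characters.
        if (!string.IsNullOrEmpty(samAccountName) && samAccountName.Length >= 3 &&
            password.IndexOf(samAccountName, StringComparison.OrdinalIgnoreCase) >= 0)
            problems.Add("contains the account name \"" + samAccountName + "\"");

        // Display-name rule: split on the documented delimiters; tokens shorter
        // than three characters are ignored.
        if (!string.IsNullOrEmpty(displayName))
        {
            var delimiters = new[] { ',', '.', '-', '_', ' ', '#', '\t' };
            foreach (string token in displayName.Split(delimiters, StringSplitOptions.RemoveEmptyEntries))
            {
                if (token.Length >= 3 &&
                    password.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
                    problems.Add("contains part of the display name (\"" + token + "\")");
            }
        }
        return problems;
    }

    // Constructed sample inputs; not real accounts.
    static void Main()
    {
        foreach (var p in new[] { "jsmith2019", "Correct-Horse7", "Smith!2019", "東京Tower9" })
        {
            var problems = Check(p, "jsmith", "John Smith");
            Console.WriteLine(p + ": " + (problems.Count == 0 ? "ok" : string.Join("; ", problems)));
        }
    }
}
```

With the constructed inputs, "jsmith2019" fails twice (only lowercase and digits, and it contains the account name), "Smith!2019" passes the category count but is rejected for containing the display-name token "Smith", while "Correct-Horse7" and "東京Tower9" pass (the latter counts the kanji as the fifth, caseless category). Minimum length is not modelled here; it can be read from the domain root's minPwdLength attribute mentioned in the question and checked the same way.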