I'm writing a C# program that will enforce password complexity in accordance with the Windows Group Policy setting "Password must meet complexity requirements". Specifically, if that policy is set to Enabled either on the local machine (if it's not part of a domain) or by the Domain Security Policy (for domain members), then my software needs to enforce a complex password for its own internal security.
The issue is that I can't figure out how to read that GPO setting. Google searches have indicated that I can read GPO settings with one of these two APIs: the System.DirectoryServices library in .NET Framework, and Windows Management Instrumentation (WMI), but I haven't had any success so far.
Any insights would be helpful.
There doesn't appear to be a documented API for this task, managed or otherwise.
Managed Attempt
I tried the managed route using the System.Management assembly:
This however will not return results. It doesn't appear to be a permission issue as providing a username/password pair to ConnectionOptions results in an exception telling you that you can not specify a username when connecting locally.
Unmanaged Attempt
I looked at NetUserModalsGet. While this will return some information on password settings:
...it will not let you tell if the Password Complexity policy is enabled.
Tool Output Scraping 'Success'
So I resorted to parsing secedit.exe output.
Full code here: http://gist.github.com/421802
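The secedit approach described in this answer, as an added example that is not the code from the linked gist: it exports the security policy to a temporary file and reads the PasswordComplexity value from the [System Access] section. It assumes an elevated process and a UTF-16 export file; the class and method names are hypothetical and the sample lines in Main are constructed.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Text;
static class PasswordPolicyCheck // hypothetical name, not from the gist
{
    // Returns true/false for "PasswordComplexity = 1/0" under [System Access], null if absent.
    public static bool? ParseComplexity(string[] lines)
    {
        bool inSection = false;
        foreach (string raw in lines)
        {
            string line = raw.Trim();
            if (line.StartsWith("[", StringComparison.Ordinal))
            { inSection = line.Equals("[System Access]", StringComparison.OrdinalIgnoreCase); continue; }
            if (!inSection) continue;
            string[] kv = line.Split(new[] { '=' }, 2);
            if (kv.Length == 2 && kv[0].Trim().Equals("PasswordComplexity", StringComparison.OrdinalIgnoreCase))
                return kv[1].Trim() == "1";
        }
        return null;
    }
    // Fails closed: if the policy cannot be read, complexity is treated as required.
    public static bool IsComplexityRequired()
    {
        string cfg = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        try
        {
            // Absolute path to the system copy, so a secedit.exe elsewhere on PATH is never run.
            string exe = Path.Combine(Environment.SystemDirectory, "secedit.exe");
            var psi = new ProcessStartInfo(exe, "/export /cfg \"" + cfg + "\" /areas SECURITYPOLICY")
            { UseShellExecute = false, CreateNoWindow = true };
            using (Process p = Process.Start(psi))
            {
                p.WaitForExit();
                if (p.ExitCode != 0) return true; // export failed (assumed cause: not elevated)
            }
            return ParseComplexity(File.ReadAllLines(cfg, Encoding.Unicode)) ?? true;
        }
        catch (Exception) { return true; }
        finally { try { File.Delete(cfg); } catch (Exception) { } }
    }
    static void Main()
    {
        // Constructed sample of an export file, used to exercise the parser offline.
        string[] sample = { "[Unicode]", "Unicode=yes", "[System Access]",
                            "MinimumPasswordLength = 7", "PasswordComplexity = 1", "[Event Audit]" };
        Console.WriteLine("Sample: " + ParseComplexity(sample) + ", this machine: " + IsComplexityRequired());
    }
}
```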
You can use the Resultant Set of Policy (RSOP) tools. E.g. here's a VBScript (lifted from here) which will tell you what you need to know. It should be simple enough to translate this into C#.
I came across this Microsoft forum answer: http://social.msdn.microsoft.com/Forums/en-US/csharpgeneral/thread/f3f5a61f-2ab9-459e-a1ee-c187465198e0
Hope this helps somebody who comes across this question in the future.