当前位置: 文江博客话题详情

读取本地组策略/Active Directory 设置

发布于 2024-08-06 02:47:49 字数 329 浏览 2 评论 0原文

我正在编写一个 C# 程序,它将根据 Windows 组策略设置“密码必须满足复杂性要求”强制执行密码复杂性。具体来说,如果该策略在本地计算机上(如果它不是域的一部分)或通过域安全策略(对于域成员)设置为启用,则我的软件需要强制执行复杂的密码以确保其自身的内部安全。

问题是我不知道如何读取该 GPO 设置。 Google 搜索表明我可以使用这两个 API 之一读取 GPO 设置:.NET Framework 中的 System.DirectoryServices 库和 Windows Management Instrumentation (WMI),但到目前为止我还没有取得任何成功。

任何见解都会有帮助。

原文

I'm writing a C# program that will enforce password complexity in accordance with the Windows Group Policy setting "Password must meet complexity requirements". Specifically, if that policy is set to Enabled either on the local machine (if it's not part of a domain) or by the Domain Security Policy (for domain members), then my software needs to enforce a complex password for its own internal security.

The issue is that I can't figure out how to read that GPO setting. Google searches have indicated that I can read GPO settings with one of these two APIs: the System.DirectoryServices library in .NET Framework, and Windows Management Instrumentation (WMI), but I haven't had any success so far.

Any insights would be helpful.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

清眉祭 2024-08-13 02:47:49

似乎没有针对此任务的记录 API,无论是托管还是其他方式。

托管尝试

我使用 System.Management 程序集尝试了托管路由:

        ConnectionOptions options = new ConnectionOptions();
        ManagementScope scope = new ManagementScope(@"\\.\root\RSOP\Computer", options);

        ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, new ObjectQuery("SELECT * FROM RSOP_SecuritySettingBoolean"));
        foreach(ManagementObject o in searcher.Get())
        {
            Console.WriteLine("Key Name: {0}", o["KeyName"]);
            Console.WriteLine("Precedence: {0}", o["Precedence"]);
            Console.WriteLine("Setting: {0}", o["Setting"]);
        }

但这不会返回结果。这似乎不是权限问题,因为向 ConnectionOptions 提供用户名/密码对会导致异常,告诉您在本地连接时无法指定用户名。

非托管尝试

我查看了 NetUserModalsGet。虽然这将返回有关密码设置的一些信息:

typedef struct _USER_MODALS_INFO_0 {
  DWORD usrmod0_min_passwd_len;
  DWORD usrmod0_max_passwd_age;
  DWORD usrmod0_min_passwd_age;
  DWORD usrmod0_force_logoff;
  DWORD usrmod0_password_hist_len;
} USER_MODALS_INFO_0, *PUSER_MODALS_INFO_0, *LPUSER_MODALS_INFO_0;

..它不会告诉 密码复杂性策略已启用。

工具输出抓取“成功”

所以我求助于解析 secedit.exe 输出。

    public static bool PasswordComplexityPolicy()
    {
        var tempFile = Path.GetTempFileName();

        Process p = new Process();
        p.StartInfo.FileName = Environment.ExpandEnvironmentVariables(@"%SystemRoot%\system32\secedit.exe");
        p.StartInfo.Arguments = String.Format(@"/export /cfg ""{0}"" /quiet", tempFile);
        p.StartInfo.CreateNoWindow = true;
        p.StartInfo.UseShellExecute = false;
        p.Start();
        p.WaitForExit();

        var file = IniFile.Load(tempFile);

        IniSection systemAccess = null;
        var passwordComplexityString = "";
        var passwordComplexity = 0;

        return file.Sections.TryGetValue("System Access", out systemAccess)
            && systemAccess.TryGetValue("PasswordComplexity", out passwordComplexityString)
            && Int32.TryParse(passwordComplexityString, out passwordComplexity)
            && passwordComplexity == 1;
    }

完整代码在这里:http://gist.github.com/421802

There doesn't appear to be a documented API for this task, managed or otherwise.

Managed Attempt

I tried the managed route using the System.Management assembly:

        ConnectionOptions options = new ConnectionOptions();
        ManagementScope scope = new ManagementScope(@"\\.\root\RSOP\Computer", options);

        ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, new ObjectQuery("SELECT * FROM RSOP_SecuritySettingBoolean"));
        foreach(ManagementObject o in searcher.Get())
        {
            Console.WriteLine("Key Name: {0}", o["KeyName"]);
            Console.WriteLine("Precedence: {0}", o["Precedence"]);
            Console.WriteLine("Setting: {0}", o["Setting"]);
        }

This however will not return results. It doesn't appear to be a permission issue as providing a username/password pair to ConnectionOptions results in an exception telling you that you can not specify a username when connecting locally.

Unmanaged Attempt

I looked at NetUserModalsGet. While this will return some information on password settings:

typedef struct _USER_MODALS_INFO_0 {
  DWORD usrmod0_min_passwd_len;
  DWORD usrmod0_max_passwd_age;
  DWORD usrmod0_min_passwd_age;
  DWORD usrmod0_force_logoff;
  DWORD usrmod0_password_hist_len;
} USER_MODALS_INFO_0, *PUSER_MODALS_INFO_0, *LPUSER_MODALS_INFO_0;

..it will not let tell if the Password Complexity policy is enabled.

Tool Output Scraping 'Success'

So I resorted to parsing secedit.exe output.

    public static bool PasswordComplexityPolicy()
    {
        var tempFile = Path.GetTempFileName();

        Process p = new Process();
        p.StartInfo.FileName = Environment.ExpandEnvironmentVariables(@"%SystemRoot%\system32\secedit.exe");
        p.StartInfo.Arguments = String.Format(@"/export /cfg ""{0}"" /quiet", tempFile);
        p.StartInfo.CreateNoWindow = true;
        p.StartInfo.UseShellExecute = false;
        p.Start();
        p.WaitForExit();

        var file = IniFile.Load(tempFile);

        IniSection systemAccess = null;
        var passwordComplexityString = "";
        var passwordComplexity = 0;

        return file.Sections.TryGetValue("System Access", out systemAccess)
            && systemAccess.TryGetValue("PasswordComplexity", out passwordComplexityString)
            && Int32.TryParse(passwordComplexityString, out passwordComplexity)
            && passwordComplexity == 1;
    }

Full code here: http://gist.github.com/421802

回复 原文
梦归所梦 2024-08-13 02:47:49

您可以使用策略结果集 (RSOP) 工具。例如,这里有一个 VBScript(取自此处),它会告诉您你需要知道什么。将其翻译成 C# 应该很简单。

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery _
    ("Select * from RSOP_SecuritySettingBoolean")
For Each objItem in colItems
    Wscript.Echo "Key Name: " & objItem.KeyName
    Wscript.Echo "Precedence: " & objItem.Precedence
    Wscript.Echo "Setting: " & objItem.Setting
    Wscript.Echo
Next

You can use the Resultant Set of Policy (RSOP) tools. E.g. here's a VBScript (lifted from here) which will tell you what you need to know. It should be simple enough to translate this into C#.

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery _
    ("Select * from RSOP_SecuritySettingBoolean")
For Each objItem in colItems
    Wscript.Echo "Key Name: " & objItem.KeyName
    Wscript.Echo "Precedence: " & objItem.Precedence
    Wscript.Echo "Setting: " & objItem.Setting
    Wscript.Echo
Next
回复 原文
无戏配角 2024-08-13 02:47:49

我遇到了您的这个 Microsoft 论坛答案 http://social.msdn.microsoft.com/Forums/en-US/csharpgeneral/thread/f3f5a61f-2ab9-459e-a1ee-c187465198e0

希望这对将来遇到这个问题的人有所帮助。

I came across your this Microsoft forum answer http://social.msdn.microsoft.com/Forums/en-US/csharpgeneral/thread/f3f5a61f-2ab9-459e-a1ee-c187465198e0

Hope this helps somebody who comes across this question in the future.

回复 原文
~没有更多了~

关于作者

影子的影子

暂无简介

0 文章
0 评论
22 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

1CH1MKgiKxn9p

文章 0 评论 0

ゞ记忆︶ㄣ

文章 0 评论 0

JackDx

文章 0 评论 0

信远

文章 0 评论 0

yaoduoduo1995

文章 0 评论 0

霞映澄塘

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文