1

Is there any API to work with Local and/or Global Password Policy (read/write policy settings)?

I found there is a Windows command:

```
net accounts
```

What API does it use to read the settings? Is it possible to change the settings programmatically under admin permissions?

ohavryl

2 Answers

3

You can use the NetUserModalsGet() function in netapi32.lib.

See the example at https://msdn.microsoft.com/en-us/library/aa370656(VS.85).aspx

NetUserModalsGet

```c
#include <windows.h>
#include <lm.h>
#include <stdio.h>

#pragma comment(lib, "netapi32.lib")

/* Declared in lmaccess.h (included by lm.h); shown here for reference:

   typedef struct _USER_MODALS_INFO_0 {
       DWORD usrmod0_min_passwd_len;
       DWORD usrmod0_max_passwd_age;
       DWORD usrmod0_min_passwd_age;
       DWORD usrmod0_force_logoff;
       DWORD usrmod0_password_hist_len;
   } USER_MODALS_INFO_0, *PUSER_MODALS_INFO_0;
*/

int main(void)
{
    PUSER_MODALS_INFO_0 info0 = NULL;

    /* NULL server name = local computer; level 0 = USER_MODALS_INFO_0 */
    NET_API_STATUS res = NetUserModalsGet(NULL, 0, (LPBYTE *)&info0);
    if (res != NERR_Success) {
        fprintf(stderr, "NetUserModalsGet failed: %lu\n", res);
        return 1;
    }

    // Specifies the minimum allowable password length.
    // Valid values for this element are zero through PWLEN.
    printf("%lu\n", info0->usrmod0_min_passwd_len);

    // Specifies, in seconds, the maximum allowable password age.
    // A value of TIMEQ_FOREVER indicates that the password never expires.
    // The minimum valid value for this element is ONE_DAY.
    // The value specified must be greater than or equal to the value for the usrmod0_min_passwd_age member.
    printf("%lu\n", info0->usrmod0_max_passwd_age);

    // Specifies the minimum number of seconds that can elapse between the time
    // a password changes and when it can be changed again.
    // A value of zero indicates that no delay is required between password updates.
    // The value specified must be less than or equal to the value for the usrmod0_max_passwd_age member.
    printf("%lu\n", info0->usrmod0_min_passwd_age);

    // Specifies, in seconds, the amount of time between the end of the valid
    // logon time and the time when the user is forced to log off the network.
    // A value of TIMEQ_FOREVER indicates that the user is never forced to log off.
    // A value of zero indicates that the user will be forced to log off immediately when the valid logon time expires.
    printf("%lu\n", info0->usrmod0_force_logoff);

    // Specifies the length of password history maintained.
    // A new password cannot match any of the previous usrmod0_password_hist_len passwords.
    // Valid values for this element are zero through DEF_MAX_PWHIST.
    printf("%lu\n", info0->usrmod0_password_hist_len);

    // The buffer is allocated by the API and must be released by the caller.
    NetApiBufferFree(info0);
    return 0;
}
```
Ian Boyd
  • 1
    @IanBoyd Can we use this NetUserModalsGet to query Password Complexity? – user3664223 Feb 24 '22 at 10:09
  • @user3664223 NetUserModals doesn't have a way to check password complexity. What I did was use [**NetValidatePasswordPolicy**](https://learn.microsoft.com/en-us/windows/win32/api/lmaccess/nf-lmaccess-netvalidatepasswordpolicy) using `NetValidatePasswordReset` semantics. Or you can read https://stackoverflow.com/a/31748252/12597 where someone says it is possible; but I didn't actually try to decipher it. – Ian Boyd Feb 24 '22 at 14:12
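
An added example, not part of the answer above: the same level-0 `NetUserModalsGet` call made from Python through `ctypes`, followed by a check of the returned values. The `audit` function, its thresholds (length 14, history 24) and the sample policy are assumptions constructed for illustration.

```python
import ctypes
import sys

TIMEQ_FOREVER = 0xFFFFFFFF  # lmcons.h value meaning "never"
ONE_DAY = 24 * 3600         # both age fields are stored in seconds

class USER_MODALS_INFO_0(ctypes.Structure):
    # Same five DWORDs, in the same order, as the struct in the answer.
    _fields_ = [(name, ctypes.c_uint32) for name in (
        "usrmod0_min_passwd_len", "usrmod0_max_passwd_age",
        "usrmod0_min_passwd_age", "usrmod0_force_logoff",
        "usrmod0_password_hist_len")]

def as_dict(info):
    """Copy the fields out so the API buffer can be freed safely."""
    return {name: getattr(info, name) for name, _ in info._fields_}

def read_policy(server=None):
    """NetUserModalsGet(server, 0, &buf); Windows only. None = local machine."""
    netapi32 = ctypes.WinDLL("netapi32")
    buf = ctypes.POINTER(USER_MODALS_INFO_0)()
    status = netapi32.NetUserModalsGet(ctypes.c_wchar_p(server), 0, ctypes.byref(buf))
    if status != 0:  # NERR_Success is 0
        raise OSError(f"NetUserModalsGet failed, NET_API_STATUS {status}")
    try:
        return as_dict(buf.contents)
    finally:
        netapi32.NetApiBufferFree(buf)

def audit(p, min_len=14, history=24):
    """List where policy p is weaker than the (assumed) baseline thresholds."""
    findings = []
    if p["usrmod0_min_passwd_len"] < min_len:
        findings.append(f"min length {p['usrmod0_min_passwd_len']} < {min_len}")
    if p["usrmod0_password_hist_len"] < history:
        findings.append(f"history {p['usrmod0_password_hist_len']} < {history}")
    if p["usrmod0_min_passwd_age"] == 0 and p["usrmod0_password_hist_len"] > 0:
        # No minimum age: users can change repeatedly until the old one is allowed.
        findings.append("min age 0 lets users cycle through the history")
    if p["usrmod0_max_passwd_age"] == TIMEQ_FOREVER:
        findings.append("max age is TIMEQ_FOREVER: passwords never expire")
    return findings

if __name__ == "__main__":
    # Constructed sample used off Windows; on Windows the live policy is read.
    sample = USER_MODALS_INFO_0(8, 42 * ONE_DAY, 0, TIMEQ_FOREVER, 5)
    policy = read_policy() if sys.platform == "win32" else as_dict(sample)
    print("\n".join(audit(policy)) or "policy meets the baseline")
```

Password complexity is not among these fields, so it cannot be audited this way.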
-1

You should have a look at:

Windows-OS-User-Management

Query-the-New-Windows-Audit-Policies-Programmatica

Peter
  • The first article is not related to Local/Global Password Policy. It sets user flags. I am looking for API to set at least Local Password Policy for a particular workstation. From the second article I do not understand what API I should use to change f.e. minimum password age or disable password complexity. – ohavryl Nov 14 '12 at 14:31