读取本地组策略/Active Directory 设置 [英] Reading Local Group Policy / Active Directory Settings

问题描述

我正在编写一个 C# 程序，它将根据 Windows 组策略设置密码必须满足复杂性要求"强制执行密码复杂性.具体来说，如果该策略在本地计算机(如果它不是域的一部分)或域安全策略(对于域成员)上设置为启用，那么我的软件需要强制执行复杂的密码以确保其自身的内部安全.

I'm writing a C# program that will enforce password complexity in accordance with the Windows Group Policy setting "Password must meet complexity requirements". Specifically, if that policy is set to Enabled either on the local machine (if it's not part of a domain) or by the Domain Security Policy (for domain members), then my software needs to enforce a complex password for its own internal security.

问题是我不知道如何读取 GPO 设置.Google 搜索表明我可以使用以下两个 API 之一读取 GPO 设置:.NET Framework 中的 System.DirectoryServices 库和 Windows Management Instrumentation (WMI)，但到目前为止我还没有取得任何成功.

The issue is that I can't figure out how to read that GPO setting. Google searches have indicated that I can read GPO settings with one of these two APIs: the System.DirectoryServices library in .NET Framework, and Windows Management Instrumentation (WMI), but I haven't had any success so far.

任何见解都会有所帮助.

Any insights would be helpful.

推荐答案

似乎没有针对此任务的文档化 API，无论是托管的还是其他的.

There doesn't appear to be a documented API for this task, managed or otherwise.

我使用 System.Management 尝试了托管路由组装:

I tried the managed route using the System.Management assembly:

        ConnectionOptions options = new ConnectionOptions();
        ManagementScope scope = new ManagementScope(@"\.
ootRSOPComputer", options);

        ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, new ObjectQuery("SELECT * FROM RSOP_SecuritySettingBoolean"));
        foreach(ManagementObject o in searcher.Get())
        {
            Console.WriteLine("Key Name: {0}", o["KeyName"]);
            Console.WriteLine("Precedence: {0}", o["Precedence"]);
            Console.WriteLine("Setting: {0}", o["Setting"]);
        }

然而这不会返回结果.这似乎不是权限问题，因为向 ConnectionOptions 提供用户名/密码对会导致异常，告诉您在本地连接时无法指定用户名.

This however will not return results. It doesn't appear to be a permission issue as providing a username/password pair to ConnectionOptions results in an exception telling you that you can not specify a username when connecting locally.

我查看了 NetUserModalsGet.虽然这将返回一些有关密码设置的信息:

I looked at NetUserModalsGet. While this will return some information on password settings:

typedef struct _USER_MODALS_INFO_0 {
  DWORD usrmod0_min_passwd_len;
  DWORD usrmod0_max_passwd_age;
  DWORD usrmod0_min_passwd_age;
  DWORD usrmod0_force_logoff;
  DWORD usrmod0_password_hist_len;
} USER_MODALS_INFO_0, *PUSER_MODALS_INFO_0, *LPUSER_MODALS_INFO_0;

..它不会判断 密码复杂性 策略已启用.

..it will not let tell if the Password Complexity policy is enabled.

所以我求助于解析 secedit.exe 输出.>

So I resorted to parsing secedit.exe output.

    public static bool PasswordComplexityPolicy()
    {
        var tempFile = Path.GetTempFileName();

        Process p = new Process();
        p.StartInfo.FileName = Environment.ExpandEnvironmentVariables(@"%SystemRoot%system32secedit.exe");
        p.StartInfo.Arguments = String.Format(@"/export /cfg ""{0}"" /quiet", tempFile);
        p.StartInfo.CreateNoWindow = true;
        p.StartInfo.UseShellExecute = false;
        p.Start();
        p.WaitForExit();

        var file = IniFile.Load(tempFile);

        IniSection systemAccess = null;
        var passwordComplexityString = "";
        var passwordComplexity = 0;

        return file.Sections.TryGetValue("System Access", out systemAccess)
            && systemAccess.TryGetValue("PasswordComplexity", out passwordComplexityString)
            && Int32.TryParse(passwordComplexityString, out passwordComplexity)
            && passwordComplexity == 1;
    }

完整代码在这里:http://gist.github.com/421802

这篇关于读取本地组策略/Active Directory 设置的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！