ansaurus

Question

Reading Local Group Policy / Active Directory Settings

Answer 1

A:

You can use the Resultant Set of Policy (RSOP) tools. E.g. here's a VBScript (lifted from here) which will tell you what you need to know. It should be simple enough to translate this into C#.

strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\rsop\computer")
Set colItems = objWMIService.ExecQuery _
    ("Select * from RSOP_SecuritySettingBoolean")
For Each objItem in colItems
    Wscript.Echo "Key Name: " & objItem.KeyName
    Wscript.Echo "Precedence: " & objItem.Precedence
    Wscript.Echo "Setting: " & objItem.Setting
    Wscript.Echo
Next

serialhobbyist 2009-11-02 18:10:58

Answer 2

A:

There doesn't appear to be a documented API for this task, managed or otherwise.

Managed Attempt

I tried the managed route using the System.Management assembly:

        ConnectionOptions options = new ConnectionOptions();
        ManagementScope scope = new ManagementScope(@"\\.\root\RSOP\Computer", options);

        ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, new ObjectQuery("SELECT * FROM RSOP_SecuritySettingBoolean"));
        foreach(ManagementObject o in searcher.Get())
        {
            Console.WriteLine("Key Name: {0}", o["KeyName"]);
            Console.WriteLine("Precedence: {0}", o["Precedence"]);
            Console.WriteLine("Setting: {0}", o["Setting"]);
        }

This however will not return results. It doesn't appear to be a permission issue as providing a username/password pair to ConnectionOptions results in an exception telling you that you can not specify a username when connecting locally.

Unmanaged Attempt

I looked at NetUserModalsGet. While this will return some information on password settings:

typedef struct _USER_MODALS_INFO_0 {
  DWORD usrmod0_min_passwd_len;
  DWORD usrmod0_max_passwd_age;
  DWORD usrmod0_min_passwd_age;
  DWORD usrmod0_force_logoff;
  DWORD usrmod0_password_hist_len;
} USER_MODALS_INFO_0, *PUSER_MODALS_INFO_0, *LPUSER_MODALS_INFO_0;

..it will not let tell if the Password Complexity policy is enabled.

Tool Output Scraping 'Success'

So I resorted to parsing secedit.exe output.

    public static bool PasswordComplexityPolicy()
    {
        var tempFile = Path.GetTempFileName();

        Process p = new Process();
        p.StartInfo.FileName = Environment.ExpandEnvironmentVariables(@"%SystemRoot%\system32\secedit.exe");
        p.StartInfo.Arguments = String.Format(@"/export /cfg ""{0}"" /quiet", tempFile);
        p.StartInfo.CreateNoWindow = true;
        p.StartInfo.UseShellExecute = false;
        p.Start();
        p.WaitForExit();

        var file = IniFile.Load(tempFile);

        IniSection systemAccess = null;
        var passwordComplexityString = "";
        var passwordComplexity = 0;

        return file.Sections.TryGetValue("System Access", out systemAccess)
            && systemAccess.TryGetValue("PasswordComplexity", out passwordComplexityString)
            && Int32.TryParse(passwordComplexityString, out passwordComplexity)
            && passwordComplexity == 1;
    }

Full code here: http://gist.github.com/421802

Joseph Kingry 2010-06-02 01:45:37

Answer 3

A:

Hi Shinobi, I was looking to stop Windows 7 from automatically installing smart cards when they are inserted in the card reader and found that it can be done by disabling the smart card plug and play service. Related to this, I was trying to find if there is any way to read this setting option from the group policy of the system and came across your question, and this microsoft forum answer http://social.msdn.microsoft.com/Forums/en-US/csharpgeneral/thread/f3f5a61f-2ab9-459e-a1ee-c187465198e0

Hope this helps somebody who comes across this question in the future.

Peace!

CodeCanvas 2010-10-27 18:30:06

ansaurus

tags:

views:

answers:

Reading Local Group Policy / Active Directory Settings

Managed Attempt

Unmanaged Attempt

Tool Output Scraping 'Success'

related questions