Password Policy Windows API

【Title】: Password Policy Windows API 【Posted】: 2012-11-14 09:39:28 【Question】:

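Is there any API available for the local and/or global password policy (reading/writing policy settings)?

I found that there is a Windows command:

net accounts

What API does it use to read the settings? Is it possible to change the settings programmatically under administrator rights?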

【Answer 1】:

You can use the NetUserModalsGet() function in netapi32.lib.

See the example at https://msdn.microsoft.com/en-us/library/aa370656(VS.85).aspx

NetUserModalsGet

struct USER_MODALS_INFO_0
{
    DWORD usrmod0_min_passwd_len;
    DWORD usrmod0_max_passwd_age;
    DWORD usrmod0_min_passwd_age;
    DWORD usrmod0_force_logoff;
    DWORD usrmod0_password_hist_len;
}
PUSER_MODALS_INFO_0 = ^USER_MODALS_INFO_0;

PUSER_MODALS_INFO_0 info0;

NET_API_STATUS res = NetUserModalsGet(nil, 0,  out info0);

if (res <> NERR_Success)
   RaiseWin32Error(res);
try
   //Specifies the minimum allowable password length.
   //Valid values for this element are zero through PWLEN.
   Log(info0.usrmod0_min_passwd_len);

   //Specifies, in seconds, the maximum allowable password age.
   //A value of TIMEQ_FOREVER indicates that the password never expires.
   //The minimum valid value for this element is ONE_DAY.
   //The value specified must be greater than or equal to the value for the usrmod0_min_passwd_age member.
   Log(info0.usrmod0_max_passwd_age);

   //Specifies the minimum number of seconds that can elapse between the time
   //a password changes and when it can be changed again.
   //A value of zero indicates that no delay is required between password updates.
   //The value specified must be less than or equal to the value for the usrmod0_max_passwd_age member.
   Log(info0.usrmod0_min_passwd_age);

   //Specifies, in seconds, the amount of time between the end of the valid
   //logon time and the time when the user is forced to log off the network.
   //A value of TIMEQ_FOREVER indicates that the user is never forced to log off.
   //A value of zero indicates that the user will be forced to log off immediately when the valid logon time expires.
   Log(info0.usrmod0_force_logoff);

   //Specifies the length of password history maintained.
   //A new password cannot match any of the previous usrmod0_password_hist_len passwords.
   //Valid values for this element are zero through DEF_MAX_PWHIST.
   Log(info0.usrmod0_password_hist_len);
finally
   NetApiBufferFree(info0);
end;
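The ages above come back as raw seconds with TIMEQ_FOREVER as a sentinel, whereas `net accounts` displays days. As an added example (not part of the original answer), this C program decodes the level-0 values and applies the range rules quoted in the comments. `age_days` and `check_modals0` are hypothetical helper names, and the constants in the non-Windows branch are assumed to match the Windows SDK headers so the logic also builds off Windows against a constructed sample.

```c
/* Added example (not from the original answer): interpret and sanity-check
   the level-0 values that NetUserModalsGet returns. */
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>                 /* link with netapi32.lib */
#else                           /* assumed to match the Windows SDK headers */
#define TIMEQ_FOREVER 0xFFFFFFFFu
#define ONE_DAY       86400u
#define PWLEN         256u
#endif

/* Ages are reported in seconds; returns whole days, or -1 for "never". */
long age_days(uint32_t secs)
{
    return secs == (uint32_t)TIMEQ_FOREVER ? -1L : (long)(secs / ONE_DAY);
}

/* Applies the range rules quoted in the answer's comments.
   Returns 0 if consistent, otherwise the number of the first rule broken. */
int check_modals0(uint32_t min_len, uint32_t max_age, uint32_t min_age)
{
    if (min_len > PWLEN)   return 1;   /* length is 0..PWLEN */
    if (max_age < ONE_DAY) return 2;   /* max age is at least ONE_DAY */
    if (min_age > max_age) return 3;   /* min age <= max age */
    return 0;
}

int main(void)
{
    /* Constructed sample, used when not built for Windows. */
    uint32_t len = 7, maxa = 42u * 86400u, mina = 86400u;
#ifdef _WIN32
    USER_MODALS_INFO_0 *p = NULL;
    NET_API_STATUS rc = NetUserModalsGet(NULL, 0, (LPBYTE *)&p);
    if (rc != NERR_Success) { fprintf(stderr, "NetUserModalsGet: %lu\n", rc); return 1; }
    len = p->usrmod0_min_passwd_len;  maxa = p->usrmod0_max_passwd_age;
    mina = p->usrmod0_min_passwd_age;
    NetApiBufferFree(p);              /* buffer is allocated by the API */
#endif
    printf("min length %u, max age %ld d, min age %ld d, rule broken: %d\n",
           (unsigned)len, age_days(maxa), age_days(mina),
           check_modals0(len, maxa, mina));
    return 0;
}
```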

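【Comments】:

@IanBoyd Can we use this NetUserModalsGet to query password complexity?

@user3664223 NetUserModals cannot check password complexity. What I did was use NetValidatePasswordPolicy with NetValidatePasswordReset semantics. Or you can read ***.com/a/31748252/12597, where someone says it is possible; but I have not actually tried to decipher it.

【Answer 2】: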

You should take a look at:

Windows-OS-User-Management

Query-the-New-Windows-Audit-Policies-Programmatica

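【Comments】:

The first article has nothing to do with local/global password policy. It sets user flags. I am looking for an API to at least set the local password policy for a specific workstation. From the second article, I do not understand which API should be used to change, for example, the minimum password age or to disable password complexity.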
