Setting BadPasswordAttempts and MaxPasswordAge of a local user from C#?


I have some code that manages local user logins.
When I create a new user I want to set the password to expire every x
days and the number of failed login attempts before the account is
disable/locked out. I can't seem to figure out how.

I saw two properties in MSDN BadPasswordAttempts and MaxPasswordAge
but I can't seem to set them on the new user.

my code looks like this
DirectoryEntry newUser = null; ;
newUser = m_DomainMachine.Children.Add(Username, "user");
newUser.Invoke("SetPassword", new object[] { Pswd });
newUser.Properties["Description"].Value = Description;
newUser.Properties["FullName"].Value = Fullname;
newUser.Properties["BadPasswordAttempts"].Value = 3;
newUser.Properties["MaxPasswordAge"].Value = 90;

I get an exception when I try and set those two properties that those
properties aren't in the property cache.

Is there a way to set properties like these on a new user or does this
have to do with the local policies

thanks
mike
Jun 19 '07 #1

"Michael Howes" <mh****@xfortebio.com> wrote in message
news:ej**************@TK2MSFTNGP04.phx.gbl...
>
> I have some code that manages local user logins.
> When I create a new user I want to set the password to expire every x
> days and the number of failed login attempts before the account is
> disable/locked out. I can't seem to figure out how.

These are normally only settable for EVERY user on the computer (or
every user on a domain.)

> I saw two properties in MSDN BadPasswordAttempts and MaxPasswordAge but I
> can't seem to set them on the new user.
>
> my code looks like this
> DirectoryEntry newUser = null; ;
> newUser = m_DomainMachine.Children.Add(Username, "user");
> newUser.Invoke("SetPassword", new object[] { Pswd });
> newUser.Properties["Description"].Value = Description;
> newUser.Properties["FullName"].Value = Fullname;
> newUser.Properties["BadPasswordAttempts"].Value = 3;
> newUser.Properties["MaxPasswordAge"].Value = 90;
>
> I get an exception when I try and set those two properties that those
> properties aren't in the property cache.
>
> Is there a way to set properties like these on a new user or does this
> have to do with the local policies
>
> thanks
> mike

Jun 19 '07 #2
Also, I'm not sure if there is a straightforward way in .NET to change the
policy for the local machine. I think you need to do some p/invoke to the
LSA policy API stuff. However, given that you generally only do this once,
you likely wouldn't need to bother changing the policy.

What you can do is determine whether a user's password expires or not.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Herb Martin" <ne**@learnquick.com> wrote in message
news:OZ**************@TK2MSFTNGP05.phx.gbl...
>
> "Michael Howes" <mh****@xfortebio.com> wrote in message
> news:ej**************@TK2MSFTNGP04.phx.gbl...
>>
>> I have some code that manages local user logins.
>> When I create a new user I want to set the password to expire every x
>> days and the number of failed login attempts before the account is
>> disable/locked out. I can't seem to figure out how.
>
> These are normally only settable for EVERY user on the computer (or
> every user on a domain.)
>
>> I saw two properties in MSDN BadPasswordAttempts and MaxPasswordAge but
>> I can't seem to set them on the new user.
>>
>> my code looks like this
>> DirectoryEntry newUser = null; ;
>> newUser = m_DomainMachine.Children.Add(Username, "user");
>> newUser.Invoke("SetPassword", new object[] { Pswd });
>> newUser.Properties["Description"].Value = Description;
>> newUser.Properties["FullName"].Value = Fullname;
>> newUser.Properties["BadPasswordAttempts"].Value = 3;
>> newUser.Properties["MaxPasswordAge"].Value = 90;
>>
>> I get an exception when I try and set those two properties that those
>> properties aren't in the property cache.
>>
>> Is there a way to set properties like these on a new user or does this
>> have to do with the local policies
>>
>> thanks
>> mike

Jun 19 '07 #3
>> I have some code that manages local user logins.
>> When I create a new user I want to set the password to expire every x
>> days and the number of failed login attempts before the account is
>> disable/locked out. I can't seem to figure out how.
>
> These are normally only settable for EVERY user on the computer (or
> every user on a domain.)

Ah, I see. thanks

I'm now having trouble adding users to a group.

why is all the documentation in MSDN wrong? That's really odd.

the code in MSDN says to do the following with the new user
DirectoryEntry admGroup = m_DomainMachine.Children.Find("Power Users",
"group");
admGroup.Properties["member"].Add(newUser.Path);
admGroup.CommitChanges();

member doesn't seem to be a property.

seems like at some point there was a major change in the .Net layer
over the old COM stuff and MSDN hasn't been updated. I'm using .Net 2 if
that helps.

Can I add to a group that is a DirectoryEntry object using
group.Children.Add?
thanks

oh and on a local machine, I'm looking in "Local Security
Settings\Local Policies\Security Options\ and see a long list of
security setting but don't see ones that relate to aging a password or
failed login attempts. Any pointers to where I found those.

and again, this is on a local machine, not a domain

thanks
mike

mike
Jun 19 '07 #4
You can't do it that way using the WinNT provider. "member" is an attribute
in AD, but a similar property does not exist in the "SAM" property set. The
only supported way to do this with a shipping .NET version is to Invoke the
"Add" method on IADsGroup. You might do:

entry.Invoke("Add", new object[] {"WinNT://machine/user"});

or something along those lines. You also need to use similar techniques to
remove or enumerate local machine group members.

In .NET 3.5, this stuff gets easier. There is a new namespace,
System.DirectoryServices.AccountManagement, that provides strongly typed
editable classes for managing security principals (users, groups, etc.).
They use a provider model to support local machine, AD and ADAM users (plus
custom implementations). This will make this stuff much nicer, especially
for the local machine stuff where you can't just set the actual attributes
in the directory like you can with LDAP.

HTH,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michael Howes" <mh****@xfortebio.com> wrote in message
news:%2****************@TK2MSFTNGP04.phx.gbl...
>>> I have some code that manages local user logins.
>>> When I create a new user I want to set the password to expire every x
>>> days and the number of failed login attempts before the account is
>>> disable/locked out. I can't seem to figure out how.
>>
>> These are normally only settable for EVERY user on the computer (or
>> every user on a domain.)
>
> Ah, I see. thanks
>
> I'm now having trouble adding users to a group.
>
> why is all the documentation in MSDN wrong? That's really odd.
>
> the code in MSDN says to do the following with the new user
> DirectoryEntry admGroup = m_DomainMachine.Children.Find("Power Users",
> "group");
> admGroup.Properties["member"].Add(newUser.Path);
> admGroup.CommitChanges();
>
> member doesn't seem to be a property.
>
> seems like at some point there was a major change in the .Net layer over
> the old COM stuff and MSDN hasn't been updated. I'm using .Net 2 if that
> helps.
>
> Can I add to a group that is a DirectoryEntry object using
> group.Children.Add?
> thanks
>
> oh and on a local machine, I'm looking in "Local Security Settings\Local
> Policies\Security Options\ and see a long list of security setting but
> don't see ones that relate to aging a password or failed login attempts.
> Any pointers to where I found those.
>
> and again, this is on a local machine, not a domain
>
> thanks
> mike
>
> mike

Jun 19 '07 #5
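
The two approaches described in the reply above, as an added example that is not code from the thread: local group membership changed through the IADsGroup methods on the WinNT provider, and the same operation with System.DirectoryServices.AccountManagement. The class and method names and the machine, group and user arguments are placeholders chosen for illustration.

```csharp
using System;
using System.Collections;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement; // .NET 3.5 and later

static class LocalGroupMembership
{
    // WinNT provider: membership is changed through IADsGroup methods, not a "member" property.
    // Returns false when an entry with that name is already a member, true when it was added.
    public static bool AddViaWinNT(string machine, string groupName, string userName)
    {
        using (DirectoryEntry computer = new DirectoryEntry("WinNT://" + machine + ",computer"))
        using (DirectoryEntry group = computer.Children.Find(groupName, "group"))
        {
            // IADsGroup.Members returns a COM collection; wrap each item to read its name.
            // This compares by name only, so a domain account with the same name also matches.
            foreach (object member in (IEnumerable)group.Invoke("Members", null))
            {
                using (DirectoryEntry entry = new DirectoryEntry(member))
                {
                    if (string.Equals(entry.Name, userName, StringComparison.OrdinalIgnoreCase))
                        return false;
                }
            }
            group.Invoke("Add", new object[] { "WinNT://" + machine + "/" + userName + ",user" });
            return true;
        }
    }

    // The same operation with the strongly typed classes, against the local machine's SAM.
    public static bool AddViaAccountManagement(string groupName, string userName)
    {
        using (PrincipalContext context = new PrincipalContext(ContextType.Machine))
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(context, groupName))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(context, userName))
        {
            if (group == null || user == null)
                throw new ArgumentException("Group or user not found on this machine.");
            if (group.Members.Contains(user))
                return false;
            group.Members.Add(user);
            group.Save();
            return true;
        }
    }
}
```

Removal works the same way: `Invoke("Remove", ...)` with the member's WinNT path, or `group.Members.Remove(user)` followed by `Save()`.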
>> I have some code that manages local user logins.
>> When I create a new user I want to set the password to expire every x
>> days and the number of failed login attempts before the account is
>> disable/locked out. I can't seem to figure out how.
>
> These are normally only settable for EVERY user on the computer (or
> every user on a domain.)
>
>> newUser.Properties["BadPasswordAttempts"].Value = 3;
>> newUser.Properties["MaxPasswordAge"].Value = 90;

is this the same for pwdLastSet? In other words is there no way from
code to make it so the user has to change their password during their
next login?

thanks
mike
Jun 20 '07 #6
> You can't do it that way using the WinNT provider. "member" is an attribute
> in AD, but a similar property does not exist in the "SAM" property set. The
> only supported way to do this with a shipping .NET version is to Invoke the
> "Add" method on IADsGroup. You might do:
>
> entry.Invoke("Add", new object[] {"WinNT://machine/user"});
> or something along those lines. You also need to use similar techniques to
> remove or enumerate local machine group members.

is there MSDN docs for the invoke-able methods for whatever COM object
I'm working with behind the .Net scenes?

thanks
Jun 20 '07 #7
You basically just need to read the entire ADSI SDK in addition to the .NET
DirectoryServices SDK to get the full list of stuff you can do.
Specifically, the ADSI interface documentation is helpful. The other issue
is knowing which ADSI interfaces can be invoked on any given DirectoryEntry,
but for the most part that will be either the IADs "core" interface, a few
of the other core interfaces and the permanent object interfaces like
IADsUser and IADsGroup.

If the reflection style of programming becomes too sucky to bear (it doesn't
scale well when you need to do more than a method or two), you can also
create an interop assembly for activeds.tlb and then just cast the
NativeObject property on DirectoryEntry to the .NET interop wrapper type for
ADSI COM class. Then it is all strongly typed.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michael Howes" <mh****@xfortebio.com> wrote in message
news:%2****************@TK2MSFTNGP06.phx.gbl...
>
>> You can't do it that way using the WinNT provider. "member" is an
>> attribute in AD, but a similar property does not exist in the "SAM"
>> property set. The only supported way to do this with a shipping .NET
>> version is to Invoke the "Add" method on IADsGroup. You might do:
>>
>> entry.Invoke("Add", new object[] {"WinNT://machine/user"});
>> or something along those lines. You also need to use similar techniques
>> to remove or enumerate local machine group members.
>
> is there MSDN docs for the invoke-able methods for whatever COM object
> I'm working with behind the .Net scenes?
>
> thanks

Jun 20 '07 #8
You can't set pwdLastSet to 0 with WinNT like you can with LDAP/AD to force
pwd change at next logon. I'm pretty sure there is an IADsUser property
method that you can invoke that does this though. Check the ADSI SDK.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Michael Howes" <mh****@xfortebio.com> wrote in message
news:ui**************@TK2MSFTNGP02.phx.gbl...
>
>>> I have some code that manages local user logins.
>>> When I create a new user I want to set the password to expire every x
>>> days and the number of failed login attempts before the account is
>>> disable/locked out. I can't seem to figure out how.
>>
>> These are normally only settable for EVERY user on the computer (or
>> every user on a domain.)
>
>>> newUser.Properties["BadPasswordAttempts"].Value = 3;
>>> newUser.Properties["MaxPasswordAge"].Value = 90;
>
> is this the same for pwdLastSet? In other words is there no way from code
> to make it so the user has to change their password during their next
> login?
>
> thanks
> mike

Jun 20 '07 #9
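
The per-account settings the replies point to (whether a user's password expires, and forcing a change at next logon), as an added example that is not code from the thread. It relies on the WinNT user object's `UserFlags` and `PasswordExpired` properties and the `ADS_UF_DONT_EXPIRE_PASSWD` flag from the ADSI SDK; the class, method and parameter names are placeholders. Maximum password age and the lockout threshold stay machine-wide policy, as noted earlier in the thread.

```csharp
using System;
using System.DirectoryServices;

static class LocalUserPasswordSettings
{
    // ADS_USER_FLAG_ENUM value: the password never expires for this account.
    const int ADS_UF_DONT_EXPIRE_PASSWD = 0x10000;

    public static void CreateUser(string machine, string userName, string initialPassword,
                                  bool mustChangeAtNextLogon, bool passwordNeverExpires)
    {
        // The two settings contradict each other, so reject the combination up front.
        if (mustChangeAtNextLogon && passwordNeverExpires)
            throw new ArgumentException("A never-expiring password cannot be marked as expired.");

        using (DirectoryEntry computer = new DirectoryEntry("WinNT://" + machine + ",computer"))
        using (DirectoryEntry user = computer.Children.Add(userName, "user"))
        {
            user.Invoke("SetPassword", new object[] { initialPassword });
            user.CommitChanges();   // create the account in the SAM first
            user.RefreshCache();    // then load its properties into the property cache

            int flags = (int)user.Properties["UserFlags"].Value;
            flags = passwordNeverExpires
                ? flags | ADS_UF_DONT_EXPIRE_PASSWD
                : flags & ~ADS_UF_DONT_EXPIRE_PASSWD;
            user.Properties["UserFlags"].Value = flags;

            // 1 marks the password as expired, so the next interactive logon demands a change.
            if (mustChangeAtNextLogon)
                user.Properties["PasswordExpired"].Value = 1;

            user.CommitChanges();
        }
    }
}
```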
