RE: Get/set local security settings programmatically
- From: jetan@xxxxxxxxxxxxxxxxxxxx ("Jeffrey Tan[MSFT]")
- Date: Tue, 08 Apr 2008 09:58:55 GMT
Although this issue should be best resolved through Microsoft Advisory
Service, I did get some information for you (while discussing it with several
security experts internally):
Some of these options are exposed via the NetAPI32 DLL - NetSetUserModals
does some of the password stuff you want. A bunch of the rest of it is set
via registry keys.
The Lsa* set of APIs do tell you some of the things you want to know about
a system, but I don't think they cover most of what's below.
Regarding your issue,
Account Policies--> Password Policy
1) Password must meet complexity requirements
2) Store password using reversible encryption for all
users in the domain
there are no native Win32 APIs for these two local security settings.
On Windows XP or above, there is a new WMI Group Policy interface, the
RSOP_SecuritySettingBoolean WMI class that represents the boolean security
setting for an account policy. Account policies include password policies
and account lockout policies.
The MSDN link
http://msdn2.microsoft.com/en-us/library/aa375062.aspx
documents this WMI Group Policy interface.
For the first two tasks, there is only the WMI interface.
For "Security Options", the information is stored in various places such as
the registry, SAM, etc., depending on which component of Windows is exposing that
security option. We discussed a similar customer requirement with the secedit
PG; there is no single API set. For some options, there may not be an API.
As Dave mentioned, it varies from OS to OS.
Regarding security options:
a. "Accounts: Administrator account status"
b. "Accounts: Guest account status"
a) and b) can be set/modified using NetUserGetInfo at level 3 (usri3_flags)
c. "Accounts: Rename administrator account"
d. "Accounts: Rename guest account"
If the administrator or guest account is renamed, one can find the information
as explained in the following knowledge base article:
Q157234 - HOWTO: Deal with Localized and Renamed User and Group Names
http://support.microsoft.com/support/kb/articles/Q157/2/34.asp
The other Security Options are stored as subkeys under the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values
The DisplayName registry value under each of the subkeys
corresponds to what gpedit.msc displays in the UI.
The easiest way to work with many of these settings is via secedit.exe.
Hope it helps.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
=========================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@xxxxxxxxxxxxxx
This posting is provided "AS IS" with no warranties, and confers no rights.
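
An added example, not part of the original post: the reply names secedit.exe as the easiest route, so this sketch parses the INF text that `secedit /export /cfg` writes and checks the account policy and account settings discussed above. The sample export is constructed, the baseline values are an assumed policy, and the function names are hypothetical.

```python
import configparser

# Constructed sample of a `secedit /export /cfg <file>` export (not from the post).
# A real export is normally UTF-16: open(path, encoding="utf-16").read()
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 0
ClearTextPassword = 1
EnableAdminAccount = 1
EnableGuestAccount = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
[Version]
signature="$CHICAGO$"
"""

# Assumed baseline for this example; adjust to your own policy.
BASELINE = {
    "PasswordComplexity": "1",   # Password must meet complexity requirements
    "ClearTextPassword": "0",    # Store password using reversible encryption
    "EnableGuestAccount": "0",   # Accounts: Guest account status
}

def parse_export(text):
    """Parse secedit INF text; keys keep their case, '$' is not interpolated."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def deviations(text, baseline=BASELINE):
    """Return [(key, actual, expected)] for settings that differ from the baseline."""
    access = parse_export(text)["System Access"]
    return [(k, access.get(k), want) for k, want in baseline.items()
            if (access.get(k) or "").strip() != want]

def account_names(text):
    """Current names of the built-in administrator and guest accounts."""
    access = parse_export(text)["System Access"]
    keys = ("NewAdministratorName", "NewGuestName")
    return {k: access[k].strip('"') for k in keys if k in access}

def registry_values(text):
    """Map each [Registry Values] path to (registry type number, raw data)."""
    out = {}
    for path, raw in parse_export(text)["Registry Values"].items():
        reg_type, _, data = raw.partition(",")
        out[path] = (int(reg_type), data)
    return out
```

A setting missing from the export is reported with an actual value of `None`, which keeps "not configured" distinct from "configured differently".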