Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I'm writing a script to audit/apply security settings on NT 4.0 and Windows 2000 servers. NT 4.0 is very straightforward (registry settings, API calls) for everything, but Windows 2000 introduces the security database to store some security settings. I'm trying to limit the number of system calls I make to pull/set the information, and I want to cut out using secedit altogether.

My problem is this: Complex Passwords are set in the security database. 'Net Accounts' will not pull this information, and Win32::Lanman seems to be dry here as well (though for a while I thought NetUserModalsGet had hope). In NT 4.0, password filtering is handled by a .dll in the registry, but not in 2000.

Anyone know of an OLE method of pulling information from the security database? I'm already OLE'ing for IIS information, so that's no biggie to tack on more. If no OLE, any progress elsewhere?

Right now, to get complex password settings, I do this:

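# Export the security database to a text template
$result = `secedit /EXPORT /DB C:\\Winnt\\Security\\Database\\secedit.sdb /CFG security.txt`;
# Read the exported template and pick out the complexity flag
open(SECURITY, "security.txt") or die "Cannot open security.txt: $!";
@lines = <SECURITY>;
close(SECURITY);
foreach $line (@lines) {
    if ($line =~ /PasswordComplexity = (\d+)/) {
        $passFilt = $1;
    }
}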
Confangled, and I'm going around my elbow to get to my nose, but it works. Any help???

Josh Pavel
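
As an added example (not code from the original post): the secedit export approach above, extended to read every numeric setting in the [System Access] section and compare it with a baseline. The sample export text, the baseline values and the function names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of a secedit /EXPORT template (not taken from a real host).
my $sample = <<'END_INF';
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 24
[Version]
signature="$CHICAGO$"
END_INF

# Hypothetical baseline: setting name => minimum acceptable value.
my %baseline = (
    PasswordComplexity    => 1,
    MinimumPasswordLength => 8,
    PasswordHistorySize   => 12,
);

# Parse only the [System Access] section into a hash of name => number.
sub parse_system_access {
    my ($text) = @_;
    my (%setting, $section);
    for my $line (split /\r?\n/, $text) {
        next if $line =~ /^\s*(?:;.*)?$/;            # blank line or comment
        if ($line =~ /^\s*\[([^\]]+)\]\s*$/) { $section = $1; next; }
        next unless defined $section && $section eq 'System Access';
        $setting{$1} = $2 if $line =~ /^\s*(\w+)\s*=\s*(\d+)\s*$/;
    }
    return \%setting;
}

# Return one finding per baseline setting that is missing or below baseline.
sub audit {
    my ($setting) = @_;
    my @findings;
    for my $name (sort keys %baseline) {
        my $have = $setting->{$name};
        if    (!defined $have)            { push @findings, "$name is not set" }
        elsif ($have < $baseline{$name})  { push @findings, "$name = $have, want >= $baseline{$name}" }
    }
    return @findings;
}

print "$_\n" for audit(parse_system_access($sample));
```

Anchoring the match to the section name avoids picking up a similarly named key from another section of the template, which the single-regex loop cannot distinguish.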

Re: Complex Passwords in Windows 2000
by blm (Hermit) on Oct 01, 2002 at 16:11 UTC

    Recently I found the RSOP_* (Resultant Set of Policies) set of functions and WMI Classes. It seems to be new with .NET server and Windows XP but they seem to run somewhat on Windows 2000. The information you want access to appears to be stored in the RSOP_SecuritySettingBoolean WMI/WBEM class. You can use perl to access WMI so there might be a way to do perl->Win32::OLE->WMI to access the information you require.

    I was trying to get some perl code to post but I haven't been able to. Let me know how it goes!

    --blm--