Managing Windows NT Domain Properties


After the user has chosen the domain to be managed, you can manipulate the default account policy settings for the domain. The properties found in the IADsDomain interface directly correlate to those found in the Account Policy dialog box in User Manager for Domains. The Account Policy dialog box is shown in Figure 3.1.

Figure 3.1. Account Policy dialog box in User Manager for Domains.


Binding Domains Using Visual Basic

Before you can manipulate the properties of the domain, you must first bind to the domain container object. Use the following Visual Basic code to bind the domain prior to manipulating any of the account policy properties for the domain:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder; no padding spaces in the name
    ' Concatenate the variable into the path; quoting DomainName inside the
    ' literal would try to bind to a domain literally named "DomainName".
    Set Domain = GetObject("WinNT://" & DomainName & ",domain")

If you plan to set or query the values for multiple properties in a single domain, you need to bind the domain only once within the lifetime of the function.

Note

The binding operation can be costly in terms of application performance, so use bindings judiciously to maximize overall application responsiveness. Binding performance is substantially increased by specifying the class name with the object, as follows: GetObject("WinNT://" & DomainName & ",domain").


If the code will set the values of multiple properties, you need to call the SetInfo method only once during the lifetime of the code segment. Again, following this course of action will yield better application performance due to decreased network traffic because the write operation performed on the namespace is executed only once.

If you must touch several domains in the same script, use the SetInfo method to write the information to the SAM before beginning the binding operation on the new domain. This action will ensure that the proper data was written to the domain before beginning to repopulate the property cache with information derived from the new domain.

By binding and writing to the directory only once per managed domain, you will achieve optimal application performance.

Security Considerations

An account with administrative privileges in the bound domain is required to query or set all properties used for account policy manipulation. A run-time automation error (usually -2147023570/8007052e) will be returned if the user account does not have sufficient privileges when attempting to query or set these properties.
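As an added example (not the chapter's code) of the advice above, the routine below binds once, assigns the full set of account policy properties, writes them with a single SetInfo, and handles the privilege error. It assumes a project reference to the Active DS Type Library; the function name and the policy values are constructed.

```vb
' Added example, not code from the chapter: apply a whole account policy with
' one bind and one SetInfo. Needs a project reference to the Active DS Type
' Library; the policy values are constructed sample settings.
Option Explicit

Public Function ApplyAccountPolicy(ByVal DomainName As String) As Boolean
    Dim Domain As IADsDomain
    On Error GoTo PolicyError

    ' Bind once, with the class name, as the Note above recommends.
    Set Domain = GetObject("WinNT://" & DomainName & ",domain")

    ' Lockout: 5 bad attempts within 30 minutes lock the account for 2 hours.
    Domain.MaxBadPasswordsAllowed = 5
    Domain.LockoutObservationInterval = 30 * 60   ' seconds, shown as minutes
    Domain.AutoUnlockInterval = 2 * 60 * 60       ' seconds; -1 = until admin unlocks

    ' Password aging: rotate every 30 days, keep each one at least 1 day,
    ' remember the last 3, and require 7 characters.
    Domain.MaxPasswordAge = 30 * 86400            ' seconds; -1 = never expires
    Domain.MinPasswordAge = 1 * 86400             ' seconds; 0 = change immediately
    Domain.PasswordHistoryLength = 3              ' -1 = no history kept
    Domain.MinPasswordLength = 7                  ' -1 = blank passwords allowed

    ' One write to the SAM covers every property assigned above.
    Domain.SetInfo
    ApplyAccountPolicy = True
    Exit Function

PolicyError:
    ' 0x8007052E (-2147023570) is the privilege error described above.
    If Err.Number = -2147023570 Then
        Debug.Print "Insufficient privileges to manage " & DomainName
    Else
        Debug.Print "Error 0x" & Hex(Err.Number) & ": " & Err.Description
    End If
    ApplyAccountPolicy = False
End Function
```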


Querying and Setting a New Value for AutoUnlockInterval

The AutoUnlockInterval property of the IADsDomain interface allows you to set the amount of time to wait before automatically resetting the account lockout status flag on a locked-out user account. This property programmatically manipulates the Lockout Duration parameter in User Manager's Account Policy dialog box.

Querying AutoUnlockInterval Using Visual Basic

By dimensioning a long datatype variable, you can use the following Visual Basic code to find the number of seconds a user will be required to wait before an account lockout condition is reset automatically:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim RetVal As Long
    RetVal = Domain.AutoUnlockInterval      ' seconds; -1 means locked until an admin unlocks
    Debug.Print RetVal

Setting a New Value for AutoUnlockInterval Using Visual Basic

If you wish to change the amount of time a user must wait before the user account is automatically unlocked, assign the AutoUnlockInterval property a new value (in seconds) and use the SetInfo method to write the changes back to the namespace:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim NewValue As Long                    ' Long so larger durations cannot overflow an Integer
    NewValue = 7200                         ' seconds (120 minutes)
    Domain.AutoUnlockInterval = NewValue
    Domain.SetInfo                          ' write the property cache back to the SAM

By setting the AutoUnlockInterval property to 7,200 and returning to User Manager for Domains, the new value for Lockout Duration is now 120 minutes. Although the Account Policy dialog box shows the value in minutes, the IADsDomain AutoUnlockInterval property expects the value assigned to this property to be entered in seconds.

Tip

To set the lockout duration to Forever (Until Admin Unlocks), set the value of the AutoUnlockInterval property to -1 in your code.


Querying and Setting a New Value for LockoutObservationInterval

The LockoutObservationInterval property determines the amount of time the domain controller will keep count of bad login attempts for the domain before resetting a user's BadLoginCount value back to 0. This value directly correlates to the Reset Count After n Minutes setting in the Account Policy dialog box.

Querying LockoutObservationInterval Using Visual Basic

Like the AutoUnlockInterval property, the LockoutObservationInterval is stored in seconds. To ensure that you do not overflow the integer datatype, you should always store this value using a long datatype.

Consider the following Visual Basic code to query the time window during which Windows NT will increment the BadLoginCount counter:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim RetVal As Long
    RetVal = Domain.LockoutObservationInterval    ' seconds
    Debug.Print RetVal

Setting a New Value for LockoutObservationInterval Using Visual Basic

If you want to change the amount of time Windows NT monitors bad login attempts in the domain, you can set a new value for the LockoutObservationInterval property using the following Visual Basic code:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim NewValue As Long
    NewValue = 1800                         ' seconds (30 minutes)
    Domain.LockoutObservationInterval = NewValue
    Domain.SetInfo

Tip

By setting this value to 1800, the domain controller will reset its count of bad login attempts for all user accounts after 30 minutes have elapsed.


Querying and Setting a New Value for MaxBadPasswordsAllowed

Coupled with the LockoutObservationInterval property, the MaxBadPasswordsAllowed value establishes the number of bad password attempts allowed before locking out the account. This value correlates to the Lockout After n Bad Logon Attempts setting in the Account Policy dialog box.

Querying MaxBadPasswordsAllowed Using Visual Basic

Using the following Visual Basic code, a value between 0 and 999 will be returned, representing the number of logons a user can attempt before the account is locked out:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim RetVal As Integer                   ' 0 to 999 fits an Integer
    RetVal = Domain.MaxBadPasswordsAllowed
    Debug.Print RetVal

Setting a New Value for MaxBadPasswordsAllowed Using Visual Basic

To set a new value for the number of bad logon attempts for a given domain, simply assign a new integer value to the MaxBadPasswordsAllowed property. This assignment can be performed directly (Domain.MaxBadPasswordsAllowed = 4) or indirectly by assigning a variable to the property.

Use the following Visual Basic code to set a new value for the number of bad logon attempts for a given domain:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim NewValue As Integer
    NewValue = 5                            ' lock out after 5 bad logon attempts
    Domain.MaxBadPasswordsAllowed = NewValue
    Domain.SetInfo

Querying and Setting a New Value for MaxPasswordAge

To prevent risks associated with users retaining passwords indefinitely, most enterprises enforce a password expiration policy for the domain. You can programmatically manipulate the Maximum Password Age setting found in the User Manager for Domains Account Policy dialog box using the MaxPasswordAge property of the IADsDomain interface.

Querying MaxPasswordAge Using Visual Basic

Consider the following Visual Basic code to find how many days a user can retain a password before it expires:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim RetVal As Long
    Dim Days As Long
    RetVal = Domain.MaxPasswordAge          ' seconds; -1 means passwords never expire
    If RetVal = -1 Then
        Debug.Print "Passwords never expire"
    Else
        Days = RetVal \ 86400               ' integer division, so no rounding when stored in a Long
        Debug.Print Days
    End If

Note

Despite the fact that User Manager for Domains uses days as the unit of measure for this property, the MaxPasswordAge property is set using the number of seconds until the password expires.

To quickly convert the number of days to seconds, simply multiply the number of days until password expiration by 86,400 and use the resulting number to set the property value. Conversely, to convert the queried value for MaxPasswordAge back into the number of days, simply divide the result by 86,400.

If you wish to allow all users to retain passwords for an infinite amount of time, set the MaxPasswordAge property to -1.


Setting a New Value for MaxPasswordAge Using Visual Basic

If you want passwords to expire at a regular interval for users in the domain, you can assign a value to the MaxPasswordAge property of the IADsDomain interface using the following Visual Basic code:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim NewValue As Long
    NewValue = 2592000                      ' 30 days * 86400 seconds
    Domain.MaxPasswordAge = NewValue
    Domain.SetInfo

Querying and Setting a New Value for MinPasswordAge

Just as you can force a user to change his or her password at specified intervals, you can also force retention of a chosen password for a specific duration. If your enterprise forces password uniqueness, you should also take advantage of the Windows NT Minimum Password Age setting. This property prevents users from overriding the password history setting by forcing the user to retain a password for a specified amount of time.

Querying MinPasswordAge Using Visual Basic

Use the following Visual Basic code to find the minimum amount of time a user must wait before a new password can be chosen:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim RetVal As Long
    Dim Days As Long
    RetVal = Domain.MinPasswordAge          ' seconds; 0 means a password can be changed immediately
    Days = RetVal \ 86400                   ' integer division into whole days
    Debug.Print Days

Setting a New Value for MinPasswordAge Using Visual Basic

Use the following Visual Basic code to force users to wait a specified amount of time before changing their account password:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim NewValue As Long
    NewValue = 0                            ' seconds; 0 allows immediate password changes
    Domain.MinPasswordAge = NewValue
    Domain.SetInfo

Tip

Once again, the MinPasswordAge property is stored using seconds as the unit of measure. To allow users to change passwords immediately, set this value to 0.


Querying and Setting a New Value for MinPasswordLength

Using the MinPasswordLength property of the IADsDomain interface, you can manipulate the Minimum Password Length field found in the Account Policy dialog box in User Manager for Domains. This setting forces all domain users to use passwords greater than or equal to the length specified by this setting.

Most enterprises force users to use at least six characters for all passwords in order to increase the time required for brute-force password-cracking utilities to obtain a user's password. Although there are many other factors contributing to the ease with which such tools can determine a password, extending the length of all user account passwords is a good first step to prevent compromise of a domain user account.

Tip

Ideally, the best protection against brute-force hash comparison utilities is to encrypt the SAM using the SYSKEY utility, to physically secure any emergency repair disks created with the -S parameter, and to limit physical access to all domain controllers.


Querying MinPasswordLength Using Visual Basic

To find the number of characters required for passwords used on all domain user accounts, use the following Visual Basic code:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim RetVal As Long
    RetVal = Domain.MinPasswordLength       ' characters; -1 means blank passwords are permitted
    Debug.Print RetVal

Setting a New Value for MinPasswordLength Using Visual Basic

By assigning a value to the MinPasswordLength property of the IADsDomain interface, you can establish the minimum number of characters required for all domain passwords. This setting does not force current users that do not comply with the value of this property to change their passwords, but simply enforces all new password changes to use at least the number of characters specified by the MinPasswordLength property.

Use the following Visual Basic code to set a new value for MinPasswordLength:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim NewValue As Long
    NewValue = 7                            ' minimum number of characters for new passwords
    Domain.MinPasswordLength = NewValue
    Domain.SetInfo

Tip

If you wish to allow blank passwords to be used in the domain, set the value of MinPasswordLength to -1.


Querying and Setting a New Value for PasswordHistoryLength

PasswordHistoryLength sets the number of passwords Windows NT will store for each user in the domain. This security feature prevents users from using the same password for each password change performed. Programmatically manipulating this value will cause changes to be seen immediately in the Password Uniqueness data field in User Manager's Account Policy dialog box.

Querying PasswordHistoryLength Using Visual Basic

To find out how many user passwords will be "remembered" by Windows NT, use the following Visual Basic code:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim RetVal As Long
    RetVal = Domain.PasswordHistoryLength   ' number of previous passwords kept; -1 means no history
    Debug.Print RetVal

Setting a New Value for PasswordHistoryLength Using Visual Basic

If you wish to force users to use unique passwords for each password change performed, use the following Visual Basic code to set a new value to the IADsDomain PasswordHistoryLength property:

    Dim Domain As IADsDomain
    Dim DomainName As String
    DomainName = "Domain_Name_To_Manage"    ' placeholder
    Set Domain = GetObject("WinNT://" & DomainName)
    Dim NewValue As Long
    NewValue = 3                            ' remember the last 3 passwords
    Domain.PasswordHistoryLength = NewValue
    Domain.SetInfo

When performing a password change request, Windows NT will check to make sure the new password you are requesting does not equal the value of any of the last passwords used, up to the value of PasswordHistoryLength.

Tip

To disable password history, set the PasswordHistoryLength property to -1.
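As an added example (not the chapter's code) that pulls the unit conversions and the -1 and 0 sentinels from the notes and tips above into one place, the routine below reads every account policy property in a single bind, reports each in the units User Manager displays, and counts settings weaker than a constructed baseline. It assumes a reference to the Active DS Type Library; the function names and thresholds are my own.

```vb
' Added example, not code from the chapter: read every account-policy property
' in a single bind, show it in the units User Manager uses, and count settings
' weaker than a constructed baseline. Needs the Active DS Type Library.
Option Explicit

' Seconds to display units; -1 is the Forever/Never sentinel the tips describe.
Private Function ShowInterval(ByVal Seconds As Long, ByVal UnitSeconds As Long, _
                              ByVal UnitName As String) As String
    If Seconds = -1 Then
        ShowInterval = "Forever"
    Else
        ShowInterval = CStr(Seconds \ UnitSeconds) & " " & UnitName
    End If
End Function

' Prints the policy and returns the number of weak settings found.
Public Function AuditAccountPolicy(ByVal DomainName As String) As Long
    Dim Domain As IADsDomain
    Dim Findings As Long
    Set Domain = GetObject("WinNT://" & DomainName & ",domain")   ' bind once

    Debug.Print "Lockout after:     " & Domain.MaxBadPasswordsAllowed & " bad attempts"
    Debug.Print "Reset count after: " & ShowInterval(Domain.LockoutObservationInterval, 60, "minutes")
    Debug.Print "Lockout duration:  " & ShowInterval(Domain.AutoUnlockInterval, 60, "minutes")
    Debug.Print "Max password age:  " & ShowInterval(Domain.MaxPasswordAge, 86400, "days")
    Debug.Print "Min password age:  " & ShowInterval(Domain.MinPasswordAge, 86400, "days")
    Debug.Print "Min length:        " & Domain.MinPasswordLength
    Debug.Print "History length:    " & Domain.PasswordHistoryLength

    ' Baseline thresholds are constructed; tighten them to your own standard.
    If Domain.MaxBadPasswordsAllowed = 0 Then
        Findings = Findings + 1: Debug.Print "  ! no account lockout"
    End If
    If Domain.MaxPasswordAge = -1 Then
        Findings = Findings + 1: Debug.Print "  ! passwords never expire"
    End If
    If Domain.MinPasswordLength < 6 Then
        Findings = Findings + 1: Debug.Print "  ! minimum length below 6 (-1 allows blank)"
    End If
    If Domain.PasswordHistoryLength < 1 Then
        Findings = Findings + 1: Debug.Print "  ! no password history"
    ElseIf Domain.MinPasswordAge = 0 Then
        Findings = Findings + 1: Debug.Print "  ! min age 0 lets users cycle past the history at once"
    End If
    AuditAccountPolicy = Findings
End Function
```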


Windows NT/2000 ADSI Scripting for System Administration
ISBN: 1578702194
Year: 2000
Pages: 194
Authors: Thomas Eck
