Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

notifying ADAM users when their password will expire

Last post 02-05-2010, 3:13 PM by tjward2. 3 replies.
  •  02-04-2010, 5:10 PM 7793

    notifying ADAM users when their password will expire

    I'm trying to notify my ADAM users when their password will expire. I have the following code which calculates when a password will expire based on the policy of the domain that the ADAM server is a part of. This works nicely.

    using System;
    using System.DirectoryServices;
    using System.DirectoryServices.ActiveDirectory;
    using System.Web.Security;

    // Returns how long until the user's password expires, or TimeSpan.Zero if the user
    // or the domain's maxPwdAge could not be determined.
    static TimeSpan GetTimeUntilPasswordExpires(string username)
    {
        TimeSpan? maxPwdAge = null;

        Domain domain = Domain.GetCurrentDomain(); //this line will throw an exception when this is run on a machine that isn't on the domain.
        DirectoryEntry root = domain.GetDirectoryEntry();

        using (domain)
        using (root)
        {
            //Get the maxPwdAge property from the Domain so we can check if our password is expired or not
            string[] policyAttributes = new string[] { "maxPwdAge" };
            using (DirectorySearcher ds = new DirectorySearcher(root, "(objectClass=domainDNS)", policyAttributes, SearchScope.Base))
            {
                SearchResult result = ds.FindOne();

                // maxPwdAge is stored as a negative interval in 100-nanosecond ticks;
                // long.MinValue means "passwords never expire" and would make Math.Abs overflow.
                long raw = (long)result.Properties["maxPwdAge"][0];
                long ticks = raw == long.MinValue ? 0 : Math.Abs(raw);

                if (ticks > 0)
                {
                    maxPwdAge = TimeSpan.FromTicks(ticks);
                }
            }

            //Check if the user's password is expired
            MembershipUser user = Membership.GetUser(username);
            if (user != null && maxPwdAge != null)
            {
                TimeSpan expiresIn = user.LastPasswordChangedDate + maxPwdAge.Value - DateTime.Now;
                return expiresIn;
            }
            return TimeSpan.Zero;
        }
    }

    As I mentioned, this works well for a machine on the domain. However, my production server is not on a domain so ADAM uses the password policy of the local machine. How would I modify the above code to query the maxPwdAge of the local machine's password policy instead of the domain password policy (which will throw an exception when the machine isn't on a domain)?

    Thanks,

    Trevor
  •  02-05-2010, 12:06 AM 7794 in reply to 7793

    Re: notifying ADAM users when their password will expire

    The bad news here is that you are going to have a difficult time with this. As far as I know, the only way to get the local policy in effect from the local machine is to invoke the LsaPolicy APIs. This is much uglier than what you are doing (although possible via p/invoke I assume) and I don't have a sample.

    The other bad thing is that your domain example will only work if GPO password policy has not been applied to the OU where the domain computer object is located (which is very common). If there is a password policy GPO, the expiration interval could be different. So, if you need a really general solution for calculating the expiration interval, it gets really complex.

    ADAM really should have a calculated attribute to get the effective maxPwdAge (it must know this to do the calc so why can't it tell you this?) but it currently doesn't. This is one of my pet peeves with the product.

    I believe (but am not positive) that if you call the LsaPolicy APIs to get the value, you'll get the effective interval from either local machine policy or from the domain. This might end up being the better way to go.

    My overall recommendation is to avoid pwd expiration with ADAM users. It tends to produce a poor user experience and is hard to deal with (as you are seeing). However, if you have a customer who wants or needs this, it can be difficult to ignore.

    Another way to do this is to integrate expiration at the application level and capture a password that is too old during the authentication event (where you have some UI already). It may be possible to have them change their password right there. You wouldn't use ADAM pwd expiration for this (you'd disable ADAM-enforced password expiration) but you could then have any policy and behavior you want. Just a thought.

    Sorry for the gloomy response. :)

  •  02-05-2010, 10:31 AM 7797 in reply to 7794

    Re: notifying ADAM users when their password will expire

    Thanks for the response Joe. Not the news I was hoping to hear :( I'll take a look at the LsaPolicy APIs and post back later with what I find out. As a short term solution I might just put the maxPwdAge value (since I know what it is) into my config file and read it from there.

    Cheers,
    Trevor
  •  02-05-2010, 3:13 PM 7800 in reply to 7797

    Re: notifying ADAM users when their password will expire

    Wow, a few hours of looking at that crap sure gives you a headache... unmanaged code isn't really my cup of tea... I'm going with dropping a maxPwdAge variable in a config file and keeping it in sync with the Local Security Policy. Doing it properly is NOT worth the hassle for my project! If anyone actually needs to do this, check out this link:

    http://www.pinvoke.net/default.aspx/advapi32.lsaopenpolicy

    It's a good starting point.

    Good Luck!
    Trevor
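An added example, not code posted by Trevor or Joe, covering both approaches discussed in the thread: it reads the local machine's maximum password age in unmanaged code via p/invoke (the case Trevor's production server is in, where ADAM follows the local policy), lets a config value override that query (Trevor's chosen workaround), and turns the result into an "expiring soon / expired" classification that an application-level check at logon, as Joe suggests, could act on. It calls netapi32's NetUserModalsGet (level 0, USER_MODALS_INFO_0), which reports the local SAM account policy's max password age in seconds, rather than the LsaPolicy functions named above; whether that value matches what ADAM actually enforces on a given server is an assumption to verify against the Local Security Policy. The class names, the appSettings key `maxPwdAgeDays` and the sample "changed 38 days ago" timestamp are all hypothetical, and the System.Configuration assembly must be referenced.

```csharp
using System;
using System.ComponentModel;
using System.Configuration;
using System.Runtime.InteropServices;

// Added example (not code from the thread): reads the local machine's maximum
// password age and turns it into an expiry warning for an ADAM user.
static class LocalPasswordPolicy
{
    // Layout of USER_MODALS_INFO_0 as filled in by NetUserModalsGet(level 0).
    [StructLayout(LayoutKind.Sequential)]
    private struct USER_MODALS_INFO_0
    {
        public uint usrmod0_min_passwd_len;
        public uint usrmod0_max_passwd_age;   // seconds, or TIMEQ_FOREVER
        public uint usrmod0_min_passwd_age;
        public uint usrmod0_force_logoff;
        public uint usrmod0_password_hist_len;
    }

    private const uint TIMEQ_FOREVER = 0xFFFFFFFF;  // "passwords never expire"
    private const uint NERR_Success = 0;

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    private static extern uint NetUserModalsGet(string servername, uint level, out IntPtr bufptr);

    [DllImport("netapi32.dll")]
    private static extern uint NetApiBufferFree(IntPtr buffer);

    // Maximum password age of the local SAM account policy (servername = null).
    // Returns null when the policy says passwords never expire.
    public static TimeSpan? GetMaxPasswordAge()
    {
        IntPtr buf;
        uint status = NetUserModalsGet(null, 0, out buf);
        if (status != NERR_Success)
            throw new Win32Exception((int)status, "NetUserModalsGet failed with status " + status);
        try
        {
            USER_MODALS_INFO_0 info = (USER_MODALS_INFO_0)Marshal.PtrToStructure(buf, typeof(USER_MODALS_INFO_0));
            if (info.usrmod0_max_passwd_age == TIMEQ_FOREVER)
                return null;
            return TimeSpan.FromSeconds(info.usrmod0_max_passwd_age);
        }
        finally
        {
            NetApiBufferFree(buf);   // the API allocates the buffer; the caller must free it
        }
    }
}

enum PasswordState { Ok, ExpiringSoon, Expired, NeverExpires }

static class PasswordExpiry
{
    // Hypothetical appSettings key (value in days). When present it overrides the
    // live policy query, which is the config-file approach from the thread.
    private const string ConfigKey = "maxPwdAgeDays";

    public static TimeSpan? GetEffectiveMaxPasswordAge()
    {
        string configured = ConfigurationManager.AppSettings[ConfigKey];
        if (!string.IsNullOrEmpty(configured))
            return TimeSpan.FromDays(double.Parse(configured));
        return LocalPasswordPolicy.GetMaxPasswordAge();
    }

    // Pure calculation: takes the MembershipUser.LastPasswordChangedDate value (or any
    // timestamp) and needs no directory, so it can be unit tested on its own.
    public static PasswordState Classify(DateTime lastChanged, TimeSpan? maxAge, DateTime now,
                                         TimeSpan warnWindow, out TimeSpan remaining)
    {
        if (maxAge == null)
        {
            remaining = TimeSpan.MaxValue;
            return PasswordState.NeverExpires;
        }
        remaining = lastChanged + maxAge.Value - now;
        if (remaining <= TimeSpan.Zero) return PasswordState.Expired;
        if (remaining <= warnWindow) return PasswordState.ExpiringSoon;
        return PasswordState.Ok;
    }

    static void Main()
    {
        TimeSpan? maxAge = GetEffectiveMaxPasswordAge();
        // Constructed sample input: pretend the user changed the password 38 days ago.
        DateTime lastChanged = DateTime.Now.AddDays(-38);
        TimeSpan remaining;
        PasswordState state = Classify(lastChanged, maxAge, DateTime.Now, TimeSpan.FromDays(7), out remaining);
        Console.WriteLine("Max age: {0}, state: {1}, remaining: {2}",
            maxAge.HasValue ? maxAge.Value.TotalDays + " days" : "never expires", state, remaining);
    }
}
```

Keeping `Classify` free of any directory or Win32 call is deliberate: the policy lookup is the part that differs between a domain-joined and a standalone server, while the expiry arithmetic is the same in both, so the arithmetic can be tested with fixed dates and only the lookup needs to be swapped (live query, config override, or the domain search from the first post).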