Determine AD password policy programmatically

余生分开走 2020-12-17 03:22

I have been using the System.DirectoryServices (ADSI) classes and methods to create and change users in an Active Directory.

Recently we added a feature

2 Answers
  • 2020-12-17 03:44

    I am working on a similar project at my work. We are rolling a forgot password application. I ended up just doing an Invoke("SetPassword", "[randomString]") and saved the random string for the Invoke("ChangePassword","[randomString]","[user supplied pw]"). The result of the ChangePassword was returned to the user.

    SetPassword does not check for password complexity or history rules. It is the same as right clicking a user in AD and selecting "Reset Password." ChangePassword, however, does check for password history requirements.

    0 Discussion (0)
  • 2020-12-17 03:45

    The complexity policy is that it must contain three out of five of these types:

    • Upper case letters
    • Lower case letters
    • Digits
    • Non-alphanumeric characters: ~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/
    • Unicode characters that are alphabetics but not uppercase or lowercase.

    It also can't be the sAMAccountName or displayName (or parts of). You can read about it here. The other password policy rules are in adjacent documents.

    You could try setting it and catch exceptions but from memory I don't think it tells you what's wrong with the password, just that it doesn't meet the requirements.

    0 Discussion (0)
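As an added example (not code from either answer), here is a local pre-check in C# that reports which complexity rule a candidate password breaks, since the directory call itself only reports that the requirements were not met. The class name, the sample account, and the delimiter and 3-character details of the name checks are assumptions taken from Microsoft's published description of the policy, not from this page; `char.IsUpper`/`char.IsLower` only approximate the letter classes the domain controller uses.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class AdComplexityPrecheck // hypothetical helper, not an AD API
{
    // Special characters exactly as listed in the answer above.
    const string Specials = "~!@#$%^&*_-+=`|(){}[]:;\"'<>,.?/";
    // displayName delimiters (assumption: per Microsoft's policy documentation).
    static readonly char[] Delims = { ',', '.', '-', '_', ' ', '#', '\t' };

    // Returns readable failures; an empty list means the local check passed.
    public static List<string> Check(string pw, string sam, string displayName)
    {
        var problems = new List<string>();
        int classes = new[] {
            pw.Any(char.IsUpper),
            pw.Any(char.IsLower),
            pw.Any(c => c >= '0' && c <= '9'),
            pw.Any(c => Specials.IndexOf(c) >= 0),
            // Alphabetic but neither upper nor lower case (e.g. CJK letters).
            pw.Any(c => char.IsLetter(c) && !char.IsUpper(c) && !char.IsLower(c)),
        }.Count(hit => hit);
        if (classes < 3)
            problems.Add("only " + classes + " of 5 character classes present, need 3");

        // sAMAccountName is tested whole; names under 3 characters are skipped.
        if (sam.Length >= 3 && pw.IndexOf(sam, StringComparison.OrdinalIgnoreCase) >= 0)
            problems.Add("contains the sAMAccountName");

        // displayName is split on delimiters; tokens under 3 characters are skipped.
        foreach (var token in displayName.Split(Delims, StringSplitOptions.RemoveEmptyEntries))
            if (token.Length >= 3 && pw.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
                problems.Add("contains displayName part '" + token + "'");
        return problems;
    }

    public static void Main()
    {
        // Constructed sample account and candidate passwords.
        foreach (var pw in new[] { "summer2020", "Jsmith!2020", "Tr1cky-Horse" })
        {
            var result = Check(pw, "jsmith", "Smith, John");
            var verdict = result.Count == 0 ? "ok" : string.Join("; ", result);
            Console.WriteLine(pw + ": " + verdict);
        }
    }
}
```

A pass here covers only the complexity rule; minimum length, history and minimum age are still decided by the domain controller when ChangePassword runs.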