Directory Programming .NET

Hi,

Through code is it possible to know domain joined by ADAM ? I mean what is the attribute in ADAM schema which keeps this information and how to get that?

Also how to get the security policy enforced into ADAM, like maxPwdAge, etc? I am able to get this security policy from domain but just wondering if it ispossible to get through ADAM. Also if ADAM is not part of any domain then it enforces security policy of server on which it is running, how do I get that?

Appreciate for your time.

Thanks

v 

I'm not sure if the ADAM database stores info related to whether the machine it is hosted on is domain joined or not.  I think you would need to get this from the machine itself by querying one of the various APIs that can provide this.

The password policy in effect (unfortunately) cannot be queried from ADAM as ADAM defers to OS level calls for password policy enforcement.  I assume you have to use some sort of LSA Policy API to get this information from the local machine, but I don't know exactly what API that is.

The policy in effect could either be set locally or applied through a GPO, although I don't know how you would determine that either.  It probably isn't important where it came from but instead more important to know what it is.

This is one of my biggest grips with ADAM.  It really should support is own password policy mechanism with mulitple policies like AD 2008 now supports.

Thanks Joe.

I agree that ADAM should support its own password policy mechanism.

As you said I am not very concerned from where policy came from but what it is. Right now I getting these policies from domain for domain user. But there could be possiblity that client may not have domain or may not want to join our server as a member of their domain. In that case we create workgroup and setup securiyt policy on server on which ADAM is running. So is there a way I can get this policy from ADAM? Or do I have to call server api's to get the policy? (if you know those api's let me know)

Also if I set ADAMDisablePasswordPolicies flag to 1 does it mean ADAM won't force any password policies on ADAM users?

Thanks

V

You would need some sort of server API call to get the local policy.  I just don't know what that is.  I'm guessing it is one of the LsaPolicyXXX calls, but I don't really know.

Setting that attribute should disable enforcement of password policy stuff.  That is often a good idea anyway since lockout and password expiration are often very difficult to manage at the application level.