AccountPolicy: Query/Set NT User Account Policy

Note

This tool is obsolete with NT4.0. You can do most of this using the NET ACCOUNTS command and some undocumented options. For more info see Microsoft Knowledge Base article Q194739.

I don't think that NT3.51 and below has this but I no longer have a machine handy to check.

Download

Download AccountPolicy V0.3 Executable and source (20k). Fixes "lockduration forever" bug and makes parameters case insensitive (the documentation implied they are, but they actually weren't).
Download AccountPolicy V0.2 Executable and source (29k)

Description

Allows setting of NT's User Account Policy of the local machine from the command line. It is almost functionally equivalent to the "Policy->Account" Menu in the User Manager tool, but is operated from the command line. It can set maximum and minimum password age, minimum password length, password history size, number of login attempts and time between them allowed before lockout, and the length that accounts are locked out.

It can be used by domain logon scripts, at jobs, lockdown scripts and the like.

It has been released under the GNU Public License (GPL).


Usage

When run without parameters, it will display the current account policy of the local machine. 
usage:  AccountPolicy [-h] [-l] [PwMaxAge n] [PwMinAge n] [PwMinLen n]
        [PwHistory n] [LockAfter n] [LockWindow n] [LockDuration n]

Options

-h       Show help and usage info.
-l       Show license and warranty.

Settable Parameters.

PwMaxAge    Maximum allowable password age before forced change.
PwMinAge    Minimum password age allowed before change permitted.
PwMinLen    Minimum allowable password length (characters)
PwHistory       Number of unique passwords remembered.
LockAfter       Number of failed login attempts allowed before locking account.
LockWindow      Period until failed login count reset.
LockDuration    Duration of account lockout.
Each parameter is specified in units appropriate for the parameter being set. You can force the use of diffent units, however this will generate a warning and may prevent the policy from being changed.

Available units are ([S]econds [M]inutes [H]ours [D]ays and [W]eeks) and are appended to the number.

Minimum age and Maximum Age are normally specified in days. Lock Window and Lock Duration are normally specfied in minutes.

History

I wrote this for a specific use, but I've just seen another case where it could be useful for me.

Since someone else may find it useful too, and I know of no other program with equivalent functionality, I'm turning it loose.

Bugs

None known, however this software hasn't seen much use and so should be considered of BETA quality.

The command-line parsing is not as good as it could be.

Not exactly a bug, but you can specify inappropriate units (such as a maximum password age of 5 seconds) which, while not exactly invalid, are likely to be extremely irritating in practice. You will get a warning, but if you asked for it, you got it.

Future

While the NetUser* API's support changing the policies on remote machines via NetBIOS, this program does not currently support this.

The option "User must log in to change password" that is present in User Administrator is not supported (It doesn't seem to be in the NetUser API's anywhere...)

Valid HTML 4.01!

Page last modified: $Date: 2022-05-25 $