How can you test if an AD password will meet configured complexity requirements?

Question

In a net 3.5 csharp application I need to know in advance if an AD password will meet configured complexity requirements.
How can you do that?

Answer 1

If you want to fetch the requirements from AD, then the links in @Leniel Macaferi's answer should help.

If you already know the expected requirements and your app is accepting the proposed password as a string, you can make the tests yourself. Some common requirements and ways to calculate them include:

• Minimum length: it's easy to check the length of the string
• Complexity: common requirements would be "at least three from this list: lowercase, uppercase, numbers, characters", so you want to create a counter, then use a regex to test if each condition matches and increment the counter for each one. So, for example, your regexes would be like [a-z], [A-Z], [0-9], [~!@#$%^&*()-_\+=<,>\.\?\/]; for each one that matches, add 1 to your counter. If the count at the end is less than your requirements, the password fails. (You could even be extra nice to the user and suggest one of the categories they missed, if you kept boolean variables for the categories they used and didn't use.)
• Easy guesses: You can create your own equality test to ensure that the user isn't picking a password that matches their username or other banned passwords.
• Recently-used passwords: Um, this one isn't so easy... you can't really figure it out without help from Active Directory.

Answer 2

These links may point you in the right track:

Change user password in ADS and check the domain password policy (C#)?

User Management with Active Directory—Managing Passwords for ADAM Users

Determining Domain-Wide Account Policies (this one appears to have what you need)