
3.1.5.4.4 SamrCreateUser2InDomain (Opnum 50)

The SamrCreateUser2InDomain method creates a user.

long SamrCreateUser2InDomain(
  [in] SAMPR_HANDLE DomainHandle,
  [in] PRPC_UNICODE_STRING Name,
  [in] unsigned long AccountType,
  [in] unsigned long DesiredAccess,
  [out] SAMPR_HANDLE* UserHandle,
  [out] unsigned long* GrantedAccess,
  [out] unsigned long* RelativeId
);

DomainHandle: An RPC context handle, as specified in section 2.2.3.2, representing a domain object.

Name: The value to use as the name of the user. See the message processing shown later in this section for details on how this value maps to the data model.

AccountType: A 32-bit value indicating the type of account to create. See the message processing shown later in this section for possible values.

DesiredAccess: The access requested on the UserHandle on output. See section 2.2.1.7 for a listing of possible values.

UserHandle: An RPC context handle, as specified in section 2.2.3.2.

GrantedAccess: The access granted on UserHandle.

RelativeId: The RID of the newly created user.

This protocol asks the RPC runtime, via the strict_context_handle attribute, to reject the use of context handles created by a method of a different RPC interface than this one, as specified in [MS-RPCE] section 3.

Upon receiving this message, the server MUST process the data from the message subject to the following constraints:

  1. The server MUST return an error if DomainHandle.HandleType is not equal to "Domain".

  2. DomainHandle.GrantedAccess MUST have the required access specified in section 3.1.2.1. Otherwise, the server MUST return STATUS_ACCESS_DENIED.

  3. If DomainHandle.Object refers to the built-in domain, the server MUST abort the request and return a failure code.

  4. The AccountType parameter from the message MUST be equal to exactly one value from the following list. If there is no match, an error status MUST be returned.

    • USER_NORMAL_ACCOUNT

    • USER_WORKSTATION_TRUST_ACCOUNT

    • USER_SERVER_TRUST_ACCOUNT

  5. All updates caused by this request MUST be performed in the same transaction.

  6. On successful completion of this method, a new database object MUST be created (subsequent constraints specify attributes for this new object).

  7. The following database attribute MUST be updated from the values provided in the message according to the following table.

    Database attribute    Message input
    sAMAccountName        Name

  8. The distinguishedName attribute MUST be updated with a value that conforms to the constraints as specified in section 3.1.5.14.1. Let the term Container-Object be the object with the distinguishedName of the suffix chosen in section 3.1.5.14.1 for the new object. For a computer object, for example, Container-Object is, by default, the object with the distinguishedName CN=Computers,<DN of account domain object>.

  9. The objectClass database attribute MUST be updated with a value determined as follows:

    1. If the AccountType parameter is USER_WORKSTATION_TRUST_ACCOUNT or USER_SERVER_TRUST_ACCOUNT, use computer.

    2. Otherwise, use user.

  10. The client's token MUST be retrieved using the method described in [MS-RPCE] section 3.3.3.4.3.

  11. The userAccountControl attribute MUST be updated with a value from the following table. AccountType is the AccountType parameter from the message.

    AccountType                      userAccountControl
    USER_NORMAL_ACCOUNT              UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE
    USER_WORKSTATION_TRUST_ACCOUNT   UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE*
    USER_SERVER_TRUST_ACCOUNT        UF_SERVER_TRUST_ACCOUNT | UF_ACCOUNTDISABLE

    *If all the following conditions hold true, then the userAccountControl attribute MUST be updated only with the UF_WORKSTATION_TRUST_ACCOUNT value.

    • The AccountType parameter is USER_WORKSTATION_TRUST_ACCOUNT.

    • The client does not have the ACTRL_DS_CREATE_CHILD access on the Container-Object object.

    • The RpcImpersonationAccessToken.Privileges[] field has the SE_MACHINE_ACCOUNT_NAME privilege (defined in [MS-LSAD] section 3.1.1.2.1).

  12. The security model for object creation specified in [MS-ADTS] section 5.1.3 MUST NOT be adhered to.

  13. If the client does not have the ACTRL_DS_CREATE_CHILD access right on the Container-Object object and the AccountType parameter is USER_WORKSTATION_TRUST_ACCOUNT, then:

    1. On a DC configuration:

      1. If the RpcImpersonationAccessToken.Privileges[] field does not have the SE_MACHINE_ACCOUNT_NAME privilege (defined in [MS-LSAD] section 3.1.1.2.1), return a processing error.

      2. Else:

        1. Let CallerSid be RpcImpersonationAccessToken.Sids[RpcImpersonationAccessToken.UserIndex].

        2. The number of computer objects in the domain with msDS-creatorSID equal to CallerSid MUST be less than the value of ms-DS-MachineAccountQuota on the account domain object. On error, abort and return a failure code.

        3. msDS-creatorSID MUST be set to CallerSid.

        4. The owner and group of the default security descriptor MUST be the Domain Admins SID for the domain in which the account is created.

    2. On a nonDC configuration:

      • The server MUST abort processing and return STATUS_ACCESS_DENIED.

  14. The return parameter of GrantedAccess MUST be set to DesiredAccess if DesiredAccess contains only valid access masks for the user object (see section 2.2.1.7); otherwise, the request MUST be aborted and STATUS_ACCESS_DENIED MUST be returned. Additionally, on a DC configuration, if the creation occurred because of a privilege (see step 11.a), the returned GrantedAccess MUST be restricted by the intersection of DesiredAccess and the following bits:

    • DELETE

    • USER_WRITE

    • USER_FORCE_PASSWORD_CHANGE

  15. If DesiredAccess contains the ACCESS_SYSTEM_SECURITY bit, the RpcImpersonationAccessToken.Privileges[] field MUST have the SE_SECURITY_NAME privilege (defined in [MS-LSAD] section 3.1.1.2.1). Otherwise, the server MUST abort processing and return STATUS_ACCESS_DENIED.
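The following is an added example, not part of MS-SAMR or any Microsoft implementation: it models the server-side decision of steps 3, 4, 9, 11, 13, 14 and 15 as a pure function, so that the quota, privilege and GrantedAccess outcomes can be checked offline. The AccountType and UF_* numeric values are taken from the public SAM headers, access rights are modelled by name, the Caller and Domain structures are constructed here, and the status names used for "error status", "processing error" and "failure code" are assumed.

```python
from dataclasses import dataclass, field

# AccountType values and UF_* flags as in the public SAM/AD headers (assumed, not on this page)
USER_NORMAL_ACCOUNT, USER_WORKSTATION_TRUST_ACCOUNT, USER_SERVER_TRUST_ACCOUNT = 0x10, 0x80, 0x100
UF_ACCOUNTDISABLE, UF_NORMAL_ACCOUNT = 0x2, 0x200
UF_WORKSTATION_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT = 0x1000, 0x2000
UF_FOR_TYPE = {USER_NORMAL_ACCOUNT: UF_NORMAL_ACCOUNT,
               USER_WORKSTATION_TRUST_ACCOUNT: UF_WORKSTATION_TRUST_ACCOUNT,
               USER_SERVER_TRUST_ACCOUNT: UF_SERVER_TRUST_ACCOUNT}
# Access rights are modelled by name; step 14 limits privilege-based creations to these three
PRIVILEGE_CREATION_RIGHTS = frozenset({"DELETE", "USER_WRITE", "USER_FORCE_PASSWORD_CHANGE"})
VALID_USER_RIGHTS = PRIVILEGE_CREATION_RIGHTS | {"USER_READ_GENERAL", "ACCESS_SYSTEM_SECURITY"}  # subset

@dataclass
class Caller:                       # the RpcImpersonationAccessToken, reduced to what the steps use
    sid: str
    privileges: frozenset = frozenset()
    has_create_child: bool = False  # ACTRL_DS_CREATE_CHILD on Container-Object

@dataclass
class Domain:
    is_dc: bool
    machine_account_quota: int      # ms-DS-MachineAccountQuota on the account domain object
    creator_counts: dict = field(default_factory=dict)  # CallerSid -> computers with that msDS-creatorSID

def create_user2(account_type, desired_access, caller, domain, builtin=False):
    """Apply steps 3, 4, 9, 11, 13, 14 and 15; return (status, result-or-None)."""
    if builtin:                                                   # step 3: built-in domain
        return "STATUS_FAILURE", None
    if account_type not in UF_FOR_TYPE:                           # step 4 (status name assumed)
        return "STATUS_INVALID_PARAMETER", None
    if not desired_access <= VALID_USER_RIGHTS:                   # step 14: invalid mask
        return "STATUS_ACCESS_DENIED", None
    if "ACCESS_SYSTEM_SECURITY" in desired_access and "SE_SECURITY_NAME" not in caller.privileges:
        return "STATUS_ACCESS_DENIED", None                       # step 15
    obj = {"objectClass": "user" if account_type == USER_NORMAL_ACCOUNT else "computer"}  # step 9
    obj["userAccountControl"] = UF_FOR_TYPE[account_type] | UF_ACCOUNTDISABLE            # step 11
    granted = desired_access
    if account_type == USER_WORKSTATION_TRUST_ACCOUNT and not caller.has_create_child:  # step 13
        if not domain.is_dc:                                      # 13.2: non-DC
            return "STATUS_ACCESS_DENIED", None
        if "SE_MACHINE_ACCOUNT_NAME" not in caller.privileges:    # 13.1.1 (status name assumed)
            return "STATUS_PRIVILEGE_NOT_HELD", None
        if domain.creator_counts.get(caller.sid, 0) >= domain.machine_account_quota:  # 13.1.2.2
            return "STATUS_QUOTA_EXCEEDED", None                   # "failure code" (name assumed)
        obj["userAccountControl"] = UF_WORKSTATION_TRUST_ACCOUNT  # step 11 footnote: not disabled
        obj["msDS-creatorSID"] = caller.sid                       # 13.1.2.3
        obj["owner"] = obj["group"] = "Domain Admins"             # 13.1.2.4
        granted = desired_access & PRIVILEGE_CREATION_RIGHTS      # step 14 restriction
    return "STATUS_SUCCESS", {"object": obj, "GrantedAccess": granted}
```

Running the quota case with creator_counts at the quota shows why a DC that enforces ms-DS-MachineAccountQuota also needs msDS-creatorSID populated consistently: the count in step 13.1.2.2 is derived from it.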

© 2014 Microsoft