3.1.5.1.6 Common Processing for Group, Alias, and User

This section specifies the message processing for SamrOpenGroup (section 3.1.5.1.7), SamrOpenAlias (section 3.1.5.1.8), and SamrOpenUser (section 3.1.5.1.9). Each one of these methods specifies the following "input" parameters for this common processing:

  • Target-Rid: A RID input parameter from the message.

  • Target-Object-Type: The intended object type to be opened.

  • Generic-Access-Mask-Mapping-Table: A mapping from a generic access (for example, GENERIC_READ) to a specific mapping (for example, DOMAIN_READ for domain objects).

  • Desired-Access-Mapping-Table: A table that maps access masks specific to this protocol to object ACE values. An example access mask specific to this protocol is USER_READ (section 2.2.1.7).

  • Output-Handle: An RPC context handle returned to the client that represents the object that is requested to be opened.

Upon receiving this message, the server MUST process the data from the message subject to the following constraints:

  1. The server MUST return an error if DomainHandle.HandleType (DomainHandle is an input parameter from the method) is not equal to "Domain".

  2. DomainHandle.GrantedAccess MUST have the required access specified in section 3.1.2.2. Otherwise, the server MUST return STATUS_ACCESS_DENIED.

  3. The server MUST translate the bits in DesiredAccess according to the Generic-Access-Mask-Mapping-Table.

  4. Let A be the database object, in the domain referenced by DomainHandle.Object, whose objectSid's RID is Target-Rid, and whose database object type is Target-Object-Type. If no such object exists, the server MUST return an error code.

  5. Let GrantedAccess be the union of all bits in the "DesiredAccess" column in the Desired-Access-Mapping-Table, where the client has the specified access (shown in the "Access mask" column) on the ntSecurityDescriptor on Target-Object. A missing value in the "Object ACE type" column means that the access mask applies to the entire object. [MS-ADTS] section 5.1.3.3.3 specifies how to determine the client's access.

  6. If DesiredAccess contains the MAXIMUM_ALLOWED bit, the server MUST create and return a SamContextHandle (section 3.1.1.10) via Output-Handle with its fields initialized as follows:

    • SamContextHandle.HandleType = "User" or "Group" or "Alias", depending on the type of A

    • SamContextHandle.Object = A

    • SamContextHandle.GrantedAccess = GrantedAccess

  7. If DesiredAccess does not contain the MAXIMUM_ALLOWED bit, the following constraint MUST be satisfied:

    1. If DesiredAccess contains bits not in GrantedAccess, the server MUST return STATUS_ACCESS_DENIED. Otherwise, the server MUST create and return a SamContextHandle (section 3.1.1.10) via Output-Handle with its fields initialized as follows:

      • SamContextHandle.HandleType = "User" or "Group" or "Alias", depending on the type of A

      • SamContextHandle.Object = A

      • SamContextHandle.GrantedAccess = DesiredAccess

  8. If any processing error occurred, the server MUST return that error. Otherwise, the server MUST return STATUS_SUCCESS to the client.
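The eight steps above are a complete open-handle algorithm, and the security-relevant detail is easy to miss in prose: with MAXIMUM_ALLOWED the handle carries only the bits the ACL actually grants (step 6), while an explicit DesiredAccess either fits entirely inside the granted set or the whole open fails (step 7); the resulting GrantedAccess is then fixed on the context handle for every later method. The following Python model is an added example of that processing, not code from the specification. The Generic-Access-Mask-Mapping-Table and Desired-Access-Mapping-Table rows, the object ACE type names, the effective-rights dictionary that stands in for the [MS-ADTS] 5.1.3.3.3 access evaluation, the DOMAIN_LOOKUP stand-in for the section 3.1.2.2 requirement, and the specific error code chosen where the text only says "an error" are all assumptions made here. The USER_*, READ_CONTROL and RIGHT_DS_* values are recalled from the relevant specifications and should be checked there; the GENERIC_* and MAXIMUM_ALLOWED values are the standard Windows access-mask bits.

```python
"""Model of the common open processing for SamrOpenUser/Group/Alias (section 3.1.5.1.6).
Added example; tables, sample objects and rights below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard Windows access-mask bits (not specific to this protocol).
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = 0x80000000, 0x40000000, 0x20000000, 0x10000000
MAXIMUM_ALLOWED = 0x02000000
READ_CONTROL = 0x00020000

# Protocol-specific user access bits (names from section 2.2.1.7; values as recalled, verify against the spec).
USER_READ_GENERAL, USER_READ_LOGON, USER_WRITE_ACCOUNT = 0x0001, 0x0008, 0x0020
USER_CHANGE_PASSWORD, USER_LIST_GROUPS = 0x0040, 0x0100
DOMAIN_LOOKUP = 0x0200  # assumed stand-in for the domain access section 3.1.2.2 requires

# Directory rights a client may hold on ntSecurityDescriptor ([MS-ADTS] names; used only as table keys).
RIGHT_DS_READ_PROPERTY, RIGHT_DS_WRITE_PROPERTY, RIGHT_DS_CONTROL_ACCESS = 0x10, 0x20, 0x100

# Constructed Generic-Access-Mask-Mapping-Table for user objects (illustrative, not the spec's table).
GENERIC_MAP_USER: Dict[int, int] = {
    GENERIC_READ:    READ_CONTROL | USER_READ_GENERAL | USER_READ_LOGON | USER_LIST_GROUPS,
    GENERIC_WRITE:   READ_CONTROL | USER_WRITE_ACCOUNT,
    GENERIC_EXECUTE: READ_CONTROL | USER_CHANGE_PASSWORD,
    GENERIC_ALL:     READ_CONTROL | USER_READ_GENERAL | USER_READ_LOGON | USER_LIST_GROUPS
                     | USER_WRITE_ACCOUNT | USER_CHANGE_PASSWORD,
}

# Constructed Desired-Access-Mapping-Table: (DesiredAccess bit, Access mask needed, Object ACE type).
# None in the ACE-type column means the access mask applies to the whole object (step 5).
DESIRED_MAP_USER: List[Tuple[int, int, Optional[str]]] = [
    (READ_CONTROL,         READ_CONTROL,            None),
    (USER_READ_GENERAL,    RIGHT_DS_READ_PROPERTY,  "General-Information"),
    (USER_READ_LOGON,      RIGHT_DS_READ_PROPERTY,  "Logon-Information"),
    (USER_LIST_GROUPS,     RIGHT_DS_READ_PROPERTY,  "Membership"),
    (USER_WRITE_ACCOUNT,   RIGHT_DS_WRITE_PROPERTY, "Account-Restrictions"),
    (USER_CHANGE_PASSWORD, RIGHT_DS_CONTROL_ACCESS, "User-Change-Password"),
]

@dataclass
class DbObject:
    rid: int
    object_type: str  # "User", "Group" or "Alias"
    # Simplified stand-in for the [MS-ADTS] 5.1.3.3.3 evaluation: the calling client's
    # effective rights on this object, keyed by object ACE type (None = whole object).
    effective_rights: Dict[Optional[str], int]

@dataclass
class SamContextHandle:
    HandleType: str
    Object: object
    GrantedAccess: int

def client_has_access(obj: DbObject, ace_type: Optional[str], mask: int) -> bool:
    """True if the client holds every bit of `mask` on `ace_type`; a right held on the
    whole object also covers each property/control right (modelling simplification)."""
    held = obj.effective_rights.get(None, 0) | obj.effective_rights.get(ace_type, 0)
    return (held & mask) == mask

def open_object(domain_handle: SamContextHandle, desired_access: int, target_rid: int,
                target_type: str, generic_map: Dict[int, int],
                desired_map: List[Tuple[int, int, Optional[str]]], domain_db: List[DbObject],
                required_domain_access: int) -> Tuple[str, Optional[SamContextHandle]]:
    """Steps 1-8 of section 3.1.5.1.6. Returns (NTSTATUS name, Output-Handle or None)."""
    if domain_handle.HandleType != "Domain":                      # step 1
        return "STATUS_INVALID_HANDLE", None                      # error code chosen by this example
    if (domain_handle.GrantedAccess & required_domain_access) != required_domain_access:  # step 2
        return "STATUS_ACCESS_DENIED", None
    for generic_bit, specific in generic_map.items():             # step 3: generic -> specific bits
        if desired_access & generic_bit:
            desired_access = (desired_access & ~generic_bit) | specific
    a = next((o for o in domain_db if o.rid == target_rid and o.object_type == target_type), None)
    if a is None:                                                 # step 4
        return "STATUS_NO_SUCH_" + target_type.upper(), None
    granted = 0                                                   # step 5: union of ACL-backed bits
    for desired_bit, required_mask, ace_type in desired_map:
        if client_has_access(a, ace_type, required_mask):
            granted |= desired_bit
    if desired_access & MAXIMUM_ALLOWED:                          # step 6: hand back what the ACL allows
        return "STATUS_SUCCESS", SamContextHandle(a.object_type, a, granted)
    if desired_access & ~granted:                                 # step 7: any bit not granted fails the open
        return "STATUS_ACCESS_DENIED", None
    return "STATUS_SUCCESS", SamContextHandle(a.object_type, a, desired_access)

def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Constructed scenarios; each value is (status, GrantedAccess of the returned handle or None)."""
    user = DbObject(1000, "User", {None: READ_CONTROL,
                                   "General-Information": RIGHT_DS_READ_PROPERTY,
                                   "Logon-Information": RIGHT_DS_READ_PROPERTY,
                                   "User-Change-Password": RIGHT_DS_CONTROL_ACCESS})
    db = [user]
    dom = SamContextHandle("Domain", "constructed-domain", DOMAIN_LOOKUP)
    bad = SamContextHandle("Server", "constructed-server", DOMAIN_LOOKUP)
    def run(handle, access, rid):
        status, h = open_object(handle, access, rid, "User", GENERIC_MAP_USER, DESIRED_MAP_USER, db, DOMAIN_LOOKUP)
        return status, (h.GrantedAccess if h else None)
    return {
        "max_allowed":  run(dom, MAXIMUM_ALLOWED, 1000),                       # only ACL-backed bits
        "generic_read": run(dom, GENERIC_READ, 1000),                          # USER_LIST_GROUPS not granted
        "explicit":     run(dom, USER_READ_GENERAL | USER_CHANGE_PASSWORD, 1000),
        "bad_handle":   run(bad, MAXIMUM_ALLOWED, 1000),
        "no_such_user": run(dom, MAXIMUM_ALLOWED, 4242),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result[0]}", f"GrantedAccess=0x{result[1]:X}" if result[1] is not None else "")
```

The generic_read scenario is the one worth studying: GENERIC_READ translates to a set that includes USER_LIST_GROUPS, the client lacks the matching property right, and step 7 rejects the whole open rather than returning a partial handle, so a caller that wants "whatever I am allowed" must ask for MAXIMUM_ALLOWED and then inspect GrantedAccess, which is exactly how the two branches differ.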