3.2.4.29.4 Computer Account Update over SAMR

This task accepts as input the following:

  • DomainController: the name of the domain controller on which to update the computer account.

  • CurrentSamAccountName: the SAM account name of the computer.

  • NewSamAccountName: the new SAM account name of the computer.

  • DomainAccount: the domain account to be used for accessing the computer account object in the directory service.

  • DomainAccountPassword: the password that matches DomainAccount.

The following definitions are used in the specification of message processing that follows:

  • LocalSMBSession: Contains the SMB state for the SMB/CIFS session established to the domain controller.

  • LocalServerHandle: Contains the RPC context handle representing a SAM RPC server object.

  • LocalDomainHandle: Contains the RPC context handle representing a domain object.

  • LocalUserHandle: Contains the RPC context handle representing a user object.

This task executes as follows:

  1. The server MUST establish an authenticated (2) SMB/CIFS session to the IPC$ share on the DomainController domain controller by invoking [MS-CIFS] section 3.4.4.7, specifying the following parameters:

    • ServerName = DomainController

    • UserCredentials = DomainAccount \ DomainAccountPassword

      Upon success, the server MUST store the result in LocalSMBSession.

  2. The server MUST update the SAM account name with NewSamAccountName using the following steps:

    1. The server MUST bind to the named pipe endpoint \PIPE\samr, as shown in [MS-SAMR] section 2.1.

    2. The server MUST connect to the SAM RPC server on the domain controller using one of the SamrConnect variants. See [MS-SAMR] section 1.7.2 for details about invoking the SamrConnect variants in order to determine the version and method supported by the RPC server. See [MS-SAMR] section 3.1.5.1 for using the Open pattern in the SAM interface.

      • ServerName = DomainController

      • DesiredAccess = GENERIC_ALL

        Upon success, the server MUST store the result in LocalServerHandle.

    3. The server MUST call SamrLookupDomainInSamServer ([MS-SAMR] section 3.1.5.11.1) to retrieve LocalDomainSID specifying the following parameters:

      • ServerHandle = LocalServerHandle

      • Name = the name of the local machine

    4. The server MUST call SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5) specifying the following parameters:

      • DesiredAccess = GENERIC_ALL

      • DomainId = the domain security identifier (SID) obtained from prior step

        Upon success, the server MUST store the result in LocalDomainHandle.

    5. The server MUST call SamrLookupNamesInDomain ([MS-SAMR] section 3.1.5.11.2) specifying the following parameters:

      • DomainHandle = LocalDomainHandle

      • Names = CurrentSamAccountName

    6. The server MUST call SamrOpenUser ([MS-SAMR] section 3.1.5.1.9) to obtain a handle to the computer account specifying the following parameters:

      • DomainHandle = the domain handle obtained from step 5

      • DesiredAccess = 0x0

      • UserId = the relative ID obtained from prior step

        Upon success, the server MUST store the result in LocalUserHandle.

    7. The server MUST call SamrSetInformationUser ([MS-SAMR] section 3.1.5.6.5) specifying the following parameters:

      • UserHandle = LocalUserHandle

      • UserInformationClass = UserAllInformation ([MS-SAMR] section 2.2.6.28)

      • Buffer = a buffer of type SAMPR_USER_ALL_INFORMATION that contains NewSamAccountName. See [MS-SAMR] section 2.2.6.6 for structure details.

    8. Regardless of whether an error was encountered in any of the preceding calls, any SAM RPC domain controller handles opened MUST be closed using the SamrCloseHandle method ([MS-SAMR] section 3.1.5.13.1).

  3. The server MUST disconnect the SMB/CIFS session ([MS-CIFS] section 3.2.4.24), specifying LocalSMBSession.
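
The handle lifecycle of steps 2.2 through 2.8, as an added example that is not part of the specification: every handle is recorded when it is opened and closed in reverse order on both the success and the error path, so a failed lookup does not leak context handles on the domain controller. FakeSam is a constructed in-memory stand-in for the SAM RPC server, update_computer_account is a hypothetical name, and the dictionary passed in step 2.7 is a simplified stand-in for SAMPR_USER_ALL_INFORMATION.

```python
# Added example: FakeSam is a constructed in-memory stand-in for the SAM RPC
# server; FakeSam and update_computer_account are hypothetical names.
GENERIC_ALL = 0x10000000  # generic-all bit of a Windows access mask

class FakeSam:
    def __init__(self, domain, accounts):
        self.domain, self.sid = domain, "S-1-5-21-1-2-3"  # constructed SID
        self.accounts = dict(accounts)  # RID -> SAM account name
        self.open_handles = {}          # handle -> object it refers to
        self._last = 0

    def _open(self, obj):
        self._last += 1
        self.open_handles[self._last] = obj
        return self._last

    def SamrConnect(self, server_name, desired_access):
        return self._open("server")

    def SamrLookupDomainInSamServer(self, server_handle, name):
        return self.sid  # stub hosts a single domain

    def SamrOpenDomain(self, server_handle, desired_access, domain_id):
        return self._open("domain")

    def SamrLookupNamesInDomain(self, domain_handle, names):
        rid_of = {name: rid for rid, name in self.accounts.items()}
        return [rid_of[n] for n in names]  # KeyError for an unknown name

    def SamrOpenUser(self, domain_handle, desired_access, user_id):
        return self._open(user_id)

    def SamrSetInformationUser(self, user_handle, info_class, buffer):
        self.accounts[self.open_handles[user_handle]] = buffer["UserName"]

    def SamrCloseHandle(self, handle):
        del self.open_handles[handle]

def update_computer_account(sam, dc, lookup_name, current_name, new_name):
    opened = []  # handles in the order they were opened
    try:
        opened.append(server := sam.SamrConnect(dc, GENERIC_ALL))              # 2.2
        sid = sam.SamrLookupDomainInSamServer(server, lookup_name)             # 2.3
        opened.append(domain := sam.SamrOpenDomain(server, GENERIC_ALL, sid))  # 2.4
        (rid,) = sam.SamrLookupNamesInDomain(domain, [current_name])           # 2.5
        opened.append(user := sam.SamrOpenUser(domain, 0x0, rid))              # 2.6
        sam.SamrSetInformationUser(user, "UserAllInformation", {"UserName": new_name})  # 2.7
    finally:
        for handle in reversed(opened):                                        # 2.8
            sam.SamrCloseHandle(handle)
```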