3.1.5.2.5 SamrEnumerateUsersInDomain (Opnum 13)

The SamrEnumerateUsersInDomain method enumerates all users.

 long SamrEnumerateUsersInDomain(
   [in] SAMPR_HANDLE DomainHandle,
   [in, out] unsigned long* EnumerationContext,
   [in] unsigned long UserAccountControl,
   [out] PSAMPR_ENUMERATION_BUFFER* Buffer,
   [in] unsigned long PreferedMaximumLength,
   [out] unsigned long* CountReturned
 );

DomainHandle: An RPC context handle, as specified in section 2.2.7.2, representing a domain object.

EnumerationContext: This value is a cookie that the server can use to continue an enumeration on a subsequent call. It is an opaque value to the client. To initiate a new enumeration the client sets EnumerationContext to zero. Otherwise the client sets EnumerationContext to a value returned by a previous call to the method.

UserAccountControl: A filter value to be used on the userAccountControl attribute.

Buffer: A list of user information, as specified in section 2.2.7.10.

PreferedMaximumLength: The requested maximum number of bytes to return in Buffer.

CountReturned: The count of domain elements returned in Buffer.

This protocol asks the RPC runtime, via the strict_context_handle attribute, to reject the use of context handles created by a method of a different RPC interface than this one, as specified in [MS-RPCE] section 3.

This method MUST be processed per the specifications in section 3.1.5.2.2, using the following object selection filter:

  1. The objectClass attribute value MUST be user or derived from user.

  2. The userAccountControl attribute value MUST contain all the bits in the method parameter UserAccountControl.

  3. The objectSid attribute value MUST have the domain prefix of the domain referenced by DomainHandle.

In addition, all of the following constraints MUST be satisfied before the constraints of section 3.1.5.2.2 are satisfied:

  1. If DomainHandle.Object is a reference to the account domain and the configuration is DC, the client MUST have the SAM-Enumerate-Entire-Domain control access right ([MS-ADTS] section 5.1.3.2.1) on the domain's ntSecurityDescriptor attribute value.

  2. The server MUST ignore the UF_LOCKOUT and UF_PASSWORD_EXPIRED bits in the UserAccountControl parameter.
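The selection filter and the ignored-bits constraint above can be modeled as follows. This is an added illustration, not code from the specification or from any SAM server implementation. It assumes the UserAccountControl parameter is already expressed in the same UF_ bit encoding as the userAccountControl attribute. The numeric UF_ values come from the Windows flag definitions rather than from this page, and the SIDs and objects are constructed sample data.

```python
# Added illustration of the object selection filter; not a SAM server.
# UF_* values are the Windows flag definitions (not given on this page).
UF_ACCOUNTDISABLE = 0x00000002
UF_LOCKOUT = 0x00000010
UF_NORMAL_ACCOUNT = 0x00000200
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_PASSWORD_EXPIRED = 0x00800000
IGNORED_FILTER_BITS = UF_LOCKOUT | UF_PASSWORD_EXPIRED


def domain_prefix(sid: str) -> str:
    """Return the SID with its last subauthority (the RID) removed."""
    return sid.rsplit("-", 1)[0]


def matches_filter(obj: dict, domain_sid: str, uac_filter: int) -> bool:
    # Constraint 2: drop the bits the server must ignore before comparing.
    wanted = uac_filter & ~IGNORED_FILTER_BITS
    return (
        "user" in obj["objectClass"]                          # filter 1: user or derived
        and (obj["userAccountControl"] & wanted) == wanted    # filter 2: all bits present
        and domain_prefix(obj["objectSid"]) == domain_sid     # filter 3: same domain prefix
    )


def enumerate_users(objects, domain_sid, uac_filter):
    """Names of the objects that the selection filter would return."""
    return [o["name"] for o in objects if matches_filter(o, domain_sid, uac_filter)]


# Constructed sample data (hypothetical domain SID and accounts).
DOMAIN = "S-1-5-21-1111-2222-3333"
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
OBJECTS = [
    {"name": "alice", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT, "objectSid": DOMAIN + "-1104"},
    {"name": "bob", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
     "objectSid": DOMAIN + "-1105"},
    # computer is derived from user, so machine accounts pass filter 1.
    {"name": "WS01$", "objectClass": USER_CLASSES + ["computer"],
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT, "objectSid": DOMAIN + "-1106"},
    {"name": "Helpdesk", "objectClass": ["top", "group"],
     "userAccountControl": 0, "objectSid": DOMAIN + "-1107"},
    {"name": "foreign", "objectClass": USER_CLASSES,
     "userAccountControl": UF_NORMAL_ACCOUNT, "objectSid": "S-1-5-21-9-9-9-1104"},
]
```

A filter of zero selects every user-class object in the domain, including machine accounts, which is why the SAM-Enumerate-Entire-Domain access check in constraint 1 matters when reviewing who can list accounts on a DC.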