3.1.1.5.2.4 Processing Specifics

  • For originating updates, a new objectGUID value is generated and set on the object. This value MUST NOT be the NULL GUID. For replicated updates, the received objectGUID is set on the object.

  • In AD DS, if the object is a security principal (according to its objectClass values), then for originating updates the objectSid value is generated and set on the object (see [MS-SAMR] sections 3.1.1.6 and 3.1.1.9). For replicated updates, the received objectSid is set on the object.

  • In AD LDS, if the object being added is an NC root and not the schema NC root, then it is given an objectSid value, ignoring schema constraints. The objectSid value ([MS-DTYP] section 2.4.2), with one SubAuthority value, is generated using the following algorithm:

    • The IdentifierAuthority value (6 bytes) is generated as follows: the first 2 bytes are zero, the high 4 bits of the third byte are 0001, and the remaining 3.5 bytes (the lower 4 bits of the third byte, and bytes 4, 5 and 6) are randomly generated.

    • The first SubAuthority value (DWORD) is randomly generated.

  • In AD LDS, if the object being added is an AD LDS security principal object (an object that is not an NC root and contains the objectSid attribute), then the objectSid value is generated using the following algorithm, which produces a SID with 5 SubAuthority values:

    • The Revision byte is 1.

    • The SubAuthorityCount is 5.

    • The IdentifierAuthority is set to the same value as the IdentifierAuthority of the SID of the NC root.

    • The first SubAuthority is set to the same value as the first SubAuthority of the SID of the NC root.

    • A randomly generated GUID value (16 bytes or 4 DWORDs) is taken as second, third, fourth, and fifth SubAuthority values of the new SID value. This GUID value is unrelated to the objectGUID value that is also generated randomly for the object being added. This GUID MUST NOT be the NULL GUID.

  • In AD LDS, if a group object is being created (that is, an object containing the value group in its objectClass), and the groupType attribute is not specified, then the following value is assigned to groupType: GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED.

  • In AD LDS, if an AD LDS user is being created, and the password value (either unicodePwd or userPassword) was not supplied, then the password value is defaulted to an empty string.

  • In AD LDS, if an AD LDS user is being created, and the password value is defaulted and does not satisfy the password policy in effect on the AD LDS server (as reported by SamrValidatePassword, [MS-SAMR] section 3.1.5.13.7), then the user is created in the disabled state; that is, msDS-UserAccountDisabled = TRUE. However, if the Add operation specifies the msDS-UserAccountDisabled attribute with the value of FALSE, the add returns constraintViolation / ERROR_PASSWORD_RESTRICTION. This processing rule is not effective if the LDAP policy ADAMDisablePasswordPolicies is equal to 1.

  • In AD LDS, if an AD LDS user is being created, then badPwdCount and badPasswordTime values are set to zero.

  • The nTSecurityDescriptor value is computed and set on the object (see section 6.1.3 for more details).

  • Any values specified for attributes that are marked as constructed in the schema are ignored, with one exception: the entryTTL attribute.

  • If the value of the entryTTL attribute is specified in the Add request, it is processed as follows:

    • If the value of the entryTTL attribute is less than the DynamicObjectMinTTL LDAP setting, then the entryTTL attribute is set to the value of the DynamicObjectMinTTL setting.

    • The current system time, plus the entryTTL attribute interpreted as seconds, is written into the msDS-Entry-Time-To-Die attribute.

  • If dynamicObject is present among objectClass values, but neither entryTTL nor msDS-Entry-Time-To-Die were specified in an originating update, then Add proceeds as if the value of the DynamicObjectDefaultTTL LDAP policy had been specified as the value of the entryTTL attribute.

  • Any values specified by the requester for the following attributes are ignored: distinguishedName, subRefs, uSNLastObjRem, uSNDSALastObjRemoved, uSNCreated, replPropertyMetaData, isDeleted, proxiedObjectName.

  • For an originating update, any value specified for the whenCreated attribute is ignored and its value is set to the current time according to the system clock on this DC.

  • If a value of the systemFlags attribute is specified by the requester, the DC removes any flags not listed below from the systemFlags value before storing it on the new object:

    • FLAG_CONFIG_ALLOW_RENAME

    • FLAG_CONFIG_ALLOW_MOVE

    • FLAG_CONFIG_ALLOW_LIMITED_MOVE

    • FLAG_ATTR_IS_RDN (removed unless the object is an attributeSchema object)

  • For the following scenarios, the DC sets additional bits in the systemFlags value of the object created:

    • server objects: FLAG_DISALLOW_MOVE_ON_DELETE, FLAG_CONFIG_ALLOW_RENAME, and FLAG_CONFIG_ALLOW_LIMITED_MOVE.

    • serversContainer and nTDSDSA objects: FLAG_DISALLOW_MOVE_ON_DELETE.

    • site object: FLAG_DISALLOW_MOVE_ON_DELETE and FLAG_CONFIG_ALLOW_RENAME.

    • siteLink, siteLinkBridge, and nTDSConnection objects: FLAG_CONFIG_ALLOW_RENAME.

    • Any object that is not mentioned above and whose parent is the Subnets Container (section 6.1.1.2.2.2): FLAG_CONFIG_ALLOW_RENAME.

    • Any object that is not mentioned above and whose parent is the Sites Container (section 6.1.1.2.2) except the Subnets Container (section 6.1.1.2.2.2) and the Inter-Site-Transports Container (section 6.1.1.2.2.3): FLAG_CONFIG_ALLOW_RENAME.

  • If a value for the objectCategory attribute was not specified by the requester, then it is defaulted to the current value of the defaultObjectCategory attribute on the classSchema object corresponding to the 88 object class or the most specific structural object class of the object being added.

  • The complete inheritance chain of object classes (starting from the most specific structural object class or 88 object class as well as from all dynamic auxiliary classes specified by the user) is computed and set. The correct ordering of objectClass values is performed (see section 3.1.1.2.4.3 for more details).

  • The value of the instanceType attribute is written. For originating updates of regular objects, it is IT_WRITE. For NC root object specifics, see NC-Add Operation (section 3.1.1.5.2.8). For replicated updates, the instanceType value computed by the IDL_DRSGetNCChanges client is written.

  • The distinguishedName attribute is written, matching the DN value of the supplied object.

  • The RDN attribute of the correct attribute type is written, as computed from the DN value of the supplied object.

  • If the showInAdvancedViewOnly value was not provided by the requester and the defaultHidingValue of the objectClass is TRUE, then the showInAdvancedViewOnly attribute value is set to TRUE.

  • If the Add assigns a value to an FPO-enabled attribute (section 3.1.1.5.2.3) of the new object, and the DN value in the add request has <SID=stringizedSid> format (section 3.1.1.3.1.2.4), then the DC creates a corresponding foreignSecurityPrincipal object in the ForeignSecurityPrincipals container (section 6.1.1.4.10) and assigns a reference to the new foreignSecurityPrincipal object as the FPO-enabled attribute value. [MS-SAMR] section 3.1.1.8.9 specifies the creation of the foreignSecurityPrincipal object.

  • If an attributeSchema or classSchema object is created in the schema NC, then the special processing described in section 3.1.1.2.5 is applied.

  • If an infrastructureUpdate object is created, then let O be the object that is created. If (O!dNReferenceUpdate has a value), then for each object P in each NC replica on the server, do the following:

    • Let S be the set of all attributes of P with attribute syntax Object(DS-DN), Object(DN-String), Object(DN-Binary), Object(OR-Name), or Object(Access-Point).

    • For each attribute A in set S and for each value V of A, do the following:

      • If the attribute syntax of A is Object(DS-DN), then let G be P.A.guid_value.

      • Otherwise, let G be P.A.V.object_DN.guid_value.

      • Let RG be O!dNReferenceUpdate.guid_value.

      • Let RD be O!dNReferenceUpdate.dn.

      • If (RG = G), then delete V from P.A.

      • If (RG = G) and A is not a link value attribute, then add the attribute value of O!dNReferenceUpdate to P.A.

      • If (RG = G) and A is a link value attribute and RDN of RD is not a delete-mangled RDN (see section 3.1.1.5.5), then add value of O!dNReferenceUpdate to P.A.

      • If (RG = G) and A is a link value attribute and RDN of RD is a delete-mangled RDN (see section 3.1.1.5.5) and the Recycle Bin optional feature is enabled (see section 3.1.1.9.1), then add the value of O!dNReferenceUpdate to P.A. However, this value is to be treated as a linked value to or from a deleted-object. That is, the value is not generally visible to LDAP clients unless the LDAP_SHOW_DEACTIVATED_LINK_OID control is used.

  • If a crossRef object is being created, the server MUST return ERROR_DS_ROLE_NOT_VERIFIED if the IsEffectiveRoleOwner(RoleObject(Config NC, DomainNamingMasterRole)) function specified in section 3.1.1.5.1.8 returns FALSE.
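The AD LDS objectSid rules above (the NC root SID with one SubAuthority and the security principal SID with five) as an added Python example; this is not text or code from MS-ADTS or any Microsoft implementation. It assumes the MS-DTYP 2.4.2 binary layout for SIDs and that the GUID's 16 bytes are copied into the four SubAuthority DWORDs as stored in memory, a byte order the section does not state.

```python
"""AD LDS objectSid construction for the two cases described above. Binary
layout follows MS-DTYP 2.4.2: Revision (1 byte), SubAuthorityCount (1 byte),
IdentifierAuthority (6 bytes, big-endian), then SubAuthorityCount LE DWORDs.
Assumed: the GUID's 16 bytes are copied as stored in memory (not stated above)."""
import os
import struct

NULL_GUID = bytes(16)


def nc_root_identifier_authority(rand: bytes = None) -> bytes:
    """6-byte IdentifierAuthority of an NC root: 2 zero bytes, then the nibble
    0001 followed by 28 random bits (the remaining 3.5 bytes)."""
    rand = rand if rand is not None else os.urandom(4)
    low28 = int.from_bytes(rand, "big") & 0x0FFFFFFF
    return b"\x00\x00" + struct.pack(">I", 0x10000000 | low28)


def build_nc_root_sid(rand_ia: bytes = None, rand_sub: int = None) -> bytes:
    """objectSid of a non-schema AD LDS NC root: Revision 1, one random SubAuthority."""
    sub = rand_sub if rand_sub is not None else struct.unpack("<I", os.urandom(4))[0]
    return bytes([1, 1]) + nc_root_identifier_authority(rand_ia) + struct.pack("<I", sub)


def build_principal_sid(nc_root_sid: bytes, guid: bytes = None) -> bytes:
    """objectSid of an AD LDS security principal: Revision 1, 5 SubAuthorities,
    the NC root's IdentifierAuthority and first SubAuthority, then a fresh
    16-byte GUID read as 4 DWORDs. The GUID MUST NOT be the NULL GUID."""
    guid = guid if guid is not None else os.urandom(16)
    if guid == NULL_GUID:
        raise ValueError("objectSid GUID MUST NOT be the NULL GUID")
    # nc_root_sid[2:8] = IdentifierAuthority, nc_root_sid[8:12] = first SubAuthority
    return bytes([1, 5]) + nc_root_sid[2:12] + guid


def sid_to_string(sid: bytes) -> str:
    """Render a binary SID in S-R-IA-sub1-... form (MS-DTYP 2.4.2.1)."""
    rev, count = sid[0], sid[1]
    ia = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:8 + 4 * count])
    ia_str = str(ia) if ia < 2 ** 32 else "0x%012X" % ia
    return "-".join(["S", str(rev), ia_str] + [str(s) for s in subs])


def is_ad_lds_principal_sid(sid: bytes, nc_root_sid: bytes) -> bool:
    """Check the rules above: revision 1, five SubAuthorities, IdentifierAuthority
    and first SubAuthority equal to the NC root's, non-NULL GUID in the tail."""
    return (len(sid) == 28 and sid[0] == 1 and sid[1] == 5
            and sid[2:12] == nc_root_sid[2:12] and sid[12:] != NULL_GUID)
```

The random inputs are exposed as parameters so the construction can be checked against fixed values; in normal use the defaults draw from os.urandom.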
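The systemFlags handling above (stripping requester-supplied bits, then adding the bits the DC sets for server, site and Sites Container children) as an added Python example; it is not code from MS-ADTS or any implementation. The numeric flag values come from the systemFlags attribute definition in MS-ADTS rather than from this section, DNs are assumed to contain no escaped commas, and the class names are matched against the most specific structural class.

```python
# systemFlags bit values from the MS-ADTS systemFlags attribute definition
# (not stated in this section).
FLAG_ATTR_IS_RDN = 0x00000020
FLAG_DISALLOW_MOVE_ON_DELETE = 0x02000000
FLAG_CONFIG_ALLOW_LIMITED_MOVE = 0x10000000
FLAG_CONFIG_ALLOW_MOVE = 0x20000000
FLAG_CONFIG_ALLOW_RENAME = 0x40000000

# Bits a requester is allowed to set; all others are stripped before storage.
# FLAG_ATTR_IS_RDN additionally survives only on attributeSchema objects.
REQUESTER_ALLOWED = (FLAG_CONFIG_ALLOW_RENAME | FLAG_CONFIG_ALLOW_MOVE
                     | FLAG_CONFIG_ALLOW_LIMITED_MOVE)

# Bits the DC itself adds, keyed by the most specific structural class.
CLASS_ADDED = {
    "server": (FLAG_DISALLOW_MOVE_ON_DELETE | FLAG_CONFIG_ALLOW_RENAME
               | FLAG_CONFIG_ALLOW_LIMITED_MOVE),
    "serversContainer": FLAG_DISALLOW_MOVE_ON_DELETE,
    "nTDSDSA": FLAG_DISALLOW_MOVE_ON_DELETE,
    "site": FLAG_DISALLOW_MOVE_ON_DELETE | FLAG_CONFIG_ALLOW_RENAME,
    "siteLink": FLAG_CONFIG_ALLOW_RENAME,
    "siteLinkBridge": FLAG_CONFIG_ALLOW_RENAME,
    "nTDSConnection": FLAG_CONFIG_ALLOW_RENAME,
}


def _same_dn(a: str, b: str) -> bool:
    """Case-insensitive DN comparison; assumes DNs without escaped commas."""
    return a.casefold() == b.casefold()


def compute_system_flags(requested: int, object_class: str, dn: str, config_nc: str) -> int:
    """systemFlags stored on a new object: mask the requester's value (0 when the
    requester supplied none), then add the class- or location-specific bits."""
    allowed = REQUESTER_ALLOWED | (FLAG_ATTR_IS_RDN if object_class == "attributeSchema" else 0)
    flags = requested & allowed
    if object_class in CLASS_ADDED:  # classes "mentioned above" get only their own bits
        return flags | CLASS_ADDED[object_class]
    parent = dn.partition(",")[2]
    sites = "CN=Sites," + config_nc
    subnets = "CN=Subnets," + sites
    transports = "CN=Inter-Site-Transports," + sites
    if _same_dn(parent, subnets):
        flags |= FLAG_CONFIG_ALLOW_RENAME
    elif _same_dn(parent, sites) and not (_same_dn(dn, subnets) or _same_dn(dn, transports)):
        flags |= FLAG_CONFIG_ALLOW_RENAME
    return flags
```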