1 Introduction

The Local Security Authority (Domain Policy) Remote Protocol is used to manage various machine and domain security policies. All versions of Windows NT operating system–based products, in all configurations, implement and listen on the server side of this protocol. However, not all operations are meaningful in all configurations.

This protocol, with minor exceptions, exists to enable remote policy-management scenarios. Consequently, the majority of this interface does not need to be implemented to achieve Windows client-to-server interoperability (with domain controllers or otherwise), where interoperability is defined as the ability of Windows clients to retrieve policy settings from servers.

Policy settings controlled by this protocol relate to the following:

  • Account objects: The rights and privileges that security principals have on the server.

  • Secret objects: Mechanisms that securely store data on the server.

  • Trusted domain objects: Mechanisms that the Windows operating system uses for describing trust relationships between domains and forests.

  • Other miscellaneous settings, such as Kerberos ticket lifetimes, the state of a domain controller (backup or primary), and other unrelated pieces of policy.

All of these types of policy are addressed in sections of this document that specify the server data model.

Sections 1.5, 1.8, 1.9, 2, and 3 of this specification are normative. All other sections and examples in this specification are informative.