7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs.

  • Windows NT operating system

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Server 2003 for Small Business Server 2003

  • Windows Server 2003 R2 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 2.1: By default, the "\PIPE\lsarpc" endpoint allows anonymous access on Windows NT 3.1 operating system, Windows NT 3.5 operating system, Windows NT 3.51 operating system, Windows NT 4.0 operating system, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, and Windows Vista RTM. Anonymous access to this pipe is removed by default on Windows Vista operating system with Service Pack 1 (SP1), Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 in both the non-domain controller configuration and the read-only domain controller configuration. The pipe access check happens before any other access check; therefore, it overrides any other access.

<2> Section 2.1: Windows implementations of the client and server role for this protocol use the tamper-resistance functionality provided by SMB transport on the products that are available, and are enabled as specified in [MS-SMB] section 3.1.1.1 (the MessageSigningPolicy parameter), and [MS-SMB2] section 3.1.1.1 (the RequireMessageSigning parameter).

<3> Section 2.1: If an implementation of the client role violates this specification and uses the RPC-provided security-support-provider mechanism for the RPC connection to a Windows implementation, Windows processes all messages as specified in section 3.1 (that is, there is no change in message processing behavior), except for the messages that use encryption specified in section 5.1. During encryption and decryption, Windows implementations for the server role use a hard-coded key instead of the SMB transport–provided session key. The hard-coded key is represented below as bytes in hexadecimal form.

"53 79 73 74 65 6d 4c 69-62 72 61 72 79 44 54 43"

<4> Section 2.1: The Windows implementation of the server role for this protocol supports the RPC-provided security-support-provider mechanisms, as specified in [MS-RPCE] section 3.2.1.4.1. The following security-support providers are registered by the responder.

Windows version

Security support provider registered

Windows NT, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10

RPC_C_AUTHN_WINNT

Windows 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016

RPC_C_AUTHN_WINNT

On the domain controllers the following are also supported:

RPC_C_AUTHN_GSS_KERBEROS

RPC_C_AUTHN_GSS_NEGOTIATE

<5> Section 2.1: Servers running Windows 2000, Windows XP, and Windows Server 2003 accept calls at any authentication level. Without [MSKB-3149090] installed, servers running Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 v1507 operating system, or Windows 10 v1511 operating system also accept calls at any authentication level.

<6> Section 2.1: The server implementation of this protocol in Windows 2000 Server operating system, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 places a limit of 1 MB on the packets received. The limit in Windows XP and Windows Server 2003 is 4 MB.

<7> Section 2.2: Data type fields that are described as "Reserved" or "MUST be ignored" are sent as 0 (or NULL in the case of pointers) by Windows client implementations, and are ignored upon receipt by Windows Server operating system implementations.

<8> Section 2.2: The following table is a timeline of when each structure, data type, or enumeration was introduced. All structures, data types, and enumerations listed in the table continue to be available in subsequent versions of Windows according to the applicability list at the beginning of this section.

Data type

Product

LSAPR_HANDLE (section 2.2.2.1)

Windows NT 3.1

STRING (section 2.2.3.1)

Windows NT 3.1

LSAPR_ACL (section 2.2.3.2)

Windows NT 3.1

SECURITY_DESCRIPTOR_CONTROL (section 2.2.3.3)

Windows NT 3.1

LSAPR_SECURITY_DESCRIPTOR (section 2.2.3.4)

Windows NT 3.1

SECURITY_IMPERSONATION_LEVEL (section 2.2.3.5)

Windows NT 3.1

SECURITY_CONTEXT_TRACKING_MODE (section 2.2.3.6)

Windows NT 3.1

SECURITY_QUALITY_OF_SERVICE (section 2.2.3.7)

Windows NT 3.1

LSAPR_OBJECT_ATTRIBUTES (section 2.2.2.4)

Windows NT 3.1

ACCESS_MASK (section 2.2.1.1)

Windows NT 3.1

SECURITY_INFORMATION (section 2.2.1.3)

Windows NT 3.1

LSAPR_POLICY_PRIVILEGE_DEF (section 2.2.8.1)

Windows NT 3.1

LSAPR_PRIVILEGE_ENUM_BUFFER (section 2.2.8.2)

Windows NT 3.1

LSAPR_ACCOUNT_INFORMATION (section 2.2.5.1)

Windows NT 3.1

LSAPR_ACCOUNT_ENUM_BUFFER (section 2.2.5.2)

Windows NT 3.1

POLICY_SYSTEM_ACCESS_CODE (section 2.2.1.2)

Windows NT 3.1

LSA_UNICODE_STRING (section 2.2.2.3)

Windows NT 3.1

LSAPR_TRUST_INFORMATION (section 2.2.7.1)

Windows NT 3.1

LSAPR_TRUSTED_DOMAIN_INFORMATION_BASIC (section 2.2.7.8)

Windows NT 3.1

LSAPR_SR_SECURITY_DESCRIPTOR (section 2.2.2.5)

Windows NT 3.1

POLICY_INFORMATION_CLASS (section 2.2.4.1)

Windows NT 3.1

POLICY_AUDIT_LOG_INFO (section 2.2.4.3)

Windows NT 3.1

LSAPR_POLICY_AUDIT_EVENTS_INFO (section 2.2.4.4)

Windows NT 3.1

LSAPR_POLICY_PRIMARY_DOM_INFO (section 2.2.4.5)

Windows NT 3.1

LSAPR_POLICY_ACCOUNT_DOM_INFO (section 2.2.4.6)

Windows NT 3.1

LSAPR_POLICY_PD_ACCOUNT_INFO (section 2.2.4.7)

Windows NT 3.1

POLICY_LSA_SERVER_ROLE (section 2.2.4.8)

Windows NT 3.1

POLICY_LSA_SERVER_ROLE_INFO (section 2.2.4.9)

Windows NT 3.1

LSAPR_POLICY_REPLICA_SRCE_INFO (section 2.2.4.10)

Windows NT 3.1

POLICY_MODIFICATION_INFO (section 2.2.4.11)

Windows NT 3.1

POLICY_AUDIT_FULL_SET_INFO (section 2.2.4.12)

Windows NT 3.1

POLICY_AUDIT_FULL_QUERY_INFO (section 2.2.4.13)

Windows NT 3.1

LSAPR_POLICY_DNS_DOMAIN_INFO (section 2.2.4.14)

Windows NT 3.1

LSAPR_POLICY_INFORMATION (section 2.2.4.2)

Windows 2000

LSAPR_TRUSTED_ENUM_BUFFER (section 2.2.7.19)

Windows NT 3.1

LSAPR_PRIVILEGE_SET (section 2.2.5.5)

Windows NT 3.1

TRUSTED_INFORMATION_CLASS (section 2.2.7.2)

Windows NT 3.1

LSAPR_TRUSTED_DOMAIN_INFO (section 2.2.7.3)

Windows NT 3.1

LSAPR_TRUSTED_DOMAIN_NAME_INFO (section 2.2.7.4)

Windows NT 3.1

LSAPR_TRUSTED_CONTROLLERS_INFO (section 2.2.7.5)

Windows NT 3.1

TRUSTED_POSIX_OFFSET_INFO (section 2.2.7.6)

Windows NT 3.1

LSAPR_TRUSTED_PASSWORD_INFO (section 2.2.7.7)

Windows NT 3.1

LSAPR_CR_CIPHER_VALUE (section 2.2.6.1)

Windows NT 3.51

LSAPR_USER_RIGHT_SET (section 2.2.5.3)

Windows NT 3.1

POLICY_DOMAIN_INFORMATION_CLASS (section 2.2.4.15)

Windows NT 3.51

LSAPR_POLICY_DOMAIN_INFORMATION (section 2.2.4.16)

Windows 2000

LSAPR_POLICY_DOMAIN_EFS_INFO (section 2.2.4.18)

Windows 2000

LSAPR_DOMAIN_KERBEROS_TICKET_INFO (section 2.2.4.19)

Windows 2000

LSAPR_TRUSTED_DOMAIN_INFORMATION_EX (section 2.2.7.9)

Windows 2000

LSAPR_TRUSTED_DOMAIN_INFORMATION_EX2 (section 2.2.7.10)

Windows 2000

LSAPR_AUTH_INFORMATION (section 2.2.7.17)

Windows XP

LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION (section 2.2.7.11)

Windows 2000

LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16)

Windows 2000

LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL (section 2.2.7.12)

Windows 2000

LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION (section 2.2.7.13)

Windows 2000

LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION_INTERNAL (section 2.2.7.14)

Windows 2000

LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION2 (section 2.2.7.15)

Windows XP

LUID ([MS-DTYP] section 2.3.7)

Windows NT 3.1

TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES (section 2.2.7.18)

Windows Vista

LSAPR_LUID_AND_ATTRIBUTES (section 2.2.5.4)

Windows NT 3.1

LSA_FOREST_TRUST_RECORD_TYPE (section 2.2.7.22)

Windows XP

LSA_FOREST_TRUST_BINARY_DATA (section 2.2.7.23)

Windows XP

LSA_FOREST_TRUST_DOMAIN_INFO (section 2.2.7.24)

Windows XP

LSA_FOREST_TRUST_RECORD (section 2.2.7.21)

Windows XP

LSA_FOREST_TRUST_INFORMATION (section 2.2.7.25)

Windows XP

LSA_FOREST_TRUST_COLLISION_RECORD_TYPE (section 2.2.7.26)

Windows XP

LSA_FOREST_TRUST_COLLISION_RECORD (section 2.2.7.27)

Windows XP

LSA_FOREST_TRUST_COLLISION_INFORMATION (section 2.2.7.28)

Windows XP

<9> Section 2.2.1.1.2: The following is a timeline of when each access mask was introduced. All access masks continue to be available in subsequent versions of Windows according to the applicability list at the beginning of this section.

Value

Product

0x00000000

Windows NT 3.1

POLICY_VIEW_LOCAL_INFORMATION

0x00000001

Windows NT 3.1

POLICY_VIEW_AUDIT_INFORMATION

0x00000002

Windows NT 3.1

POLICY_GET_PRIVATE_INFORMATION

0x00000004

Windows NT 3.1

POLICY_TRUST_ADMIN

0x00000008

Windows NT 3.1

POLICY_CREATE_ACCOUNT

0x00000010

Windows NT 3.1

POLICY_CREATE_SECRET

0x00000020

Windows NT 3.1

POLICY_CREATE_PRIVILEGE

0x00000040

Windows NT 3.1

POLICY_SET_DEFAULT_QUOTA_LIMITS

0x00000080

Windows NT 3.1

POLICY_SET_AUDIT_REQUIREMENTS

0x00000100

Windows NT 3.1

POLICY_AUDIT_LOG_ADMIN

0x00000200

Windows NT 3.1

POLICY_SERVER_ADMIN

0x00000400

Windows NT 3.1

POLICY_LOOKUP_NAMES

0x00000800

Windows NT 3.1

POLICY_NOTIFICATION

0x00001000

Windows 2000

<10> Section 2.2.1.1.5: The following is a timeline of when each access mask was introduced. All access masks continue to be available in subsequent versions of Windows according to the applicability list at the beginning of this section.

Value

Product

TRUSTED_QUERY_DOMAIN_NAME

0x00000001

Windows NT 3.1

TRUSTED_QUERY_CONTROLLERS

0x00000002

Windows NT 3.1

TRUSTED_SET_CONTROLLERS

0x00000004

Windows NT 3.1

TRUSTED_QUERY_POSIX

0x00000008

Windows NT 3.1

TRUSTED_SET_POSIX

0x00000010

Windows NT 3.1

TRUSTED_SET_AUTH

0x00000020

Windows 2000

TRUSTED_QUERY_AUTH

0x00000040

Windows 2000

<11> Section 2.2.1.2: The POLICY_MODE_ALL flag applies to Windows 2000 Server and later versions.

<12> Section 2.2.1.2: The POLICY_MODE_ALL_NT4 flag applies to Windows NT 3.1 through Windows NT 4.0.

<13> Section 2.2.1.2: The following is a timeline of when each mode was introduced. All modes continue to be available in subsequent versions of Windows according to the applicability list at the beginning of this section.

Value

Product

0x00000000

No access

Windows NT 3.1

0x00000001

POLICY_MODE_INTERACTIVE

Windows NT 3.1

0x00000002

POLICY_MODE_NETWORK

Windows NT 3.1

0x00000004

POLICY_MODE_BATCH

Windows NT 3.1

0x00000010

POLICY_MODE_SERVICE

Windows NT 3.1

0x00000020

POLICY_MODE_PROXY

Windows NT 3.1

0x00000040

POLICY_MODE_DENY_INTERACTIVE

Windows 2000

0x00000080

POLICY_MODE_DENY_NETWORK

Windows 2000

0x00000100

POLICY_MODE_DENY_BATCH

Windows 2000

0x00000200

POLICY_MODE_DENY_SERVICE

Windows 2000

0x00000400

POLICY_MODE_REMOTE_INTERACTIVE

Windows XP

0x00000800

POLICY_MODE_DENY_REMOTE_INTERACTIVE

Windows XP

<14> Section 2.2.2.4: The Windows implementation of the RPC client for this protocol leaves this structure to be filled by a higher-layer application and does not verify the structure's contents except for RootDirectory, which must be NULL.

<15> Section 2.2.2.5: In Windows NT, Windows 2000, Windows XP, and Windows XP operating system Service Pack 1 (SP1), the Windows RPC server and RPC client do not enforce restrictions on the Length field of this structure (using the range primitive specified in [MS-RPCE]).

<16> Section 2.2.4.1: The following is a timeline of when each enumeration value was introduced. All enumeration values continue to be available in subsequent versions of Windows according to the applicability list at the beginning of this section.

 Value

 Product

PolicyAuditLogInformation

Windows NT 3.1

PolicyAuditEventsInformation

Windows NT 3.1

PolicyPrimaryDomainInformation

Windows NT 3.1

PolicyPdAccountInformation

Windows NT 3.1

PolicyAccountDomainInformation

Windows NT 3.1

PolicyLsaServerRoleInformation

Windows NT 3.1

PolicyReplicaSourceInformation

Windows NT 3.1

PolicyInformationNotUsedOnWire

Windows NT 3.1

PolicyModificationInformation

Windows NT 3.1

PolicyAuditFullSetInformation

Windows NT 3.1

PolicyAuditFullQueryInformation

Windows NT 3.1

PolicyDnsDomainInformation

Windows 2000

PolicyDnsDomainInformationInt

Windows 2000

PolicyLocalAccountDomainInformation

Windows Vista

<17> Section 2.2.4.4: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the MaximumAuditEventCount field of this structure (using the range primitive, as specified in [MS-RPCE]).

<18> Section 2.2.4.14: The following applies to Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016.

The Windows RPC server always throws an RPC_S_PROCNUM_OUT_OF_RANGE exception for the message processing of LsarQueryInformationPolicy, LsarQueryInformationPolicy2, LsarSetInformationPolicy, and LsarSetInformationPolicy2, if the server is configured to emulate Windows NT 4.0 for PolicyDnsDomainInformation information level.

<19> Section 2.2.4.16: The PolicyDomainQualityOfServiceInformation enumeration value and corresponding POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO structure are parts of LSAPR_POLICY_DOMAIN_INFORMATION only in the Windows 2000 Server implementation of this protocol.

<20> Section 2.2.4.18: Microsoft implementations of the Local Security Authority (Domain Policy) Remote Protocol do not enforce data in EfsBlob to conform to the layout specified in [MS-GPEF] section 2.2.1.2.1.

<21> Section 2.2.5.3: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the Entries field of this structure (using the range primitive defined in [MS-RPCE]).

<22> Section 2.2.5.5: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the PrivilegeCount field of this structure (using the range primitive specified in [MS-RPCE]).

<23> Section 2.2.6.1: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the Length field of this structure (using the range primitive as specified in [MS-RPCE]).

<24> Section 2.2.6.1: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the MaximumLength field of this structure (using the range primitive defined in [MS-RPCE]).

<25> Section 2.2.7.2: The following is a timeline of when each enumeration value was introduced. All enumeration values continue to be available in subsequent versions of Windows according to the applicability list at the beginning of this section.

Value

Product

TrustedDomainNameInformation

Windows NT 3.1

TrustedControllersInformation

Windows NT 3.1

TrustedPosixOffsetInformation

Windows NT 3.1

TrustedPasswordInformation

Windows NT 3.51

TrustedDomainInformationBasic

Windows 2000

TrustedDomainInformationEx

Windows 2000

TrustedDomainAuthInformation

Windows 2000

TrustedDomainFullInformation

Windows 2000

TrustedDomainAuthInformationInternal

Windows 2000

TrustedDomainFullInformationInternal

Windows 2000

TrustedDomainInformationEx2Internal

Windows XP

TrustedDomainFullInformation2Internal

Windows XP

TrustedDomainSupportedEncryptionTypes

Windows Vista

<26> Section 2.2.7.5: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the Entries field of this structure (using the range primitive defined in [MS-RPCE]).

<27> Section 2.2.7.9: The following is a timeline of when each flag value was introduced. Unless otherwise specified, all flag values continue to be available in subsequent versions of Windows according to the applicability list at the beginning of this section.

Possible value

Value

Product

TANT (TRUST_ATTRIBUTE_NON_TRANSITIVE)

0x00000001

Windows 2000.

TAUO (TRUST_ATTRIBUTE_UPLEVEL_ONLY)

0x00000002

Windows 2000.

TAQD (TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)

0x00000004

Windows 2000 operating system Service Pack 2 (SP2) and Windows XP.

TAFT (TRUST_ATTRIBUTE_FOREST_TRANSITIVE)

0x00000008

Windows Server 2003.

TACO (TRUST_ATTRIBUTE_CROSS_ORGANIZATION)

0x00000010

Windows Server 2003.

TAWF (TRUST_ATTRIBUTE_WITHIN_FOREST)

0x00000020

Windows Server 2003.

TATE (TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)

0x00000040

Windows Server 2003.

TANC (TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION)

0x00000200

Windows Server 2012 operating system

TAPT (TRUST_ATTRIBUTE_PIM_TRUST)

0x00000400

Windows Server 2016

Obsolete

0x00400000

Introduced in Windows 2000 RTM. Became obsolete in Windows 2000 operating system Service Pack 4 (SP4).

Obsolete

0x00800000

Introduced in Windows 2000 RTM. Became obsolete in Windows 2000 SP4.

<28> Section 2.2.7.11: In Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008, the Windows RPC server and RPC client do not enforce restrictions on the IncomingAuthInfos field of this structure (using the range primitive defined in [MS-RPCE]).

<29> Section 2.2.7.11: In Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008, the Windows RPC server and RPC client do not enforce restrictions on the OutgoingAuthInfos field of this structure (using the range primitive defined in [MS-RPCE]).

<30> Section 2.2.7.16: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the AuthSize field of this structure (using the range primitive defined in [MS-RPCE]).

<31> Section 2.2.7.17: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the AuthInfoLength field of this structure (using the range primitive defined in [MS-RPCE]).

<32> Section 2.2.7.23: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the Length field of this structure (using the range primitive defined in [MS-RPCE]).

<33> Section 2.2.7.25: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the RecordCount field of this structure (using the range primitive defined in [MS-RPCE]).

<34> Section 3.1.1.1: A Windows responder for this protocol contains the following values for the policy object after setup.

Name

Value

Auditing Log Information

Windows maintains the following hard-coded information about the state of the audit log:

MaximumLogSize = 8192

AuditLogPercentFull = 0

AuditRetentionPeriod = 8533315

AuditLogFullShutdownInProgress = FALSE

TimeToShutdown = 288342

NextAuditRecordId = 0

Audit Full Information

Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 return STATUS_INVALID_PARAMETER for this information class.

Event Auditing Options

On Windows 2000 and Windows XP:

AuditingMode = FALSE

MaximumAuditEventCount = 9

EventAuditingOptions = { 0, 0, 0, 0, 0, 0, 0, 0, 0 }

 On Windows Server 2003 and Windows Server 2003 R2:

AuditingMode = TRUE

 MaximumAuditEventCount = 9

 EventAuditingOptions = { 0, 1, 0, 0, 0, 0, 0, 0, 1 }

 On Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016:

 AuditingMode = TRUE

MaximumAuditEventCount = 9

 EventAuditingOptions = { 0, 0, 0, 0, 0, 0, 0, 0, 0 }

Primary Domain Information

Name = <Workgroup Name>

 Sid = NULL

DNS Domain Information

Name = <Workgroup Name>

 DnsDomainName = <Empty String>

 DnsForestName = <Empty String>

 DomainGuid = { 0 }

 Sid = NULL

Account Domain Information

DomainName = <Machine Netbios name> DomainSid = < S-1-5-21-X-Y-Z> where X, Y, Z are random numbers

Server Role Information

LsaServerRole = PolicyServerRolePrimary

Replica Source Information

ReplicaSource=<Empty String>

ReplicaAccountName=<Empty String>

Kerberos Policy Information

<No value>

Encrypting File System (EFS) Policy Information

<No value>

Security Descriptor

The security descriptor in Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, Windows NT 4.0, and Windows 2000 can be expressed in Security Description Definition Language (SDDL), as specified in [MS-DTYP] section 2.5.1, as follows:

O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)

In Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016, the security descriptor can be expressed in SDDL as follows:

O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)(A;;0x0000801;;;AN)(A;;0x00001000;;;LS)(A;;0x00001000;;;NS)

In Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10, the security descriptor can be expressed in SDDL as follows:

O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)(A;;0x0000801;;;AN)(A;;0x00001000;;;LS)(A;;0x00001000;;;NS)(A;;0x00001000;;;S-1-5-17)

See sections 2.2.1.1.1 and 2.2.1.1.2 for the definitions of the generic and object-specific access rights, respectively, that are included in these security descriptors.

<35> Section 3.1.1.1: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 do not store this information.

<36> Section 3.1.1.1: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 do not store this information.

<37> Section 3.1.1.1: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 do not store this information.

<38> Section 3.1.1.1: Only the Windows 2000 implementation of this protocol stores quality of service information.

<39> Section 3.1.1.1: The security descriptor in Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, Windows NT 4.0, and Windows 2000 can be expressed in Security Description Definition Language (SDDL), as specified in [MS-DTYP] section 2.5.1, as follows:

O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)

In Windows XP, Windows Server 2003, and Windows Server 2003 R2, the security descriptor can be expressed in SDDL as follows:

O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)(A;;0x0000801;;;AN)(A;;0x00001000;;;LS) (A;;0x00001000;;;NS)

In Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016, the security descriptor can be expressed in SDDL as follows:

O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)(A;;0x0000801;;;AN)(A;;0x00001000;;;LS) (A;;0x00001000;;;NS) (A;;0x00001000;;;S-1-5-17)

See sections 2.2.1.1.1 and 2.2.1.1.2 for the definitions of the generic and object-specific access rights, respectively, that are included in these security descriptors.

<40> Section 3.1.1.1: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 domain controllers use the Netlogon Remote Protocol, as specified in [MS-NRPC] section 1.3.3, to converge Event Auditing Options abstract data. These versions of Windows do not implement Kerberos Policy Information abstract data.

Windows 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 domain controllers use the Group Policy: Security Protocol Extension, as specified in [MS-GPSB] section 2.2.2 to converge Kerberos Policy Information abstract data and [MS-GPSB] section 2.2.4 to converge Event Auditing Options abstract data.

<41> Section 3.1.1.2.1: The following is a timeline of when each privilege value was introduced. All privilege values continue to be supported in all subsequent versions of Windows according to the applicability list at the beginning of this section.

 Name

 Product

SE_ASSIGNPRIMARYTOKEN_NAME

"SeAssignPrimaryTokenPrivilege"

Windows NT 3.1

SE_AUDIT_NAME

"SeAuditPrivilege"

Windows NT 3.1

SE_BACKUP_NAME

"SeBackupPrivilege"

Windows NT 3.1

SE_CHANGE_NOTIFY_NAME

"SeChangeNotifyPrivilege"

Windows NT 3.1

SE_CREATE_GLOBAL_NAME

"SeCreateGlobalPrivilege"

Windows 2000 SP4, Windows XP operating system Service Pack 2 (SP2), and Windows Server 2003

SE_CREATE_PAGEFILE_NAME

"SeCreatePagefilePrivilege"

Windows NT 3.1

SE_CREATE_PERMANENT_NAME

"SeCreatePermanentPrivilege"

Windows NT 3.1

SE_CREATE_TOKEN_NAME

"SeCreateTokenPrivilege"

Windows NT 3.1

SE_DEBUG_NAME

"SeDebugPrivilege"

Windows NT 3.1

SE_ENABLE_DELEGATION_NAME

"SeEnableDelegationPrivilege"

Windows 2000

SE_IMPERSONATE_NAME

"SeImpersonatePrivilege"

Windows 2000 SP4, Windows XP SP2, and Windows Server 2003

SE_INC_BASE_PRIORITY_NAME

"SeIncreaseBasePriorityPrivilege"

Windows NT 3.1

SE_INCREASE_QUOTA_NAME

"SeIncreaseQuotaPrivilege"

Windows NT 3.1

SE_LOAD_DRIVER_NAME

"SeLoadDriverPrivilege"

Windows NT 3.1

SE_LOCK_MEMORY_NAME

"SeLockMemoryPrivilege"

Windows NT 3.1

SE_MACHINE_ACCOUNT_NAME

"SeMachineAccountPrivilege"

Windows NT 3.5

SE_MANAGE_VOLUME_NAME

"SeManageVolumePrivilege"

Windows 2000 SP4 and Windows XP

SE_PROF_SINGLE_PROCESS_NAME

"SeProfileSingleProcessPrivilege"

Windows NT 3.1

SE_REMOTE_SHUTDOWN_NAME

"SeRemoteShutdownPrivilege"

Windows NT 3.1

SE_RESTORE_NAME

"SeRestorePrivilege"

Windows NT 3.1

SE_SECURITY_NAME

"SeSecurityPrivilege"

Windows NT 3.1

SE_SHUTDOWN_NAME

"SeShutdownPrivilege"

Windows NT 3.1

SE_SYNC_AGENT_NAME

"SeSyncAgentPrivilege"

Windows 2000

SE_SYSTEM_ENVIRONMENT_NAME

"SeSystemEnvironment"

Windows NT 3.1

SE_SYSTEM_PROFILE_NAME

"SeSystemProfilePrivilege"

Windows NT 3.1

SE_SYSTEMTIME_NAME

"SeSystemtimePrivilege"

Windows NT 3.1

SE_TAKE_OWNERSHIP_NAME

"SeTakeOwnershipPrivilege"

Windows NT 3.1

SE_TCB_NAME

"SeTcbPrivilege"

Windows NT 3.1

SE_UNDOCK_NAME

"SeUndockPrivilege"

Windows NT 3.1

SE_CREATE_SYMBOLIC_LINK_NAME "SeCreateSymbolicLinkPrivilege"

Windows Vista

SE_INC_WORKING_SET_NAME "SeIncreaseWorkingSetPrivilege"

Windows Vista

SE_RELABEL_NAME

"SeRelabelPrivilege"

Windows Vista

SE_TIME_ZONE_NAME "SeTimeZonePrivilege"

Windows Vista

SE_TRUSTED_CREDMAN_ACCESS_NAME "SeTrustedCredManAccessPrivilege"

Windows Vista

<42> Section 3.1.1.2.2: Windows products implement the exact set of system access rights that the protocol supports for a given version. See the Windows Behavior note in section 2.2.1.2 for a timeline of the system access introduction.

<43> Section 3.1.1.3: The default security descriptor that is assigned to newly created account objects can be expressed in Security Description Definition Language (SDDL) as O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD).

See section 2.2.1.1.1 for the definitions of the generic access rights that are included in this security descriptor.

<44> Section 3.1.1.3: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 domain controllers use the Netlogon Remote Protocol, as specified in [MS-NRPC] section 1.3.3.

Windows 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 domain controllers use the Group Policy: Security Protocol Extension, as specified in [MS-GPSB] section 2.2.6.

<45> Section 3.1.1.4: The following is a timeline of when each secret name or name pattern was introduced. All secret names and name patterns continue to be available in subsequent versions of Windows according to the applicability list at the beginning of this section.

Secret name or name pattern

Product

Starts with "G$$"

Windows NT 3.1 operating system

Starts with "G$"

Windows NT 3.1

Starts with "L$"

Windows 2000

Starts with "M$"

Windows 2000

Starts with "_sc_"

Windows 2000

Starts with "NL$"

Windows 2000

Starts with "RasDialParams"

Windows 2000

Starts with "RasCredentials"

Windows 2000

Equal to "$MACHINE.ACC"

Windows NT 3.1

Equal to "SAC"

Windows 2000

Equal to "SAI"

Windows 2000

Equal to "SANSC"

Windows 2000

The Trusted Domain Secret type is used only in Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0.

For replication of secrets, Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 use Netlogon-based replication; while Windows 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 use Active Directory replication.

<46> Section 3.1.1.4: By default, the security descriptor assigned to newly created secret objects of type Local Secret can be expressed in Security Description Definition Language (SDDL) as O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD). This security descriptor implies that the secrets are shared between users by default, which means that a secret object created by an administrator is available to another administrator. An implementation can choose to not allow this behavior by assigning a different security descriptor.

See section 2.2.1.1.1 for the definitions of the generic access rights that are included in this security descriptor.

<47> Section 3.1.1.5: The following is a timeline of when each information value was introduced. All information values continue to be available in subsequent versions of Windows according to the applicability list at the beginning of this section.

 Name

 Product

Name

Windows NT 3.1

Flat Name

Windows 2000

Security Identifier

Windows NT 3.1

Trust Type

Windows 2000

Trust Direction

Windows 2000

Trust Attributes

Windows 2000

Posix Offset

Windows NT 3.1

Trust Incoming Passwords

Windows NT 3.51

Trust Outgoing Passwords

Windows NT 3.51

Forest Trust Information

Windows Server 2003

Supported Encryption Types

Windows Vista

Security Descriptor

Windows NT 3.1

<48> Section 3.1.1.6.1: The default setting value is FALSE for Windows NT, Windows 2000, and Windows XP. The default setting value is TRUE for Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016.

This setting can be set to FALSE on Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 by setting a "non-0" value on the following REG_DWORD registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock

Changes made to this setting must take effect immediately.

Note that the Boolean meaning of the TurnOffAnonymousBlock registry value is reversed from that of the LsaRestrictAnonymous setting in section 3.1.1.6.1.

<49> Section 3.1.4: The Windows implementation of this protocol asks the RPC engine to perform a strict Network Data Representation (NDR) data consistency check at target level 5.0 (as specified in [MS-RPCE] section 3) in Windows 2000 RTM, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016.

<50> Section 3.1.4: The Windows implementation of this protocol asks the RPC engine to include support for both NDR and NDR64 transfer syntaxes, in addition to the negotiation mechanism for determining what transfer syntax will be used (as specified in [MS-RPCE] section 3) in Windows XP RTM, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016.

<51> Section 3.1.4: The Windows implementation of this protocol asks the RPC engine via the strict_context_handle attribute to reject use of context handles created by a method of a different RPC interface from this one, as specified in [MS-RPCE] section 3.

<52> Section 3.1.4: The following is a timeline of when each method was introduced. All methods continue to be available in subsequent versions of Windows according to the applicability list at the beginning of this section.

 Method

 Product

LsarClose (section 3.1.4.9.4)

Windows NT 3.1

LsarEnumeratePrivileges (section 3.1.4.8.1)

Windows NT 3.1

LsarQuerySecurityObject (section 3.1.4.9.1)

Windows NT 3.1

LsarSetSecurityObject (section 3.1.4.9.2)

Windows NT 3.1

LsarOpenPolicy (section 3.1.4.4.2)

Windows NT 3.1

LsarQueryInformationPolicy (section 3.1.4.4.4)

Windows NT 3.1

LsarSetInformationPolicy (section 3.1.4.4.6)

Windows NT 3.1

LsarCreateAccount (section 3.1.4.5.1)

Windows NT 3.1

LsarEnumerateAccounts (section 3.1.4.5.2)

Windows NT 3.1

LsarCreateTrustedDomain (section 3.1.4.7.12)

Windows NT 3.1

LsarEnumerateTrustedDomains (section 3.1.4.7.8)

Windows NT 3.1

LsarCreateSecret (section 3.1.4.6.1)

Windows NT 3.1

LsarOpenAccount (section 3.1.4.5.3)

Windows NT 3.1

LsarEnumeratePrivilegesAccount (section 3.1.4.5.4)

Windows NT 3.1

LsarAddPrivilegesToAccount (section 3.1.4.5.5)

Windows NT 3.1

LsarRemovePrivilegesFromAccount (section 3.1.4.5.6)

Windows NT 3.1

LsarGetSystemAccessAccount (section 3.1.4.5.7)

Windows NT 3.1

LsarSetSystemAccessAccount (section 3.1.4.5.8)

Windows NT 3.1

LsarOpenTrustedDomain (section 3.1.4.7.1)

Windows NT 3.1

LsarQueryInfoTrustedDomain (section 3.1.4.7.13)

Windows NT 3.1

LsarSetInformationTrustedDomain (section 3.1.4.7.14)

Windows NT 3.1

LsarOpenSecret (section 3.1.4.6.2)

Windows NT 3.1

LsarSetSecret (section 3.1.4.6.3)

Windows NT 3.1

LsarQuerySecret (section 3.1.4.6.4)

Windows NT 3.1

LsarLookupPrivilegeValue (section 3.1.4.8.2)

Windows NT 3.1

LsarLookupPrivilegeName (section 3.1.4.8.3)

Windows NT 3.1

LsarLookupPrivilegeDisplayName (section 3.1.4.8.4)

Windows NT 3.1

LsarDeleteObject (section 3.1.4.9.3)

Windows NT 3.1

LsarEnumerateAccountsWithUserRight (section 3.1.4.5.9)

Windows NT 3.51

LsarEnumerateAccountRights (section 3.1.4.5.10)

Windows NT 3.51

LsarAddAccountRights (section 3.1.4.5.11)

Windows NT 3.51

LsarRemoveAccountRights (section 3.1.4.5.12)

Windows NT 3.51

LsarQueryTrustedDomainInfo (section 3.1.4.7.2)

Windows NT 3.51

LsarSetTrustedDomainInfo (section 3.1.4.7.3)

Windows NT 3.51

LsarDeleteTrustedDomain (section 3.1.4.7.4)

Windows NT 3.51

LsarStorePrivateData (section 3.1.4.6.5)

Windows NT 3.51

LsarRetrievePrivateData (section 3.1.4.6.6)

Windows NT 3.51

LsarOpenPolicy2 (section 3.1.4.4.1)

Windows NT 3.51

LsarQueryInformationPolicy2 (section 3.1.4.4.3)

Windows 2000

LsarSetInformationPolicy2 (section 3.1.4.4.5)

Windows 2000

LsarQueryTrustedDomainInfoByName (section 3.1.4.7.5)

Windows 2000

LsarSetTrustedDomainInfoByName (section 3.1.4.7.6)

Windows 2000

LsarEnumerateTrustedDomainsEx (section 3.1.4.7.7)

Windows 2000

LsarCreateTrustedDomainEx (section 3.1.4.7.11)

Windows 2000

LsarQueryDomainInformationPolicy (section 3.1.4.4.7)

Windows 2000

LsarSetDomainInformationPolicy (section 3.1.4.4.8)

Windows 2000

LsarOpenTrustedDomainByName (section 3.1.4.7.9)

Windows 2000

LsarCreateTrustedDomainEx2 (section 3.1.4.7.10)

Windows 2000

LsarQueryForestTrustInformation (section 3.1.4.7.15)

Windows XP

LsarSetForestTrustInformation (section 3.1.4.7.16)

Windows XP

<53> Section 3.1.4: Some gaps in the opnum numbering sequence correspond to opnums that are specified in [MS-LSAT]. All other gaps in the opnum numbering sequence apply to Windows as follows.

Opnum

Description

1

Used only locally by Windows, never remotely.

5

Not used by Windows.

9

Not used by Windows.

21

Not used by Windows.

22

Not used by Windows.

52

Not used by Windows.

56

Used only locally by Windows, never remotely.

60

Used only locally by Windows, never remotely.

61

Used only locally by Windows, never remotely.

62

Used only locally by Windows, never remotely.

63

Used only locally by Windows, never remotely.

64

Used only locally by Windows, never remotely.

65

Used only locally by Windows, never remotely.

66

Used only locally by Windows, never remotely.

67

Used only locally by Windows, never remotely.

69

Used only locally by Windows, never remotely.

70

Used only locally by Windows, never remotely.

71

Used only locally by Windows, never remotely.

72

Used only locally by Windows, never remotely.

75

Used only locally by Windows, never remotely.

<54> Section 3.1.4.4.1: The Windows RPC server for this protocol ignores this parameter except for the RootDirectory field. It verifies whether the value is NULL and returns STATUS_INVALID_PARAMETER if it is not.

<55> Section 3.1.4.4.2: The Windows RPC server for this protocol ignores this parameter except for the RootDirectory field. It verifies whether the value is NULL and returns STATUS_INVALID_PARAMETER if it is not.

<56> Section 3.1.4.4.3: Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 return STATUS_INVALID_PARAMETER for this information class.

<57> Section 3.1.4.4.3: In the case of Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016, the Windows RPC server always throws an RPC_NT_PROCNUM_OUT_OF_RANGE exception if the server is configured to emulate NT4 for PolicyDnsDomainInformation information level.

<58> Section 3.1.4.4.5: Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 return STATUS_INVALID_PARAMETER for this information class.

<59> Section 3.1.4.4.5: Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 behavior: The Windows RPC server always throws an RPC_NT_PROCNUM_OUT_OF_RANGE exception if the server is configured to emulate NT4 for PolicyDnsDomainInformation information level.

<60> Section 3.1.4.5.1: Windows checks whether the SID is valid, but does not validate the structure of the SID.

<61> Section 3.1.4.5.5: Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 ignore invalid LUIDs and return STATUS_SUCCESS instead of STATUS_INVALID_PARAMETER.

<62> Section 3.1.4.5.6: Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10 do not allow removal of "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeImpersonatePrivilege", and "SeCreateGlobalPrivilege" from accounts represented with SIDs "S-1-5-19" and "S-1-5-20". Such requests are rejected with STATUS_NOT_SUPPORTED.

<63> Section 3.1.4.5.9: Furthermore, Windows checks that the caller is a member of Builtin Administrators.

<64> Section 3.1.4.5.12: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 do not allow removal of "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeImpersonatePrivilege", and "SeCreateGlobalPrivilege" from accounts represented with SIDs "S-1-5-19" and "S-1-5-20". Such requests are rejected with STATUS_NOT_SUPPORTED.

<65> Section 3.1.4.6: Windows 2000 Server, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008 support these methods. Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 support these methods by default, but can be configured not to support them.

<66> Section 3.1.4.6.1: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 limit the secret name length to 128 characters. Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 return STATUS_NAME_TOO_LONG for lengths that are greater than 128 characters. Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 return STATUS_INVALID_PARAMETER for lengths that are greater than 128 characters.

<67> Section 3.1.4.6.1: Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 do not allow a secret whose name is prefixed by "G$$" to be created, and return STATUS_INVALID_PARAMETER to indicate this constraint failure to the caller.

<68> Section 3.1.4.6.1: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 operating system with Service Pack 1 (SP1), Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 do not allow the secret name to be "G$$", "G$", "L$", "M$", "_sc_", "NL$", "RasDialParams" or "RasCredentials". They return STATUS_INVALID_PARAMETER to indicate this constraint failure to the caller.

<69> Section 3.1.4.6.1: Global secrets (those that are prefixed with "G$") cannot be created on domain controllers on which the directory service is stopped. A request to create a global secret on a domain controller on which the directory service is stopped fails with status code STATUS_DIRECTORY_SERVICE_REQUIRED.

<70> Section 3.1.4.6.2: Windows 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 have a special case for secret name search for downlevel compatibility with Windows NT 3.1, Windows NT 3.5, and Windows NT 3.51. If the secret name is in the form "G$$<NAME>", where "<NAME>" matches the name of a trusted domain, the response is STATUS_SUCCESS. In this case, secret information is Authentication Information of type TRUST_AUTH_TYPE_CLEAR ([MS-ADTS] section 6.1.6.9.1.1, the AuthType field) from the trusted domain object.

<71> Section 3.1.4.6.3: Windows 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 have a special case for secret set operation for downlevel compatibility with Windows NT 3.1, Windows NT 3.5, and Windows NT 3.51. If the secret name is in the form "G$$<NAME>", where "<NAME>" matches the name of a trusted domain, the result is that the set request writes the secret value into the authentication information section of the trusted domain object. The access check in this case is identical to that required for setting authentication information on a trusted domain object, rather than that pertaining to changing a secret value.

<72> Section 3.1.4.6.3: If decryption of EncryptedCurrentValue fails, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, and Windows Vista return STATUS_UNKNOWN_REVISION (0xC0000058); Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 return STATUS_INVALID_PARAMETER_1 (0xC00000EF).

<73> Section 3.1.4.6.3: If decryption of EncryptedOldValue fails, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, and Windows Vista return STATUS_UNKNOWN_REVISION (0xC0000058); Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 return STATUS_INVALID_PARAMETER_1 (0xC00000EF).

<74> Section 3.1.4.6.4: Windows rejects the secret query requests of type "system" by returning STATUS_ACCESS_DENIED. Windows also rejects the secret query requests of type "local" from network clients with STATUS_ACCESS_DENIED.

<75> Section 3.1.4.6.4: If Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2 process a global secret with a value that has its Length field set to 0, they fill in the EncryptedCurrentValue with the following values before encryption.

 Length = 0
 MaximumLength = 0

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 set the value of EncryptedCurrentValue to NULL.

<76> Section 3.1.4.6.4: If Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2 process a global secret with a value that has its Length field set to 0, they fill in the EncryptedOldValue with the following values before encryption.

 Length = 0
 MaximumLength = 0

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 set the value of EncryptedOldValue to NULL.

<77> Section 3.1.4.6.5: If decryption of EncryptedData fails, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, and Windows Vista return STATUS_UNKNOWN_REVISION (0xC0000058); Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 return STATUS_INVALID_PARAMETER_1 (0xC00000EF).

<78> Section 3.1.4.7: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 use trusted domain objects on non–domain controllers to join a machine to a domain. Therefore, trusted domain object methods are allowed on these products even when the machine is not a domain controller. There is, however, one extra check in this case, which is that the trusted domain object's security identifier has to be the same as the security identifier in Primary Domain Information. This also artificially limits the number of trusted domain objects on such systems to one.

<79> Section 3.1.4.7.1: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 disallow callers that do not have the AuthenticatedUsers SID in their token from accessing trusted domain objects. Requests by such users are rejected with STATUS_ACCESS_DENIED.

<80> Section 3.1.4.7.1: On Windows 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016, Active Directory has to be running on the server in order for this request to succeed. Failing that, the STATUS_DIRECTORY_SERVICE_REQUIRED status code is returned.

<81> Section 3.1.4.7.3: Read-only domain controllers are supported on servers running Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. They return the STATUS_OBJECT_NAME_NOT_FOUND error.

<82> Section 3.1.4.7.3: Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 support these InformationClass values.

<83> Section 3.1.4.7.4: Read-only domain controllers are supported on servers running Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. They return the STATUS_OBJECT_NAME_NOT_FOUND error.

<84> Section 3.1.4.7.10: Windows Server 2003 for Small Business Server 2003 does not support this message. Attempts to create a TDO in this environment causes the server to return STATUS_NOT_SUPPORTED_ON_SBS.

<85> Section 3.1.4.7.10: The operation is not supported on Windows Server 2003 for Small Business Server 2003.

<86> Section 3.1.4.7.10: Servers running Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 return the STATUS_INVALID_DOMAIN_STATE error when the TRUST_ATTRIBUTE_FOREST_TRANSITIVE or the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit is set in the TrustAttributes field of the TrustedDomainInformation input parameter.

<87> Section 3.1.4.7.10: Read-only domain controllers are supported on servers running Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, or Windows Server 2016. They return the STATUS_OBJECT_NAME_NOT_FOUND error.

<88> Section 3.1.4.7.11: The operation is not supported on Windows Server 2003 for Small Business Server 2003.

<89> Section 3.1.4.7.12: The operation is not supported on Windows Server 2003 for Small Business Server 2003.

<90> Section 3.1.4.7.13: When not at DS_BEHAVIOR_WIN2003 forest functional level, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 hide the presence of the TRUST_ATTRIBUTE_FOREST_TRANSITIVE bit in the Trust Attributes field of a trusted domain object.

<91> Section 3.1.4.7.14: Servers running Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 return the STATUS_INVALID_INFO_CLASS error when the information class is TrustedDomainInformationBasic.

<92> Section 3.1.4.7.14: Servers running Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, or Windows Server 2016 return the STATUS_OBJECT_NAME_NOT_FOUND error.

<93> Section 3.1.4.9.1: The server will not return the security descriptor of objects that it stores in Active Directory. It will return the security descriptor of objects in its local policy only. The objects stored in Active Directory include Global Secrets and trusted domain objects in Windows 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. For objects that fall into this category, the server will return the STATUS_NOT_SUPPORTED status code.

<94> Section 3.1.4.9.2: The server will not return the security descriptor of objects that it stores in Active Directory. It will return the security descriptor of objects in its local policy only. The objects stored in Active Directory include Global Secrets and trusted domain objects. For objects that fall into this category, a Windows server returns the STATUS_NOT_SUPPORTED status code.

<95> Section 3.1.4.10: On Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016, when processing the LsarOpenSecret (section 3.1.4.6.2) and LsarCreateSecret (section 3.1.4.6.1) methods, the length of the string is allowed to not be a multiple of 2. If Length is not a multiple of 2, the length of the Unicode string will be assumed to be Length – 1.

<96> Section 3.1.4.10: Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 do not perform this check. On Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016, when processing the LsarOpenSecret and LSarCreateSecret methods, the Buffer field is allowed to contain zero or many NULL Unicode characters at the end of the string.

<97> Section 3.1.4.10: Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 implementations of this protocol do not validate the Luid.HighPart field.

<98> Section 3.1.4.10: Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 implementations of this protocol do not validate the Luid.LowPart field.

<99> Section 3.1.4.10: Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 implementations of this protocol do not validate the Attributes field.

Show: