3.1.5.12.1.2 SamrSetSecurityObject (Non-DC Configuration)

Upon receiving this message, the server MUST process the data from the message subject to all the following constraints:

  1. The access control specified in SecurityDescriptor MUST be a valid security descriptor containing simple ACEs; otherwise the server MUST return an error status. [MS-DTYP] section 2.4.6 contains the specification for a valid security descriptor.

  2. ObjectHandle.GrantedAccess MUST have the required access specified in the following table, based on the set bits in the SecurityInformation parameter. The server MUST ignore set bits in SecurityInformation that are not specified in the table. On error, the server MUST abort processing and return STATUS_ACCESS_DENIED.

    | Security information bits | Required access |
    |---|---|
    | SACL_SECURITY_INFORMATION | ACCESS_SYSTEM_SECURITY |
    | OWNER_SECURITY_INFORMATION | WRITE_OWNER |
    | GROUP_SECURITY_INFORMATION | WRITE_OWNER |
    | DACL_SECURITY_INFORMATION | WRITE_DAC |

  3. The server MUST update the ntSecurityDescriptor attribute value on the object referenced by ObjectHandle.Object such that all of the following constraints are satisfied:

    1. All accesses granted and denied in the input security descriptor (SecurityDescriptor) are granted and denied during subsequent method calls across this interface (for all time).

    2. If the target object is a domain object, all ACEs containing DOMAIN_CREATE_USER, DOMAIN_CREATE_ALIAS, or DOMAIN_CREATE_GROUP MUST grant or deny (depending on the type of ACE) the trustee of the ACE the ability to create a user, alias, or group as specified in SamrCreateUser2InDomain (section 3.1.5.4.4), SamrCreateAliasInDomain (section 3.1.5.4.3), or SamrCreateGroupInDomain (section 3.1.5.4.2).

    3. If the target object is a user object, all ACEs containing an access mask listed in the following table MUST grant or deny (depending on the type of ACE) the trustee of the ACE the ability to update the associated attributes.

      | Access mask | Attribute |
      |---|---|
      | USER_WRITE_ACCOUNT | sAMAccountName, displayName, primaryGroupId, homeDirectory, homeDrive, scriptPath, profilePath, Description, userWorkstations, logonHours, accountExpires, userAccountControl, userParameters |
      | USER_WRITE_PREFERENCE | comment, countryCode, codePage |
      | USER_FORCE_PASSWORD_CHANGE | clearTextPassword, pwdLastSet, dBCSPwd, unicodePwd |
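As an added illustration (not part of MS-SAMR or any server implementation), the following Python models the handle-access check of constraint 2 and the access-mask-to-attribute mapping of constraint 3.3; the SECURITY_INFORMATION and ACCESS_MASK bit values come from the MS-DTYP/Win32 definitions, the NTSTATUS codes from Windows, and the function names are this example's own.

```python
# SECURITY_INFORMATION bits (MS-DTYP 2.4.7) and standard ACCESS_MASK rights (MS-DTYP 2.4.3).
OWNER_SECURITY_INFORMATION = 0x00000001
GROUP_SECURITY_INFORMATION = 0x00000002
DACL_SECURITY_INFORMATION = 0x00000004
SACL_SECURITY_INFORMATION = 0x00000008

WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
ACCESS_SYSTEM_SECURITY = 0x01000000

STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022

# Constraint 2 table: each requested SecurityInformation bit -> right the handle must hold.
REQUIRED_ACCESS = {
    SACL_SECURITY_INFORMATION: ACCESS_SYSTEM_SECURITY,
    OWNER_SECURITY_INFORMATION: WRITE_OWNER,
    GROUP_SECURITY_INFORMATION: WRITE_OWNER,
    DACL_SECURITY_INFORMATION: WRITE_DAC,
}

# Constraint 3.3 table: user-object access mask -> attributes that mask governs.
USER_ATTRIBUTE_ACCESS = {
    "USER_WRITE_ACCOUNT": {"sAMAccountName", "displayName", "primaryGroupId", "homeDirectory",
                           "homeDrive", "scriptPath", "profilePath", "Description", "userWorkstations",
                           "logonHours", "accountExpires", "userAccountControl", "userParameters"},
    "USER_WRITE_PREFERENCE": {"comment", "countryCode", "codePage"},
    "USER_FORCE_PASSWORD_CHANGE": {"clearTextPassword", "pwdLastSet", "dBCSPwd", "unicodePwd"},
}


def required_access(security_information: int) -> int:
    """Union of the rights needed for the set SecurityInformation bits.
    Bits absent from the table (e.g. 0x10, LABEL) are ignored, as the spec requires."""
    needed = 0
    for bit, right in REQUIRED_ACCESS.items():
        if security_information & bit:
            needed |= right
    return needed


def check_set_security_object(granted_access: int, security_information: int) -> int:
    """Constraint 2: deny unless ObjectHandle.GrantedAccess covers every required right."""
    needed = required_access(security_information)
    if needed & ~granted_access:  # some required right is missing from the handle
        return STATUS_ACCESS_DENIED
    return STATUS_SUCCESS


def access_mask_for_attribute(attribute: str):
    """Constraint 3.3: which user-object access mask an ACE must carry to govern an attribute."""
    for mask, attributes in USER_ATTRIBUTE_ACCESS.items():
        if attribute in attributes:
            return mask
    return None  # attribute not covered by this section's table
```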