SamrGetUserDomainPasswordInformation (Opnum 44)

The SamrGetUserDomainPasswordInformation method obtains select password policy information (without requiring a domain handle).

 long SamrGetUserDomainPasswordInformation(
   [in] SAMPR_HANDLE UserHandle,

UserHandle: An RPC context handle, as specified in section, representing a user object.

PasswordInformation: Password policy information from the user's domain.

This protocol asks the RPC runtime, via the strict_context_handle attribute, to reject the use of context handles created by a method of a different RPC interface than this one, as specified in [MS-RPCE] section 3.

On receiving this message, the server MUST process the data from the message subject to the following constraints:

  1. The server MUST return an error if UserHandle.HandleType is not equal to "User".

  2. The security identity of the client MUST have DOMAIN_READ_PASSWORD_PARAMETERS access to the account domain object; if not, the server MUST abort processing and return STATUS_ACCESS_DENIED.

  3. If the RelativeId of the objectSid attribute of the user object referenced by UserHandle.Object is DOMAIN_USER_RID_KRBTGT, or if the userAccountControl attribute contains UF_INTERDOMAIN_TRUST_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT, or UF_SERVER_TRUST_ACCOUNT, then PasswordInformation MUST be set to all zeros, and the server MUST end processing and return STATUS_SUCCESS.

  4. The output parameter PasswordInformation.MinPasswordLength MUST be set to the Effective-MinimumPasswordLength attribute value (see section

  5. The output parameter PasswordInformation.PasswordProperties MUST be set to the pwdProperties attribute value on the account domain object. In addition:

    1. If the Effective-PasswordComplexityEnabled value (see section is set, PasswordInformation.PasswordProperties MUST contain DOMAIN_PASSWORD_COMPLEX.

    2. If the Effective-PasswordReversibleEncryptionEnabled value (see section is set, PasswordInformation.PasswordProperties MUST contain DOMAIN_PASSWORD_STORE_CLEARTEXT.