3.1.5.4.4 SamrCreateUser2InDomain (Opnum 50)

The SamrCreateUser2InDomain method creates a user.

 long SamrCreateUser2InDomain(
   [in] SAMPR_HANDLE DomainHandle,
   [in] PRPC_UNICODE_STRING Name,
   [in] unsigned long AccountType,
   [in] unsigned long DesiredAccess,
   [out] SAMPR_HANDLE* UserHandle,
   [out] unsigned long* GrantedAccess,
   [out] unsigned long* RelativeId
 );

DomainHandle: An RPC context handle, as specified in section 2.2.7.2, representing a domain object.

Name: The value to use as the name of the user. See the message processing shown later in this section for details on how this value maps to the data model.

AccountType: A 32-bit value indicating the type of account to create. See the message processing shown later in this section for possible values.

DesiredAccess: The access requested on the UserHandle on output. See section 2.2.1.7 for a listing of possible values.

UserHandle: An RPC context handle, as specified in section 2.2.7.2.

GrantedAccess: The access granted on UserHandle.

RelativeId: The RID of the newly created user.

This protocol asks the RPC runtime, via the strict_context_handle attribute, to reject the use of context handles created by a method of a different RPC interface than this one, as specified in [MS-RPCE] section 3.

Upon receiving this message, the server MUST process the data from the message subject to the following constraints:

  1. The server MUST return an error if DomainHandle.HandleType is not equal to "Domain".

  2. DomainHandle.GrantedAccess MUST have the required access specified in section 3.1.2.2. Otherwise, the server MUST return STATUS_ACCESS_DENIED.

  3. If DomainHandle.Object refers to the built-in domain, the server MUST abort the request and return a failure code.

  4. The AccountType parameter from the message MUST be equal to exactly one value from the following list. If there is no match, an error status MUST be returned.

    • USER_NORMAL_ACCOUNT

    • USER_WORKSTATION_TRUST_ACCOUNT

    • USER_SERVER_TRUST_ACCOUNT

  5. All updates caused by this request MUST be performed in the same transaction.

  6. On successful completion of this method, a new database object MUST be created (subsequent constraints specify attributes for this new object).

  7. The following database attribute MUST be updated from the values provided in the message according to the following table.

    Database attribute    Message input
    ------------------    -------------
    sAMAccountName        Name

  8. The distinguishedName attribute MUST be updated with a value that conforms to the constraints as specified in section 3.1.5.14.1. Let the term Container-Object be the object with the distinguishedName of the suffix chosen in section 3.1.5.14.1 for the new object. For a computer object, for example, Container-Object is, by default, the object with the distinguishedName CN=Computers,<DN of account domain object>.

  9. The objectClass database attribute MUST be updated with a value determined as follows:

    1. If the AccountType parameter is USER_WORKSTATION_TRUST_ACCOUNT or USER_SERVER_TRUST_ACCOUNT, use computer.

    2. Otherwise, use user.

  10. The client's token MUST be retrieved using the method described in [MS-RPCE] section 3.3.3.4.3.

  11. The userAccountControl attribute MUST be updated with a value from the following table. AccountType is the AccountType parameter from the message.

    AccountType                       userAccountControl
    ------------------------------    -------------------------------------------------
    USER_NORMAL_ACCOUNT               UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE
    USER_WORKSTATION_TRUST_ACCOUNT    UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE*
    USER_SERVER_TRUST_ACCOUNT         UF_SERVER_TRUST_ACCOUNT | UF_ACCOUNTDISABLE

    *If all the following conditions hold true, then the userAccountControl attribute MUST be updated only with the UF_WORKSTATION_TRUST_ACCOUNT value.

    • The AccountType parameter is USER_WORKSTATION_TRUST_ACCOUNT.

    • The client does not have the ACTRL_DS_CREATE_CHILD access on the Container-Object object.

    • The RpcImpersonationAccessToken.Privileges[] field has the SE_MACHINE_ACCOUNT_NAME privilege (defined in [MS-LSAD] section 3.1.1.2.1).

  12. The security model for object creation specified in [MS-ADTS] section 5.1.3 MUST NOT be adhered to.

  13. If the client does not have the ACTRL_DS_CREATE_CHILD access right on the Container-Object object, the client is not otherwise denied access due to an explicit DENY ACE<55>, and the AccountType parameter is USER_WORKSTATION_TRUST_ACCOUNT, then:

    1. On a DC configuration:

      1. If the RpcImpersonationAccessToken.Privileges[] field does not have the SE_MACHINE_ACCOUNT_NAME privilege (defined in [MS-LSAD] section 3.1.1.2.1), return a processing error.

      2. Else:

        1. Let CallerSid be RpcImpersonationAccessToken.Sids[RpcImpersonationAccessToken.UserIndex].

        2. Let CallerPrimaryGroup be RpcImpersonationAccessToken.PrimaryGroup.

        3. If CallerPrimaryGroup is not equal to DOMAIN_GROUP_RID_COMPUTERS, then:

          1. The number of computer objects in the domain with msDS-creatorSID equal to CallerSid MUST be less than the value of ms-DS-MachineAccountQuota on the account domain object. On error, abort and return a failure code.

        4. If CallerPrimaryGroup is equal to DOMAIN_GROUP_RID_COMPUTERS, then<56>:

          1. If the domain SID portion of CallerSid is different from the current domain SID, return a failure code.

          2. The server MUST compute the sum of all computer objects in the domain created by CallerSid and transitively created by other computer objects created by CallerSid. This sum MUST be less than the value of ms-DS-MachineAccountQuota on the account domain object. On error, abort and return a failure code.

        5. If the previous constraints are met, then:

          1. msDS-creatorSID MUST be set to CallerSid.

          2. The owner and group of the default security descriptor MUST be the Domain Admins SID for the domain in which the account is created.

    2. On a non-DC configuration:

      • The server MUST abort processing and return STATUS_ACCESS_DENIED.

  14. The return parameter of GrantedAccess MUST be set to DesiredAccess if DesiredAccess contains only valid access masks for the user object (see section 2.2.1.7); otherwise, the request MUST be aborted and STATUS_ACCESS_DENIED MUST be returned. Additionally, on a DC configuration, if the creation occurred because of a privilege (see step 13.1), the returned GrantedAccess MUST be restricted by the intersection of DesiredAccess and the following bits:

    • DELETE

    • USER_WRITE

    • USER_FORCE_PASSWORD_CHANGE

  15. If DesiredAccess contains the ACCESS_SYSTEM_SECURITY bit, the RpcImpersonationAccessToken.Privileges[] field MUST have the SE_SECURITY_NAME privilege (defined in [MS-LSAD] section 3.1.1.2.1). Otherwise, the server MUST abort processing and return STATUS_ACCESS_DENIED.
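As an added example (not part of [MS-SAMR] or of any Microsoft implementation), the following Python models the DC-side decision for a USER_WORKSTATION_TRUST_ACCOUNT request across steps 11 and 13, including the transitive ms-DS-MachineAccountQuota count of step 13.1.2.4.2; the Token and Domain classes, the SID strings and the sample directory are assumptions constructed for illustration, and the UF_ bit values and RID 515 are the well-known ones.

```python
from dataclasses import dataclass, field

UF_ACCOUNTDISABLE = 0x0002            # well-known userAccountControl bits
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
DOMAIN_GROUP_RID_COMPUTERS = 515      # well-known RID of Domain Computers

@dataclass
class Token:                 # assumed subset of RpcImpersonationAccessToken
    caller_sid: str          # Sids[UserIndex]
    primary_group_rid: int   # PrimaryGroup
    privileges: frozenset    # Privileges[] by name
    has_create_child: bool   # ACTRL_DS_CREATE_CHILD on Container-Object

@dataclass
class Domain:                # assumed view of the account domain object
    sid: str
    machine_account_quota: int                      # ms-DS-MachineAccountQuota
    computers: list = field(default_factory=list)   # {"sid": ..., "creator_sid": ...}

def transitive_count(domain, creator_sid):
    """Step 13.1.2.4.2: computers created by creator_sid, plus computers created
    by those computers, and so on; each object is counted once."""
    seen, frontier = set(), {creator_sid}
    while frontier:
        made = {c["sid"] for c in domain.computers
                if c["creator_sid"] in frontier and c["sid"] not in seen}
        seen |= made
        frontier = made
    return len(seen)

def workstation_create_decision(domain, token):
    """Steps 11 and 13 for AccountType == USER_WORKSTATION_TRUST_ACCOUNT on a DC.
    Returns (allowed, userAccountControl, created_by_privilege)."""
    if token.has_create_child:              # ACL path; step 13 does not apply
        return True, UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE, False
    if "SE_MACHINE_ACCOUNT_NAME" not in token.privileges:        # step 13.1.1
        return False, 0, False
    if token.primary_group_rid != DOMAIN_GROUP_RID_COMPUTERS:    # step 13.1.2.3
        used = sum(c["creator_sid"] == token.caller_sid for c in domain.computers)
    else:                                                        # step 13.1.2.4
        if token.caller_sid.rsplit("-", 1)[0] != domain.sid:     # foreign-domain SID
            return False, 0, False
        used = transitive_count(domain, token.caller_sid)
    if used >= domain.machine_account_quota:
        return False, 0, False
    return True, UF_WORKSTATION_TRUST_ACCOUNT, True  # step 11 footnote: not disabled

# Constructed sample: user RID 1105 created 2001 and 2002; computer 2001 created 2003.
DOMAIN = Domain("S-1-5-21-1-2-3", 3, [{"sid": f"S-1-5-21-1-2-3-{s}", "creator_sid": f"S-1-5-21-1-2-3-{c}"}
                                      for s, c in [(2001, 1105), (2002, 1105), (2003, 2001)]])
```

The quota of 3 is chosen so that the same caller passes the direct count of step 13.1.2.3 but fails the transitive count of step 13.1.2.4, which is the distinction the two branches exist to make.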