2.2.3.1 Domain Fields

There are a number of domain-related structures that use the same fields, as denoted by their field names. This section specifies all such fields. The structures group the available set of domain attributes in different ways to allow the client to control which attributes are queried or set. Although each structure can have a different subset of these attributes, they all draw from this same set of attributes, detailed as follows.

AliasCount: A 32-bit unsigned integer indicating the number of alias objects in the domain. This field is read-only.

CreationTime: A 64-bit time stamp, equivalent to a FILETIME, indicating the time of creation for the domain in 100-nanosecond intervals from 12:00 A.M., January 1, 1601 (UTC). This field is read-only.

DomainModifiedCount: A 64-bit update sequence number representing the number of database updates relevant to the Windows NT 4.0 operating system replication protocol. This field is read-only. On the server, the value to return for this field corresponds to the SamNT4ReplicationUSN and BuiltinNT4ReplicationUSN values specified in [MS-ADTS] section 3.1.1.7.1.1.

DomainName: A counted Unicode string of type RPC_UNICODE_STRING, containing the NetBIOS name of the domain. This field is read-only.

DomainServerRole: An enumerated value (see DOMAIN_SERVER_ROLE) indicating the role of the server in the domain. Possible values are Primary Domain Controller (DomainServerRolePrimary) or Backup Domain Controller (DomainServerRoleBackup).

DomainServerState: An enumerated value (see DOMAIN_SERVER_ENABLE_STATE) indicating whether the server is enabled. Possible values are enabled (DomainServerEnabled) or disabled (DomainServerDisabled). This field SHOULD be set to DomainServerEnabled and implementations SHOULD ignore any input to this field.

ForceLogoff: A 64-bit value, with delta time syntax, indicating the policy setting for the amount of time that an interactive logon session is allowed to continue.

GroupCount: A 32-bit unsigned integer indicating the number of group accounts. This field is read-only.

LockoutDuration: A 64-bit value, with delta time syntax, indicating the duration for which an account is locked out before being automatically reset to an unlocked state.

LockoutObservationWindow: A 64-bit value, with delta time syntax, indicating the time period in which failed password attempts are counted without resetting the count to zero.

LockoutThreshold: A 16-bit unsigned integer indicating the number of bad password attempts within a LockoutObservationWindow that will cause an account to be locked out.

MaxPasswordAge: A 64-bit value, with delta time syntax, indicating the policy setting for the maximum time allowed before a password reset or change is required.

MinPasswordAge: A 64-bit value, with delta time syntax, indicating the policy setting for the minimum time allowed before a password change operation is allowed.

MinPasswordLength: A 16-bit unsigned integer indicating the minimum password length policy setting.

ModifiedCountAtLastPromotion: A 64-bit update sequence number representing the number of database updates relevant to the Windows NT 4.0 replication protocol that had occurred at the time when the current server obtained the PDC role (see [MS-ADTS] section 6.1.5.4 for more information on the PDC role). This field is read-only.

OemInformation: A counted Unicode string of type RPC_UNICODE_STRING that clients can set to any value. There are no known scenarios that use this field.

PasswordHistoryLength: A 16-bit unsigned integer indicating the policy setting for the password history length.

PasswordProperties: A 32-bit bit field indicating the password properties policy setting. The defined bits are shown in the following table. All bits can be combined using a logical OR in any combination. Undefined bits SHOULD be persisted by the server (that is, stored in its database) and returned to future queries. Clients SHOULD ignore undefined bits.

| Name | Value | Description |
|------|-------|-------------|
| DOMAIN_PASSWORD_COMPLEX | 0x00000001 | The server enforces password complexity policy. See section 3.1.1.7.2 for details of the password policy. |
| DOMAIN_PASSWORD_NO_ANON_CHANGE | 0x00000002 | Reserved. No effect on password policy. |
| DOMAIN_PASSWORD_NO_CLEAR_CHANGE | 0x00000004 | Change-password methods that provide the cleartext password are disabled by the server. |
| DOMAIN_LOCKOUT_ADMINS | 0x00000008 | Reserved. No effect on password policy. |
| DOMAIN_PASSWORD_STORE_CLEARTEXT | 0x00000010 | The server MUST store the cleartext password, not just the computed hashes. |
| DOMAIN_REFUSE_PASSWORD_CHANGE | 0x00000020 | Reserved. No effect on password policy. |

ReplicaSourceNodeName: A counted Unicode string of type RPC_UNICODE_STRING that contains the NetBIOS name of the primary domain controller (PDC) at the time of upgrade from Windows NT 4.0. The default value is the empty string.

UasCompatibilityRequired: A 1-byte value that, if nonzero, indicates that UAS Compatibility mode is effective; if zero, UAS Compatibility mode is not effective. This field is read-only and the default value is nonzero.

UserCount: A 32-bit unsigned integer indicating the number of user accounts. This field is read-only.
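The following Python sketch is an added example, not part of the specification: it decodes a PasswordProperties value against the table above (keeping undefined bits visible instead of dropping them), and converts the delta-time fields and CreationTime to readable values. The function names are hypothetical, and the delta-time encoding (a signed 64-bit count of 100-nanosecond ticks stored as a negative number, with the most negative value treated as "never") is defined outside this section and is assumed here.

```python
from datetime import datetime, timedelta, timezone

# Bit values copied from the PasswordProperties table in this section.
PASSWORD_PROPERTIES = {
    0x00000001: "DOMAIN_PASSWORD_COMPLEX",
    0x00000002: "DOMAIN_PASSWORD_NO_ANON_CHANGE",   # reserved, no effect
    0x00000004: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x00000008: "DOMAIN_LOCKOUT_ADMINS",            # reserved, no effect
    0x00000010: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x00000020: "DOMAIN_REFUSE_PASSWORD_CHANGE",    # reserved, no effect
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_password_properties(value):
    """Return (names of defined bits that are set, mask of undefined bits)."""
    value &= 0xFFFFFFFF
    names = [name for bit, name in PASSWORD_PROPERTIES.items() if value & bit]
    undefined = value & ~sum(PASSWORD_PROPERTIES) & 0xFFFFFFFF
    return names, undefined

def review_password_properties(value):
    """List the policy-relevant observations a reviewer would record."""
    names, undefined = decode_password_properties(value)
    findings = []
    if "DOMAIN_PASSWORD_STORE_CLEARTEXT" in names:
        findings.append("server stores cleartext passwords")
    if "DOMAIN_PASSWORD_COMPLEX" not in names:
        findings.append("password complexity not enforced")
    if undefined:
        # Clients SHOULD ignore these bits; report them rather than act on them.
        findings.append(f"undefined bits set: 0x{undefined:08X}")
    return findings

def delta_to_timedelta(raw):
    """Convert a delta-time field (ForceLogoff, LockoutDuration, MaxPasswordAge, ...).

    Assumed encoding: negative count of 100-ns ticks; most negative value = never.
    """
    if raw >= 1 << 63:          # reinterpret an unsigned wire value as signed
        raw -= 1 << 64
    if raw == -(1 << 63):
        return None             # assumed "never" sentinel
    return timedelta(microseconds=abs(raw) // 10)

def filetime_to_datetime(ft):
    """Convert CreationTime (100-ns intervals since 1601-01-01 UTC)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)
```
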