3.1.1.13.5 ExpandShadowPrincipal
procedure ExpandShadowPrincipal( InputSids: ARRAY(SID), ExpandedSids: ARRAY(SID), MaxValidityTimeHint: LARGE_INTEGER) : NTSTATUS
InputSids: An array of SIDs to be expanded.
ExpandedSids: Returns the set of expanded SIDs.
MaxValidityTimeHint: Returns the smallest expiration timestamp of all memberships returned in ExpandedSids, or zero if all memberships are persistent.
Return Values: This procedure returns STATUS_SUCCESS ([MS-ERREF] section 2.3.1) to indicate success; otherwise, an NTSTATUS error code.
Note: In the following logical processing, the GUID of the Privileged Access Management optional feature is defined in section 6.1.1.2.4.1.3.2.
Logical Processing:
v, u, w: DSName;
ShadowPrincipalContainer: DSName;
nameSet: set of DSName;
pamFeatureGuid: GUID;

MaxValidityTimeHint := 0;

/* Check if the feature is enabled */
pamFeatureGuid := GUID of the Privileged Access Management optional feature;
if (!IsOptionalFeatureEnabled(DSName of Cross-Ref-Container, pamFeatureGuid))
  ExpandedSids := {};
  MaxValidityTimeHint := 0;
  return STATUS_SUCCESS;
endif

/* Get the name of the shadow principal container */
ShadowPrincipalContainer := "CN=Shadow Principal Configuration,CN=Services,";
ShadowPrincipalContainer := ShadowPrincipalContainer + dc.configNC;

/* Check if each SID is a member of any shadow principals */
foreach v in InputSids
  nameSet := select all w from children ShadowPrincipalContainer
             where (w!member = v) and (w!objectClass = msDS-ShadowPrincipal);
  /* For each shadow principal, add its shadow principal SID to the output */
  foreach u in nameSet
    if (!(u!msDS-ShadowPrincipalSid in ExpandedSids))
      ExpandedSids := ExpandedSids + u!msDS-ShadowPrincipalSid;
    endif
  endfor
endfor

/* Report the earliest expiry among the time-bound memberships, if any */
if ((minimum TTL of all memberships returned in ExpandedSids) > 0)
  MaxValidityTimeHint := (minimum TTL of all memberships returned in ExpandedSids);
endif

return STATUS_SUCCESS;
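The following is an added worked example, not code from the specification or from any Microsoft implementation. It runs the logical processing above over a small in-memory model of the relevant directory state: the optional-feature check is reduced to a set lookup, shadow principal objects carry their msDS-ShadowPrincipalSid and a list of member links, and each link is modelled as (member DN, absolute expiry timestamp or None for a persistent link). All DNs, SIDs and timestamps are constructed for the example; the PAM feature GUID is a placeholder (its value is given in section 6.1.1.2.4.1.3.2), and treating an already-expired TTL link as conferring no membership is an assumption of the example rather than a statement of the specification.

```python
"""Added example: ExpandShadowPrincipal over an in-memory directory model.

Illustrative code only. Directory objects, SIDs, DNs and expiry values are
constructed; the expiry model and the skipping of expired links are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

STATUS_SUCCESS = 0x00000000

# Placeholder for the GUID of the Privileged Access Management optional feature
# (defined in section 6.1.1.2.4.1.3.2); the literal value is not reproduced here.
PAM_FEATURE_GUID = "<PAM optional feature GUID>"
SHADOW_PRINCIPAL_CLASS = "msDS-ShadowPrincipal"


@dataclass
class ShadowPrincipalObject:
    """A child of the Shadow Principal Configuration container."""
    dn: str
    object_class: str
    shadow_sid: Optional[str]  # msDS-ShadowPrincipalSid (None for non-shadow-principal children)
    # member links as (member DN, absolute expiry); None means a persistent link
    members: List[Tuple[str, Optional[int]]] = field(default_factory=list)


@dataclass
class Directory:
    """Minimal stand-in for the DC state the procedure reads."""
    config_nc: str
    enabled_features: Set[str]                   # replaces IsOptionalFeatureEnabled()
    principals: Dict[str, str]                   # member DN -> objectSid
    container_children: List[ShadowPrincipalObject]

    def is_optional_feature_enabled(self, guid: str) -> bool:
        return guid in self.enabled_features

    def shadow_principal_container(self) -> str:
        return "CN=Shadow Principal Configuration,CN=Services," + self.config_nc


def expand_shadow_principal(directory: Directory, input_sids: List[str],
                            now: int) -> Tuple[int, List[str], int]:
    """Return (NTSTATUS, ExpandedSids, MaxValidityTimeHint) per the logical processing."""
    if not directory.is_optional_feature_enabled(PAM_FEATURE_GUID):
        return STATUS_SUCCESS, [], 0          # feature off: nothing expands

    expanded: List[str] = []
    expiries: List[int] = []                   # expiry of every time-bound link that contributed
    for v in input_sids:
        for w in directory.container_children:
            if w.object_class != SHADOW_PRINCIPAL_CLASS or w.shadow_sid is None:
                continue                       # only msDS-ShadowPrincipal objects count
            for member_dn, expiry in w.members:
                if expiry is not None and expiry <= now:
                    continue                   # assumption: expired TTL link confers nothing
                if directory.principals.get(member_dn) != v:
                    continue                   # link does not resolve to this input SID
                if w.shadow_sid not in expanded:
                    expanded.append(w.shadow_sid)
                if expiry is not None:
                    expiries.append(expiry)
    # Zero when every contributing membership is persistent, else the earliest expiry.
    hint = min(expiries) if expiries else 0
    return STATUS_SUCCESS, expanded, hint


# Constructed sample data (not real identifiers).
NOW = 1700000000
ALICE_DN = "CN=alice,CN=Users,DC=bastion,DC=example"
BOB_DN = "CN=bob,CN=Users,DC=bastion,DC=example"
ALICE_SID = "S-1-5-21-1111-2222-3333-1105"
BOB_SID = "S-1-5-21-1111-2222-3333-1106"
PROD_ADMINS_SID = "S-1-5-21-4444-5555-6666-512"
PROD_OPERATORS_SID = "S-1-5-21-4444-5555-6666-549"
STALE_SID = "S-1-5-21-4444-5555-6666-1234"


def build_sample_directory(pam_enabled: bool = True) -> Directory:
    base = "CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=bastion,DC=example"
    return Directory(
        config_nc="CN=Configuration,DC=bastion,DC=example",
        enabled_features={PAM_FEATURE_GUID} if pam_enabled else set(),
        principals={ALICE_DN: ALICE_SID, BOB_DN: BOB_SID},
        container_children=[
            ShadowPrincipalObject(f"CN=Prod Domain Admins,{base}", SHADOW_PRINCIPAL_CLASS,
                                  PROD_ADMINS_SID, [(ALICE_DN, NOW + 3600), (BOB_DN, None)]),
            ShadowPrincipalObject(f"CN=Prod Server Operators,{base}", SHADOW_PRINCIPAL_CLASS,
                                  PROD_OPERATORS_SID, [(ALICE_DN, NOW + 1800)]),
            ShadowPrincipalObject(f"CN=Old Access,{base}", SHADOW_PRINCIPAL_CLASS,
                                  STALE_SID, [(BOB_DN, NOW - 10000)]),   # already expired
            ShadowPrincipalObject(f"CN=Notes,{base}", "container", None, [(ALICE_DN, None)]),
        ],
    )


if __name__ == "__main__":
    d = build_sample_directory()
    for sids in ([ALICE_SID], [BOB_SID], [ALICE_SID, BOB_SID]):
        print(sids, "->", expand_shadow_principal(d, sids, NOW))
    print("feature disabled ->", expand_shadow_principal(build_sample_directory(False), [ALICE_SID], NOW))
```

Running the module shows the three behaviours the procedure defines: alice expands to both shadow principal SIDs with the hint set to the earlier of her two expiries, bob expands to only the persistent membership with a zero hint (his expired link is ignored), and with the optional feature disabled the result is empty regardless of input. A caller that caches the expanded set should treat MaxValidityTimeHint as the point after which the cached result is no longer trustworthy.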