3.1.5.12.2.1 SamrQuerySecurityObject (DC Configuration)

Let Self denote the objectSid attribute value, if any, of the object referenced by ObjectHandle.Object.

Upon receiving this message, the server MUST process the data from the message subject to all of the following constraints:

  1. ObjectHandle.GrantedAccess MUST have the required access specified in the following table, based on the bits contained in the SecurityInformation parameter. On error, the server MUST abort processing and return STATUS_ACCESS_DENIED.

    Security information bits       Required access
    SACL_SECURITY_INFORMATION       ACCESS_SYSTEM_SECURITY
    OWNER_SECURITY_INFORMATION      READ_CONTROL
    GROUP_SECURITY_INFORMATION      READ_CONTROL
    DACL_SECURITY_INFORMATION       READ_CONTROL

  2. The server MUST return, via the SecurityDescriptor parameter, a security descriptor that only contains fields based on the bits contained in the SecurityInformation parameter (the fields of the security descriptor that are not returned are set to zero) and that satisfies all of the following constraints:

    1. The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).

    2. The DACL MUST contain the following specified ACEs:

      If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACEs.

      SID                 Access mask
      WorldSid            SAM_SERVER_EXECUTE | SAM_SERVER_READ
      AdministratorSid    SAM_SERVER_ALL_ACCESS

      Else, if ObjectHandle.Object refers to a domain object, the DACL MUST contain the following ACEs.

      SID                    Access mask
      WorldSid               DOMAIN_EXECUTE | DOMAIN_READ
      AdministratorSid       DOMAIN_ALL_ACCESS
      AccountOperatorsSid    DOMAIN_EXECUTE | DOMAIN_READ | DOMAIN_CREATE_USER | DOMAIN_CREATE_GROUP | DOMAIN_CREATE_ALIAS

      Else, if ObjectHandle.Object refers to a group or alias object that is the Domain Admins group (Domain Admins) or Administrators alias, or a member of Domain Admins or Administrators, the DACL MUST contain the following ACEs.

      SID                 Access mask
      WorldSid            GROUP_EXECUTE | GROUP_READ
      AdministratorSid    GROUP_ALL_ACCESS

      Else, if ObjectHandle.Object refers to any group object that does not satisfy the previous condition, the DACL MUST contain the following ACEs.

      SID                    Access mask
      WorldSid               GROUP_EXECUTE | GROUP_READ
      AdministratorSid       GROUP_ALL_ACCESS
      AccountOperatorsSid    GROUP_ALL_ACCESS

      Else, if ObjectHandle.Object refers to any alias object that does not satisfy the previous condition, the DACL MUST contain the following ACEs.

      SID                    Access mask
      WorldSid               ALIAS_EXECUTE | ALIAS_READ
      AdministratorSid       ALIAS_ALL_ACCESS
      AccountOperatorsSid    ALIAS_ALL_ACCESS

      Else, if ObjectHandle.Object refers to a user object that is a member of Domain Admins or Administrators, the DACL MUST contain the following ACEs.

      SID                                                    Access mask
      WorldSid                                               USER_EXECUTE | USER_READ
      AdministratorSid                                       USER_ALL_ACCESS
      The SID of the user referenced by ObjectHandle.Object  USER_WRITE

      Else, if ObjectHandle.Object refers to a user object whose ntSecurityDescriptor does not grant Self or World the User-Change-Password control access right ([MS-ADTS] section 5.1.3.2.1), the DACL MUST contain the following ACEs.

      SID                                                    Access mask
      WorldSid                                               USER_EXECUTE | USER_READ | ~USER_CHANGE_PASSWORD
      AdministratorSid                                       USER_ALL_ACCESS
      AccountOperatorsSid                                    USER_ALL_ACCESS
      The SID of the user referenced by ObjectHandle.Object  USER_WRITE | ~USER_CHANGE_PASSWORD

      Otherwise, the DACL MUST contain the following ACEs.

      SID                                                    Access mask
      WorldSid                                               USER_EXECUTE | USER_READ
      AdministratorSid                                       USER_ALL_ACCESS
      AccountOperatorsSid                                    USER_ALL_ACCESS
      The SID of the user referenced by ObjectHandle.Object  USER_WRITE
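The access check in step 1 and the three user-object branches of step 2, worked through as an added Python model of the server-side logic (not code from the specification or from any SAM implementation). The numeric SAM user access masks and the well-known SIDs used for WorldSid and AccountOperatorsSid are assumed from the MS-SAMR definitions rather than given on this page, and the user SIDs passed in are constructed; the '| ~USER_CHANGE_PASSWORD' notation is read as "with that bit cleared".

```python
READ_CONTROL = 0x00020000            # standard right (winnt.h)
ACCESS_SYSTEM_SECURITY = 0x01000000  # needed to read a SACL
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8
# SAM user access masks; values assumed from the MS-SAMR common access-mask tables.
USER_CHANGE_PASSWORD = 0x00000040
USER_READ = 0x0002031A
USER_WRITE = 0x00020044
USER_EXECUTE = 0x00020041
USER_ALL_ACCESS = 0x000F07FF
# Well-known SIDs (assumed for WorldSid / AdministratorSid / AccountOperatorsSid).
WORLD_SID, ADMINISTRATORS_SID, ACCOUNT_OPERATORS_SID = "S-1-1-0", "S-1-5-32-544", "S-1-5-32-548"
SUCCESS, ACCESS_DENIED = "STATUS_SUCCESS", "STATUS_ACCESS_DENIED"

def required_access(security_information):
    """Step 1: rights the handle must already hold for the requested SD parts."""
    need = 0
    if security_information & SACL_SECURITY_INFORMATION:
        need |= ACCESS_SYSTEM_SECURITY
    if security_information & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
                               | DACL_SECURITY_INFORMATION):
        need |= READ_CONTROL
    return need

def user_dacl(user_sid, admin_member, self_or_world_may_change_pw):
    """Step 2.2, user-object branches, as (SID, access mask) ACEs in spec order."""
    if admin_member:  # member of Domain Admins or Administrators: no AccountOperators ACE
        return [(WORLD_SID, USER_EXECUTE | USER_READ), (ADMINISTRATORS_SID, USER_ALL_ACCESS),
                (user_sid, USER_WRITE)]
    # '| ~USER_CHANGE_PASSWORD' in the spec is read as "with that bit cleared".
    strip = ~USER_CHANGE_PASSWORD if not self_or_world_may_change_pw else ~0
    return [(WORLD_SID, (USER_EXECUTE | USER_READ) & strip), (ADMINISTRATORS_SID, USER_ALL_ACCESS),
            (ACCOUNT_OPERATORS_SID, USER_ALL_ACCESS), (user_sid, USER_WRITE & strip)]

def query_security_object(granted_access, security_information, user_sid,
                          admin_member=False, self_or_world_may_change_pw=True):
    """SamrQuerySecurityObject for a user-object handle on a DC: returns (status, SD)."""
    need = required_access(security_information)
    if (granted_access & need) != need:
        return ACCESS_DENIED, None          # abort before building anything
    sd = {"Owner": None, "Group": None, "Dacl": None, "Sacl": None}  # unrequested = zero
    if security_information & OWNER_SECURITY_INFORMATION:
        sd["Owner"] = ADMINISTRATORS_SID
    if security_information & GROUP_SECURITY_INFORMATION:
        sd["Group"] = ADMINISTRATORS_SID
    if security_information & DACL_SECURITY_INFORMATION:
        sd["Dacl"] = user_dacl(user_sid, admin_member, self_or_world_may_change_pw)
    return SUCCESS, sd  # SACL content is not specified by this section, so it stays zero
```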