3.1.5.12.1.1 SamrSetSecurityObject (DC Configuration)

Upon receiving this message, the server MUST process the data from the message subject to all of the following constraints:

  1. The access control specified in SecurityDescriptor MUST be a valid security descriptor containing simple ACEs; otherwise the server MUST return an error status. [MS-DTYP] section 2.4.6 contains the specification for a valid security descriptor. On error, the server MUST abort processing and return an error.

  2. ObjectHandle.GrantedAccess MUST have the required access specified in the following table, based on the set bits in the SecurityInformation parameter. The server MUST ignore set bits in SecurityInformation that are not specified in the table. On error, the server MUST abort processing and return STATUS_ACCESS_DENIED.

    Security information bits     Required access
    -------------------------     ---------------
    SACL_SECURITY_INFORMATION     ACCESS_SYSTEM_SECURITY
    OWNER_SECURITY_INFORMATION    WRITE_OWNER
    GROUP_SECURITY_INFORMATION    WRITE_OWNER
    DACL_SECURITY_INFORMATION     WRITE_DAC

  3. If the DACL_SECURITY_INFORMATION bit is set in SecurityInformation, the server MUST determine whether the DACL of SecurityDescriptor of the input message matches one of the following DACLs. The ordering of the ACEs is not relevant. Let Self denote the SID of the user object referenced by ObjectHandle.Object.

    • DACL a.

      SID                   Access mask
      ---                   -----------
      WorldSid              USER_EXECUTE | USER_READ
      AdministratorSid      USER_ALL_ACCESS
      AccountOperatorsSid   USER_ALL_ACCESS
      Self                  USER_WRITE

    • DACL b.

      SID                   Access mask
      ---                   -----------
      WorldSid              (USER_EXECUTE | USER_READ) & ~USER_CHANGE_PASSWORD
      AdministratorSid      USER_ALL_ACCESS
      AccountOperatorsSid   USER_ALL_ACCESS
      Self                  USER_WRITE & ~USER_CHANGE_PASSWORD

    • DACL c.

      SID                   Access mask
      ---                   -----------
      WorldSid              (USER_EXECUTE | USER_READ) & ~USER_CHANGE_PASSWORD
      AdministratorSid      USER_ALL_ACCESS
      AccountOperatorsSid   USER_ALL_ACCESS

    • DACL d.

      SID                   Access mask
      ---                   -----------
      WorldSid              USER_EXECUTE | USER_READ
      AdministratorSid      USER_ALL_ACCESS
      Self                  USER_WRITE

  4. If there is no match from the preceding constraint, the server MUST silently ignore the request by aborting processing and returning 0.

  5. If the matching DACL grants USER_CHANGE_PASSWORD to World, the server MUST update the ntSecurityDescriptor attribute for the target user such that the target user has the ability to change his or her password; otherwise, the server MUST update the ntSecurityDescriptor attribute for the target user such that the target does not have the ability to change his or her password. For an example of how to do this, see the following citation in Appendix B: Product Behavior.<68>
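The following Python model walks constraints 2 through 5 above as one piece of logic: the required-access lookup for each SecurityInformation bit, the order-independent comparison of the incoming DACL against the four recognised DACLs, and the resulting decision about whether the target user may change his or her own password. It is an added example written for this page, not reference code from the protocol or from any implementation. The numeric values of the access-mask constants, the well-known SIDs (World S-1-1-0, Administrators S-1-5-32-544, Account Operators S-1-5-32-548) and the `<Self>` placeholder are assumptions taken from the public SAM and security-descriptor definitions; the page itself only names them. The page does not say what happens when DACL_SECURITY_INFORMATION is not set, so the model stops after the access check in that case.

```python
"""Model of the SamrSetSecurityObject (DC) constraints 2-5.

Added example, not the protocol's own code. Numeric constant values are
assumed from the public SAM / security-descriptor definitions (verify
against MS-SAMR 2.2.1.7 and MS-DTYP 2.4.3 before relying on them).
"""

# Standard rights (MS-DTYP ACCESS_MASK), values assumed from public headers
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
ACCESS_SYSTEM_SECURITY = 0x01000000
STANDARD_RIGHTS_REQUIRED = 0x000F0000

# SECURITY_INFORMATION bits (values assumed from public headers)
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8

# User-object specific rights (MS-SAMR user ACCESS_MASK; values assumed)
USER_READ_GENERAL = 0x001
USER_READ_PREFERENCES = 0x002
USER_WRITE_PREFERENCES = 0x004
USER_READ_LOGON = 0x008
USER_READ_ACCOUNT = 0x010
USER_WRITE_ACCOUNT = 0x020
USER_CHANGE_PASSWORD = 0x040
USER_LIST_GROUPS = 0x100
USER_READ_GROUP_INFORMATION = 0x200

USER_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | 0x7FF
USER_READ = (READ_CONTROL | USER_READ_PREFERENCES | USER_READ_LOGON
             | USER_READ_ACCOUNT | USER_LIST_GROUPS | USER_READ_GROUP_INFORMATION)
USER_WRITE = READ_CONTROL | USER_WRITE_PREFERENCES | USER_WRITE_ACCOUNT | USER_CHANGE_PASSWORD
USER_EXECUTE = READ_CONTROL | USER_READ_GENERAL | USER_CHANGE_PASSWORD

WORLD_SID = "S-1-1-0"
ADMINISTRATORS_SID = "S-1-5-32-544"
ACCOUNT_OPERATORS_SID = "S-1-5-32-548"
SELF = "<Self>"  # placeholder, replaced by the SID of the target user object

# Constraint 2: access the handle must already hold for each requested part.
REQUIRED_ACCESS = {
    SACL_SECURITY_INFORMATION: ACCESS_SYSTEM_SECURITY,
    OWNER_SECURITY_INFORMATION: WRITE_OWNER,
    GROUP_SECURITY_INFORMATION: WRITE_OWNER,
    DACL_SECURITY_INFORMATION: WRITE_DAC,
}


def required_access(security_information):
    """Union of rights needed for the set bits; bits not in the table are ignored."""
    needed = 0
    for bit, right in REQUIRED_ACCESS.items():
        if security_information & bit:
            needed |= right
    return needed


def handle_has_required_access(granted_access, security_information):
    needed = required_access(security_information)
    return granted_access & needed == needed


# Constraint 3: the four recognised DACLs, each as a set of simple (SID, mask) ACEs.
_WORLD_NO_PW = (USER_EXECUTE | USER_READ) & ~USER_CHANGE_PASSWORD
DACL_TEMPLATES = {
    "a": {(WORLD_SID, USER_EXECUTE | USER_READ), (ADMINISTRATORS_SID, USER_ALL_ACCESS),
          (ACCOUNT_OPERATORS_SID, USER_ALL_ACCESS), (SELF, USER_WRITE)},
    "b": {(WORLD_SID, _WORLD_NO_PW), (ADMINISTRATORS_SID, USER_ALL_ACCESS),
          (ACCOUNT_OPERATORS_SID, USER_ALL_ACCESS), (SELF, USER_WRITE & ~USER_CHANGE_PASSWORD)},
    "c": {(WORLD_SID, _WORLD_NO_PW), (ADMINISTRATORS_SID, USER_ALL_ACCESS),
          (ACCOUNT_OPERATORS_SID, USER_ALL_ACCESS)},
    "d": {(WORLD_SID, USER_EXECUTE | USER_READ), (ADMINISTRATORS_SID, USER_ALL_ACCESS),
          (SELF, USER_WRITE)},
}


def match_dacl(dacl_aces, self_sid):
    """Return the template label the DACL matches, ignoring ACE order, else None."""
    given = {(sid, mask) for sid, mask in dacl_aces}
    for label, template in DACL_TEMPLATES.items():
        expected = {(self_sid if sid == SELF else sid, mask) for sid, mask in template}
        if given == expected:
            return label
    return None


def set_security_object(granted_access, security_information, dacl_aces, self_sid):
    """Return (status, effect) for a request; effect is None when nothing is changed."""
    if not handle_has_required_access(granted_access, security_information):
        return ("STATUS_ACCESS_DENIED", None)            # constraint 2
    if not security_information & DACL_SECURITY_INFORMATION:
        return ("STATUS_SUCCESS", None)                  # page specifies no DACL work here
    if match_dacl(dacl_aces, self_sid) is None:
        return ("STATUS_SUCCESS", "ignored")             # constraint 4: silently ignore, return 0
    world_mask = next(mask for sid, mask in dacl_aces if sid == WORLD_SID)
    if world_mask & USER_CHANGE_PASSWORD:                # constraint 5
        return ("STATUS_SUCCESS", "user-can-change-password")
    return ("STATUS_SUCCESS", "user-cannot-change-password")
```

Because the templates are compared as sets, an incoming DACL that carries the same ACEs in any order matches, while one with an extra or missing ACE falls through to the silent-ignore path of constraint 4 rather than being partially applied.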