3.1.5.1.5 SamrOpenDomain (Opnum 7)
The SamrOpenDomain method obtains a handle to a domain object, given a SID.
long SamrOpenDomain(
    [in] SAMPR_HANDLE ServerHandle,
    [in] unsigned long DesiredAccess,
    [in] PRPC_SID DomainId,
    [out] SAMPR_HANDLE* DomainHandle
);
ServerHandle: An RPC context handle, as specified in section 2.2.7.2, representing a server object.
DesiredAccess: An ACCESS_MASK. See section 2.2.1.4 for a list of domain access values.
DomainId: A SID value of a domain hosted by the server side of this protocol.
DomainHandle: An RPC context handle, as specified in section 2.2.7.2.
This protocol asks the RPC runtime, via the strict_context_handle attribute, to reject the use of context handles created by a method of a different RPC interface than this one, as specified in [MS-RPCE] section 3.
Upon receiving this message, the server MUST process the data from the message subject to the following constraints in no particular order:
The server MUST return an error if ServerHandle.HandleType is not equal to "Server".
ServerHandle.GrantedAccess MUST have the required access specified in section 3.1.2.2. Otherwise, the server MUST return STATUS_ACCESS_DENIED.
The server MUST translate the following bits in DesiredAccess according to the following table. Translate means to remove the "Incoming bit" and replace with the "Translated bits", as follows.
| Incoming bit    | Translated bits   |
|-----------------|-------------------|
| GENERIC_READ    | DOMAIN_READ       |
| GENERIC_WRITE   | DOMAIN_WRITE      |
| GENERIC_EXECUTE | DOMAIN_EXECUTE    |
| GENERIC_ALL     | DOMAIN_ALL_ACCESS |
Let D be the domain object whose objectSid is DomainId. If no such object exists, the server MUST return an error code.
Let GrantedAccess be the union of all bits in the "DesiredAccess" column in the following table where the client has the specified access (shown in the "Access mask" column) on the ntSecurityDescriptor on D. A missing value in the "Object ACE type" column means that the access mask applies to the entire object. [MS-ADTS] section 5.1.3.3.3 specifies how to determine the client's access.
| DesiredAccess | Access mask | Object ACE type |
|---|---|---|
| DOMAIN_READ_PASSWORD_PARAMETERS | ACTRL_DS_READ_PROP | c7407360-20bf-11d0-a768-00aa006e0529 |
| DOMAIN_WRITE_PASSWORD_PARAMS | ACTRL_DS_WRITE_PROP | c7407360-20bf-11d0-a768-00aa006e0529 |
| DOMAIN_READ_OTHER_PARAMETERS | ACTRL_DS_READ_PROP | b8119fd0-04f6-4762-ab7a-4986c76b3f9a |
| DOMAIN_WRITE_OTHER_PARAMETERS | ACTRL_DS_WRITE_PROP | b8119fd0-04f6-4762-ab7a-4986c76b3f9a |
| DOMAIN_CREATE_USER | Always grant, if DOMAIN_CREATE_USER is requested or if MAXIMUM_ALLOWED is present. | |
| DOMAIN_CREATE_GROUP | Always grant, if DOMAIN_CREATE_GROUP is requested or if MAXIMUM_ALLOWED is present. The default security descriptor for a non-DC configuration's domain object does not grant DOMAIN_CREATE_GROUP to any security context. | |
| DOMAIN_CREATE_ALIAS | Always grant, if DOMAIN_CREATE_ALIAS is requested or if MAXIMUM_ALLOWED is present. | |
| DOMAIN_LIST_ACCOUNTS | ACTRL_DS_LIST | |
| DOMAIN_LOOKUP | ACTRL_DS_LIST | |
| DOMAIN_ADMINISTER_SERVER | ACTRL_DS_CONTROL_ACCESS | ab721a52-1e2f-11d0-9819-00aa0040529b |
| ACCESS_SYSTEM_SECURITY | ACCESS_SYSTEM_SECURITY | |
| WRITE_OWNER | WRITE_OWNER | |
| WRITE_DAC | WRITE_DAC | |
| DELETE | DELETE | |
If GrantedAccess is 0, the server MUST return STATUS_ACCESS_DENIED.
If DesiredAccess contains the MAXIMUM_ALLOWED bit, the server MUST create and return a SamContextHandle (section 3.1.1.10) via DomainHandle with its fields initialized as follows:
SamContextHandle.HandleType = "Domain"
SamContextHandle.Object = D
SamContextHandle.GrantedAccess = GrantedAccess
If DesiredAccess does not contain the MAXIMUM_ALLOWED bit, the following constraint MUST be satisfied:
If DesiredAccess contains bits not in GrantedAccess, the server MUST return STATUS_ACCESS_DENIED. Otherwise, the server MUST create and return a SamContextHandle (section 3.1.1.10) via DomainHandle with its fields initialized as follows:
SamContextHandle.HandleType = "Domain"
SamContextHandle.Object = D
SamContextHandle.GrantedAccess = DesiredAccess
If any processing error occurred, the server MUST return that error. Otherwise, the server MUST return STATUS_SUCCESS to the client.
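The access computation above, as an added Python model that is not part of the specification or of any SAM implementation: the first table drives translate_generic and the second drives open_domain_access. has_right is an assumed callback standing in for the [MS-ADTS] section 5.1.3.3.3 evaluation of D's ntSecurityDescriptor, and the numeric bit values are taken from MS-SAMR section 2.2.1.4 rather than from this page.

```python
# Bit values are assumed from MS-SAMR 2.2.1.4 and the standard ACCESS_MASK; this page names the
# bits but does not list their values.
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = 0x80000000, 0x40000000, 0x20000000, 0x10000000
MAXIMUM_ALLOWED, ACCESS_SYSTEM_SECURITY = 0x02000000, 0x01000000
WRITE_OWNER, WRITE_DAC, READ_CONTROL, DELETE = 0x80000, 0x40000, 0x20000, 0x10000
(DOMAIN_READ_PASSWORD_PARAMETERS, DOMAIN_WRITE_PASSWORD_PARAMS, DOMAIN_READ_OTHER_PARAMETERS,
 DOMAIN_WRITE_OTHER_PARAMETERS, DOMAIN_CREATE_USER, DOMAIN_CREATE_GROUP, DOMAIN_CREATE_ALIAS,
 DOMAIN_GET_ALIAS_MEMBERSHIP, DOMAIN_LIST_ACCOUNTS, DOMAIN_LOOKUP, DOMAIN_ADMINISTER_SERVER,
 ) = tuple(1 << i for i in range(11))
DOMAIN_READ = READ_CONTROL | DOMAIN_GET_ALIAS_MEMBERSHIP
DOMAIN_EXECUTE = (READ_CONTROL | DOMAIN_READ_PASSWORD_PARAMETERS | DOMAIN_READ_OTHER_PARAMETERS
                  | DOMAIN_LIST_ACCOUNTS | DOMAIN_LOOKUP)
DOMAIN_WRITE = (READ_CONTROL | DOMAIN_WRITE_PASSWORD_PARAMS | DOMAIN_WRITE_OTHER_PARAMETERS | DOMAIN_CREATE_USER
                | DOMAIN_CREATE_GROUP | DOMAIN_CREATE_ALIAS | DOMAIN_ADMINISTER_SERVER)
DOMAIN_ALL_ACCESS = 0x000F07FF
GENERIC_MAP = {GENERIC_READ: DOMAIN_READ, GENERIC_WRITE: DOMAIN_WRITE,
               GENERIC_EXECUTE: DOMAIN_EXECUTE, GENERIC_ALL: DOMAIN_ALL_ACCESS}

PW_GUID, OTHER_GUID = "c7407360-20bf-11d0-a768-00aa006e0529", "b8119fd0-04f6-4762-ab7a-4986c76b3f9a"
ADMIN_GUID = "ab721a52-1e2f-11d0-9819-00aa0040529b"
# Second table on the page: SAM bit -> (right checked on D's ntSecurityDescriptor, object ACE type).
ACL_ROWS = [
    (DOMAIN_READ_PASSWORD_PARAMETERS, "ACTRL_DS_READ_PROP", PW_GUID),
    (DOMAIN_WRITE_PASSWORD_PARAMS, "ACTRL_DS_WRITE_PROP", PW_GUID),
    (DOMAIN_READ_OTHER_PARAMETERS, "ACTRL_DS_READ_PROP", OTHER_GUID),
    (DOMAIN_WRITE_OTHER_PARAMETERS, "ACTRL_DS_WRITE_PROP", OTHER_GUID),
    (DOMAIN_LIST_ACCOUNTS, "ACTRL_DS_LIST", None), (DOMAIN_LOOKUP, "ACTRL_DS_LIST", None),
    (DOMAIN_ADMINISTER_SERVER, "ACTRL_DS_CONTROL_ACCESS", ADMIN_GUID),
    (ACCESS_SYSTEM_SECURITY, "ACCESS_SYSTEM_SECURITY", None), (WRITE_OWNER, "WRITE_OWNER", None),
    (WRITE_DAC, "WRITE_DAC", None), (DELETE, "DELETE", None),
]
ALWAYS_GRANT = DOMAIN_CREATE_USER | DOMAIN_CREATE_GROUP | DOMAIN_CREATE_ALIAS  # no ACE check for these

def translate_generic(desired):
    """Replace each GENERIC_* bit with the DOMAIN_* bits from the first table on the page."""
    for generic, specific in GENERIC_MAP.items():
        if desired & generic:
            desired = (desired & ~generic) | specific
    return desired

def open_domain_access(desired, has_right):
    """Return (status, SamContextHandle.GrantedAccess) for a SamrOpenDomain DesiredAccess.
    has_right(right, guid) is an assumed stand-in for the [MS-ADTS] 5.1.3.3.3 check on D."""
    desired = translate_generic(desired)
    granted = sum(bit for bit, right, guid in ACL_ROWS if has_right(right, guid))  # distinct bits: sum == OR
    granted |= ALWAYS_GRANT if desired & MAXIMUM_ALLOWED else desired & ALWAYS_GRANT
    if granted == 0:
        return "STATUS_ACCESS_DENIED", 0
    if desired & MAXIMUM_ALLOWED:
        return "STATUS_SUCCESS", granted  # handle carries everything the client can have
    if desired & ~granted:
        return "STATUS_ACCESS_DENIED", 0  # any unsatisfied requested bit fails the whole call
    return "STATUS_SUCCESS", desired  # handle carries exactly the requested bits
```

Note that a MAXIMUM_ALLOWED request can never be denied, because the three DOMAIN_CREATE_* bits are granted without any ACE check.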