3.1.5.1.5 SamrOpenDomain (Opnum 7)

The SamrOpenDomain method obtains a handle to a domain object, given a SID.

 long SamrOpenDomain(
   [in] SAMPR_HANDLE ServerHandle,
   [in] unsigned long DesiredAccess,
   [in] PRPC_SID DomainId,
   [out] SAMPR_HANDLE* DomainHandle
 );

ServerHandle: An RPC context handle, as specified in section 2.2.7.2, representing a server object.

DesiredAccess: An ACCESS_MASK. See section 2.2.1.4 for a list of domain access values.

DomainId: A SID value of a domain hosted by the server side of this protocol.

DomainHandle: An RPC context handle, as specified in section 2.2.7.2.

This protocol asks the RPC runtime, via the strict_context_handle attribute, to reject the use of context handles created by a method of a different RPC interface than this one, as specified in [MS-RPCE] section 3.

Upon receiving this message, the server MUST process the data from the message subject to the following constraints in no particular order:

  1. The server MUST return an error if ServerHandle.HandleType is not equal to "Server".

  2. ServerHandle.GrantedAccess MUST have the required access specified in section 3.1.2.2. Otherwise, the server MUST return STATUS_ACCESS_DENIED.

  3. The server MUST translate the following bits in DesiredAccess according to the following table. Translate means to remove the "Incoming bit" and replace with the "Translated bits", as follows.

    Incoming bit

    Translated bits

    GENERIC_READ

    DOMAIN_READ

    GENERIC_WRITE

    DOMAIN_WRITE

    GENERIC_EXECUTE

    DOMAIN_EXECUTE

    GENERIC_ALL

    DOMAIN_ALL_ACCESS

  4. Let D be the domain object whose objectSid is DomainId. If no such object exists, the server MUST return an error code.

  5. Let GrantedAccess be the union of all bits in the "DesiredAccess" column in the following table where the client has the specified access (shown in the "Access mask" column) on the ntSecurityDescriptor on D. A missing value in the "Object ACE type" column means that the access mask applies to the entire object. [MS-ADTS] section 5.1.3.3.3 specifies how to determine the client's access.

    DesiredAccess

    Access mask

    Object ACE type

    DOMAIN_READ_PASSWORD_PARAMETERS

    ACTRL_DS_READ_PROP

    c7407360-20bf-11d0-a768-00aa006e0529

    DOMAIN_WRITE_PASSWORD_PARAMS

    ACTRL_DS_WRITE_PROP

    c7407360-20bf-11d0-a768-00aa006e0529

    DOMAIN_READ_OTHER_PARAMETERS

    ACTRL_DS_READ_PROP

    b8119fd0-04f6-4762-ab7a-4986c76b3f9a

    DOMAIN_WRITE_OTHER_PARAMETERS

    ACTRL_DS_WRITE_PROP

    b8119fd0-04f6-4762-ab7a-4986c76b3f9a

    DOMAIN_CREATE_USER

    Always grant, if DOMAIN_CREATE_USER is requested or if MAXIMUM_ALLOWED is present.

    DOMAIN_CREATE_GROUP

    Always grant, if DOMAIN_CREATE_GROUP is requested or if MAXIMUM_ALLOWED is present. The default security descriptor for a non-DC configuration's domain object does not grant DOMAIN_CREATE_GROUP to any security context.

    DOMAIN_CREATE_ALIAS

    Always grant, if DOMAIN_CREATE_ALIAS is requested or if MAXIMUM_ALLOWED is present.

    DOMAIN_LIST_ACCOUNTS

    ACTRL_DS_LIST

    DOMAIN_LOOKUP

    ACTRL_DS_LIST

    DOMAIN_ADMINISTER_SERVER

    ACTRL_DS_CONTROL_ACCESS

    ab721a52-1e2f-11d0-9819-00aa0040529b

    ACCESS_SYSTEM_SECURITY

    ACCESS_SYSTEM_SECURITY

    WRITE_OWNER

    WRITE_OWNER

    WRITE_DAC

    WRITE_DAC

    DELETE

    DELETE

  6. If GrantedAccess is 0, the server MUST return STATUS_ACCESS_DENIED.

  7. If DesiredAccess contains the MAXIMUM_ALLOWED bit, the server MUST create and return a SamContextHandle (section 3.1.1.10) via DomainHandle with its fields initialized as follows:

    • SamContextHandle.HandleType = "Domain"

    • SamContextHandle.Object = D

    • SamContextHandle.GrantedAccess = GrantedAccess

  8. If DesiredAccess does not contain the MAXIMUM_ALLOWED bit, the following constraint MUST be satisfied:

    1. If DesiredAccess contains bits not in GrantedAccess, the server MUST return STATUS_ACCESS_DENIED. Otherwise, the server MUST create and return a SamContextHandle (section 3.1.1.10) via DomainHandle with its fields initialized as follows:

      • SamContextHandle.HandleType = "Domain"

      • SamContextHandle.Object = D

      • SamContextHandle.GrantedAccess = DesiredAccess

  9. If any processing error occurred, the server MUST return that error. Otherwise, the server MUST return STATUS_SUCCESS to the client.