3.1.5.6.4.2 UserAllInformation (Common)

The server MUST process the message subject to the following constraints on the SAMPR_USER_ALL_INFORMATION message parameter:

  1. If the WhichFields field is 0 or contains any of the following bits, the server MUST abort and return an error.

    Bit
    USER_ALL_USERID
    USER_ALL_PASSWORDCANCHANGE
    USER_ALL_PASSWORDMUSTCHANGE
    USER_ALL_UNDEFINED_MASK
    USER_ALL_LASTLOGON
    USER_ALL_LASTLOGOFF
    USER_ALL_BADPASSWORDCOUNT
    USER_ALL_LOGONCOUNT
    USER_ALL_PASSWORDLASTSET
    USER_ALL_SECURITYDESCRIPTOR
    USER_ALL_PRIVATEDATA

  2. The UserHandle MUST be granted the following access based on the value of the WhichFields field.

    WhichFields                     Required access
    USER_ALL_USERNAME               USER_WRITE_ACCOUNT
    USER_ALL_FULLNAME               USER_WRITE_ACCOUNT
    USER_ALL_PRIMARYGROUPID         USER_WRITE_ACCOUNT
    USER_ALL_HOMEDIRECTORY          USER_WRITE_ACCOUNT
    USER_ALL_HOMEDIRECTORYDRIVE     USER_WRITE_ACCOUNT
    USER_ALL_SCRIPTPATH             USER_WRITE_ACCOUNT
    USER_ALL_PROFILEPATH            USER_WRITE_ACCOUNT
    USER_ALL_ADMINCOMMENT           USER_WRITE_ACCOUNT
    USER_ALL_WORKSTATIONS           USER_WRITE_ACCOUNT
    USER_ALL_LOGONHOURS             USER_WRITE_ACCOUNT
    USER_ALL_ACCOUNTEXPIRES         USER_WRITE_ACCOUNT
    USER_ALL_USERACCOUNTCONTROL     USER_WRITE_ACCOUNT
    USER_ALL_PARAMETERS             USER_WRITE_ACCOUNT
    USER_ALL_USERCOMMENT            USER_WRITE_PREFERENCES
    USER_ALL_COUNTRYCODE            USER_WRITE_PREFERENCES
    USER_ALL_CODEPAGE               USER_WRITE_PREFERENCES
    USER_ALL_NTPASSWORDPRESENT      USER_FORCE_PASSWORD_CHANGE
    USER_ALL_LMPASSWORDPRESENT      USER_FORCE_PASSWORD_CHANGE
    USER_ALL_PASSWORDEXPIRED        USER_FORCE_PASSWORD_CHANGE

  3. The server MUST update the corresponding database attributes for each bit that is present in the WhichFields field. In addition, the server MUST enforce that the client has ACTRL_DS_READ_PROP access to the database attribute being updated, according to the UserHandle passed into the method. Section 2.2.1.8 specifies a WhichFields-to-field mapping, and section 3.1.5.14.11 specifies a field-to-database-attribute mapping.

  4. If the USER_ALL_USERACCOUNTCONTROL bit is present in the WhichFields field, the server MUST:

    1. Enforce that the client has ACTRL_DS_READ_PROP access to the database attribute of userAccountControl, according to the UserHandle.GrantedAccess passed into the method.

    2. Translate the bits according to the table in section 3.1.5.14.2. If a bit does not translate, abort with a processing error.

    3. Update the userAccountControl attribute in the database.

  5. If the USER_ALL_PASSWORDEXPIRED flag is present in the WhichFields field, the server MUST:

    1. If Buffer.All.PasswordExpired is nonzero, then:

      • Update the pwdLastSet with a value of 0.

    2. If Buffer.All.PasswordExpired is 0 and the value of the current time minus the pwdLastSet attribute is greater than the Effective-MaximumPasswordAge (see section 3.1.1.5), then:

      • Update the pwdLastSet attribute with a value of the current time.

    3. Enforce that this update to pwdLastSet MUST take precedence over any other writes to this attribute during the message processing and associated triggers.
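The following is an added illustration of constraints 1, 2 and 5 above as a server-side validator; it is not part of the specification text. The USER_ALL_* bit values and the USER_WRITE_ACCOUNT, USER_WRITE_PREFERENCES and USER_FORCE_PASSWORD_CHANGE access masks are taken from MS-SAMR section 2.2.1.8 and the USER access-mask definitions rather than from this page, and times are treated as plain integers in a common unit (an assumption for the example).

```python
USER_ALL = {  # WhichFields bit values per MS-SAMR section 2.2.1.8 (not listed on this page)
    "USERNAME": 0x1, "FULLNAME": 0x2, "USERID": 0x4, "PRIMARYGROUPID": 0x8,
    "ADMINCOMMENT": 0x10, "USERCOMMENT": 0x20, "HOMEDIRECTORY": 0x40,
    "HOMEDIRECTORYDRIVE": 0x80, "SCRIPTPATH": 0x100, "PROFILEPATH": 0x200,
    "WORKSTATIONS": 0x400, "LASTLOGON": 0x800, "LASTLOGOFF": 0x1000,
    "LOGONHOURS": 0x2000, "BADPASSWORDCOUNT": 0x4000, "LOGONCOUNT": 0x8000,
    "PASSWORDCANCHANGE": 0x10000, "PASSWORDMUSTCHANGE": 0x20000,
    "PASSWORDLASTSET": 0x40000, "ACCOUNTEXPIRES": 0x80000,
    "USERACCOUNTCONTROL": 0x100000, "PARAMETERS": 0x200000,
    "COUNTRYCODE": 0x400000, "CODEPAGE": 0x800000, "NTPASSWORDPRESENT": 0x1000000,
    "LMPASSWORDPRESENT": 0x2000000, "PRIVATEDATA": 0x4000000,
    "PASSWORDEXPIRED": 0x8000000, "SECURITYDESCRIPTOR": 0x10000000,
    "UNDEFINED_MASK": 0xC0000000,
}
# UserHandle.GrantedAccess bits (USER access mask values, not listed on this page).
USER_WRITE_ACCOUNT, USER_WRITE_PREFERENCES, USER_FORCE_PASSWORD_CHANGE = 0x20, 0x4, 0x80

# Constraint 1: any of these bits in WhichFields aborts the request.
REJECTED = {USER_ALL[n] for n in (
    "USERID", "PASSWORDCANCHANGE", "PASSWORDMUSTCHANGE", "UNDEFINED_MASK", "LASTLOGON",
    "LASTLOGOFF", "BADPASSWORDCOUNT", "LOGONCOUNT", "PASSWORDLASTSET",
    "SECURITYDESCRIPTOR", "PRIVATEDATA")}
# Constraint 2: WhichFields bit -> access the UserHandle must already have been granted.
REQUIRED = {USER_ALL[n]: USER_WRITE_ACCOUNT for n in (
    "USERNAME", "FULLNAME", "PRIMARYGROUPID", "HOMEDIRECTORY", "HOMEDIRECTORYDRIVE",
    "SCRIPTPATH", "PROFILEPATH", "ADMINCOMMENT", "WORKSTATIONS", "LOGONHOURS",
    "ACCOUNTEXPIRES", "USERACCOUNTCONTROL", "PARAMETERS")}
REQUIRED.update({USER_ALL[n]: USER_WRITE_PREFERENCES for n in ("USERCOMMENT", "COUNTRYCODE", "CODEPAGE")})
REQUIRED.update({USER_ALL[n]: USER_FORCE_PASSWORD_CHANGE
                 for n in ("NTPASSWORDPRESENT", "LMPASSWORDPRESENT", "PASSWORDEXPIRED")})

def check_which_fields(which_fields: int, granted_access: int) -> str:
    """Apply constraints 1 and 2; return "ok", "rejected" or "access_denied"."""
    if which_fields == 0 or any(which_fields & bit for bit in REJECTED):
        return "rejected"           # UNDEFINED_MASK is a multi-bit mask; & catches any of them
    for bit, needed in REQUIRED.items():
        if which_fields & bit and not granted_access & needed:
            return "access_denied"  # handle was opened without the access this field needs
    return "ok"

def new_pwd_last_set(password_expired: int, pwd_last_set: int, now: int, effective_max_age: int):
    """Constraint 5: value to store in pwdLastSet, or None to leave it unchanged."""
    if password_expired != 0:
        return 0                    # 5.1: mark the password as expired
    if now - pwd_last_set > effective_max_age:
        return now                  # 5.2: password had aged past Effective-MaximumPasswordAge
    return None
```

Per constraint 5.3, a caller that also writes pwdLastSet elsewhere in the same request must let the value returned here win.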