Compartir a través de


3.1.1.13.5 ExpandShadowPrincipal

 procedure ExpandShadowPrincipal(
     InputSids: ARRAY(SID),
     ExpandedSids: ARRAY(SID),
     MaxValidityTimeHint: LARGE_INTEGER) : NTSTATUS

InputSids: An array of SIDs to be expanded.

ExpandedSids: Returns the set of expanded SIDs.

MaxValidityTimeHint: Returns the smallest expiration timestamp of all memberships returned in ExpandedSids, or zero if all memberships are persistent.

Return Values: This procedure returns STATUS_SUCCESS ([MS-ERREF] section 2.3.1) to indicate success; otherwise, an NTSTATUS error code.

Note In the following logical processing, the GUID of the Privileged Access Management optional feature is defined in section 6.1.1.2.4.1.3.2.

Logical Processing:

 v,u,w : DSName;
 ShadowPrincipalContainer : DSName;
 nameSet : set of DSName;
 pamFeatureGuid: GUID;
  
 MaxValidityTimeHint := 0;
  
 /* Check if the feature is enabled */
 pamFeatureGuid := GUID of the Privileged Access Management optional feature;
 if (!IsOptionalFeatureEnabled(DSName of Cross-Ref-Container, pamFeatureGuid))
   ExpandedSids := {};
   MaxValidityTimeHint := 0;
   return STATUS_SUCCESS
 endif
  
 /* Get the name of the shadow principal container */
 ShadowPrincipalContainer := "CN=Shadow Principal Configuration,CN=Services" ShadowPrincipalContainer := ShadowPrincipalContainer + dc.configNC
  
 /* Check if each SID is a member of any shadow principals */
 foreach v in InputSids
   nameSet := select all w from children ShadowPrincipalContainer where 
     (w!member := v) and 
     (w!objectClass := msDS-ShadowPrincipal)
   /* For each shadow principal, add its shadow principal SID to the output */
   foreach u in nameSet 
      if (!(u!msDS-ShadowPrincipalSid in ExpandedSids)) 
        ExpandedSids := ExpandedSids + u!msDS-ShadowPrincipalSid
      endif
   endfor
 endfor 
  
 if ((minimum TTL of all memberships returned in ExpandedSids) > 0)
       MaxValidityTimeHint := (minimum TTL of all memberships
                            returned in ExpandedSids);
 endif
return STATUS_SUCCESS;