3.1.5.12.1.1 SamrSetSecurityObject (DC Configuration)
Upon receiving this message, the server MUST process the data from the message subject to all of the following constraints:
The access control specified in SecurityDescriptor MUST be a valid security descriptor containing simple ACEs; otherwise the server MUST return an error status. [MS-DTYP] section 2.4.6 contains the specification for a valid security descriptor. On error, the server MUST abort processing and return an error.
ObjectHandle.GrantedAccess MUST have the required access specified in the following table, based on the set bits in the SecurityInformation parameter. The server MUST ignore set bits in SecurityInformation that are not specified in the table. On error, the server MUST abort processing and return STATUS_ACCESS_DENIED.
Security information bits      Required access
SACL_SECURITY_INFORMATION      ACCESS_SYSTEM_SECURITY
OWNER_SECURITY_INFORMATION     WRITE_OWNER
GROUP_SECURITY_INFORMATION     WRITE_OWNER
DACL_SECURITY_INFORMATION      WRITE_DAC
If the DACL_SECURITY_INFORMATION bit is set in SecurityInformation, the server MUST determine whether the DACL of SecurityDescriptor of the input message matches one of the following DACLs. The ordering of the ACEs is not relevant. Let Self denote the SID of the user object referenced by ObjectHandle.Object.
DACL a.
SID                    Access mask
WorldSid               USER_EXECUTE | USER_READ
AdministratorSid       USER_ALL_ACCESS
AccountOperatorsSid    USER_ALL_ACCESS
Self                   USER_WRITE
DACL b.
SID                    Access mask
WorldSid               (USER_EXECUTE | USER_READ) & ~USER_CHANGE_PASSWORD
AdministratorSid       USER_ALL_ACCESS
AccountOperatorsSid    USER_ALL_ACCESS
Self                   USER_WRITE & ~USER_CHANGE_PASSWORD
DACL c.
SID                    Access mask
WorldSid               (USER_EXECUTE | USER_READ) & ~USER_CHANGE_PASSWORD
AdministratorSid       USER_ALL_ACCESS
AccountOperatorsSid    USER_ALL_ACCESS
DACL d.
SID                    Access mask
WorldSid               USER_EXECUTE | USER_READ
AdministratorSid       USER_ALL_ACCESS
Self                   USER_WRITE
If there is no match from the preceding constraint, the server MUST silently ignore the request by aborting processing and returning 0.
If the matching DACL grants USER_CHANGE_PASSWORD to World, the server MUST update the ntSecurityDescriptor attribute for the target user such that the target user has the ability to change his or her password; otherwise, the server MUST update the ntSecurityDescriptor attribute for the target user such that the target does not have the ability to change his or her password. For an example of how to do this, see the following citation in Appendix B: Product Behavior.<68>
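As an added illustration (not part of the specification), the following Python models the constraints of this section: the access check derived from the SecurityInformation bits, the order-insensitive comparison of the supplied DACL against DACLs a-d with Self resolved to the target user's SID, and the resulting decision on whether World retains USER_CHANGE_PASSWORD. The numeric values of the constants and the well-known SID strings are assumptions taken from MS-DTYP and MS-SAMR, since the page names them without values.

```python
# Numeric values as in MS-DTYP and MS-SAMR 2.2.1.7; the page names these constants
# without values, so the numbers here are this example's assumption.
OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION = 0x1, 0x2
DACL_SECURITY_INFORMATION, SACL_SECURITY_INFORMATION = 0x4, 0x8
WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY = 0x00040000, 0x00080000, 0x01000000
USER_CHANGE_PASSWORD, USER_READ, USER_WRITE = 0x00000040, 0x0002031A, 0x00020044
USER_EXECUTE, USER_ALL_ACCESS = 0x00020041, 0x000F07FF
STATUS_SUCCESS, STATUS_ACCESS_DENIED = 0x00000000, 0xC0000022
# Well-known SIDs (assumed); "Self" is replaced by the target user's SID when matching.
WORLD, ADMINS, ACCT_OPS, SELF = "S-1-1-0", "S-1-5-32-544", "S-1-5-32-548", "Self"
RO, ALL, NO_CHPW = USER_EXECUTE | USER_READ, USER_ALL_ACCESS, ~USER_CHANGE_PASSWORD

# The four permitted DACLs (a-d) as unordered sets of (SID, access mask) ACEs.
TEMPLATES = {
    "a": {(WORLD, RO), (ADMINS, ALL), (ACCT_OPS, ALL), (SELF, USER_WRITE)},
    "b": {(WORLD, RO & NO_CHPW), (ADMINS, ALL), (ACCT_OPS, ALL), (SELF, USER_WRITE & NO_CHPW)},
    "c": {(WORLD, RO & NO_CHPW), (ADMINS, ALL), (ACCT_OPS, ALL)},
    "d": {(WORLD, RO), (ADMINS, ALL), (SELF, USER_WRITE)},
}
# SecurityInformation bit -> access that ObjectHandle.GrantedAccess must contain.
REQUIRED = {SACL_SECURITY_INFORMATION: ACCESS_SYSTEM_SECURITY, OWNER_SECURITY_INFORMATION: WRITE_OWNER,
            GROUP_SECURITY_INFORMATION: WRITE_OWNER, DACL_SECURITY_INFORMATION: WRITE_DAC}

def required_access(security_information):
    """Union of the required access for the set bits; bits not in the table are ignored."""
    need = 0
    for bit, access in REQUIRED.items():
        if security_information & bit:
            need |= access
    return need

def match_dacl(aces, self_sid):
    """Letter of the template equal to the DACL (ACE order ignored, duplicates not), or None."""
    given = sorted(aces)
    for name, template in TEMPLATES.items():
        if given == sorted((self_sid if s == SELF else s, m) for s, m in template):
            return name
    return None

def samr_set_security_object(granted_access, security_information, dacl_aces, self_sid):
    """Apply the section's constraints; returns (status, matched DACL, user may change password)."""
    need = required_access(security_information)
    if (granted_access & need) != need:
        return STATUS_ACCESS_DENIED, None, None
    if not (security_information & DACL_SECURITY_INFORMATION):
        return STATUS_SUCCESS, None, None   # no DACL change requested; nothing further specified here
    name = match_dacl(dacl_aces, self_sid)
    if name is None:
        return STATUS_SUCCESS, None, None   # no match: request silently ignored, status 0
    return STATUS_SUCCESS, name, bool(dict(TEMPLATES[name])[WORLD] & USER_CHANGE_PASSWORD)
```

Note that the "no match" path returns the same status as success, so a caller cannot tell a silently ignored descriptor from an applied one by the return value alone.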