Compartilhar via


3.1.1.3 Account Object Data Model

Inside the Local Security Authority (Domain Policy) Remote Protocol database, the account object MUST be represented by four pieces of data as follows.

Name

Type

Security Identifier (Public)

RPC_SID

Security Descriptor

LSAPR_SR_SECURITY_DESCRIPTOR

Privileges (Public)

LSAPR_PRIVILEGE_SET

System Access Rights

unsigned int with combination of POLICY_SYSTEM_ACCESS_MODE flags

The Security Identifier field identifies the account object and MUST be present. Two different account objects MUST NOT have the same security identifier (SID). The Security Identifier field MUST be read-only. Any valid SID can be used to identify an account object.

The Security Descriptor field controls access to the account object. Every account object in the Local Security Authority (Domain Policy) Remote Protocol database MUST have a valid security descriptor. The security descriptor can be queried by calling the LsarQuerySecurityObject method and changed by calling the LsarSetSecurityObject method. The server MUST assign a default security descriptor to every newly created account object, even if the client did not specify a default value.<50>

The Privileges field is a potentially empty set of "global" rights granted to the account by the server. Every "right" in the set is a pair of a LUIDs and a bitmask of attributes. The right can be controlled by calling the LsarAddAccountRights, LsarAddPrivilegesToAccount, LsarRemoveAccountRights, and LsarRemovePrivilegesFromAccount methods. Because there are no "negative" rights, the order of rights in the set is not relevant and the server MUST NOT associate any special semantics with the order of rights.

The System Access Rights field is a bitmask of flags indicating the system access of the account.

This field can be set to 0.

If the responder for this protocol is a domain controller, the values of the implementation-specific instantiation of this abstract data model MUST converge between the domain controller in the same domain.<51> There is no requirement on the length of time to reach convergence.