3.1.1.5.2.1.1 Per Attribute Authorization for Add Operation

If AttributeAuthorizationOnLDAPAdd equals 0 or 2, this check succeeds with no further processing.

If AttributeAuthorizationOnLDAPAdd equals 1, processing proceeds as follows:

  1. If the requester is a member of either Domain Administrators (section 6.1.1.6.5) or Enterprise Administrators (section 6.1.1.6.10), this check succeeds with no further processing.

  2. If the objectClass being added is neither of type computer or a class derived from type computer, this check succeeds with no further processing, otherwise proceed.<5>

  3. Let DefaultSD be a security descriptor created per the algorithm specified in sections 6.1.3 and 6.1.3.3. If the requester submitted an nTSecurityDescriptor attribute as part of the Add request, that attribute MUST be excluded for the purpose of creating DefaultSD.

  4. Check if the requester is granted explicit WRITE_DAC permission on DefaultSD. Explicit means that WRITE_DAC MUST be granted due to the presence of at least one access-allowed ACE in the SD, and not due to the requester being an Owner in the DefaultSD.

  5. If the requester is granted explicit WRITE_DAC permission on DefaultSD, this check succeeds with no further processing.

  6. If the requester is not granted explicit WRITE_DAC permission on DefaultSD, and the requester submitted an nTSecurityDescriptor attribute as part of the Add request, and implicit Owner rights are blocked, as specified in section 6.1.3.5, then the server returns an error.

  7. Let A be the set of attributes included in the requester’s Add request. Remove from A any attributes that are configured in the schema as either systemMustContain or mustContain attributes for the object class being created.

  8. Remove from A the unicodePwd or userPassword attributes if present.

  9. If A is empty, this check succeeds with no further processing.

  10. If A is non-empty, perform an access check operation against DefaultSD as if the requester was trying to modify the attributes contained in A, using the steps specified in section 3.1.1.5.3.1. If this access check fails, the server returns an error.

  11. If processing reaches this point without the server having returned an error, the check succeeds.
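As an added illustration (not text or code from MS-ADTS), the following Python models steps 1 through 11 over a deliberately simplified security descriptor: ACEs are plain (allow|deny, trustee SID, mask, attribute) tuples evaluated first-match, the owner is never consulted, the schema fragment and SIDs are constructed, and the per-attribute modify check of section 3.1.1.5.3.1 is reduced to a WRITE_PROPERTY lookup.

```python
WRITE_DAC, WRITE_PROPERTY = 0x40000, 0x20  # RIGHT_WRITE_DAC / RIGHT_DS_WRITE_PROPERTY

# Constructed schema fragment (not the real AD schema): class -> parent class,
# and class -> systemMustContain/mustContain attributes.
PARENT = {"computer": "user", "user": "organizationalPerson", "organizationalPerson": "top"}
MUST_CONTAIN = {"top": {"objectClass"}, "user": {"cn"}}
ADMIN_GROUPS = {"DomainAdmins", "EnterpriseAdmins"}  # stand-ins for 6.1.1.6.5 / 6.1.1.6.10

def lineage(cls):
    """Yield cls and each ancestor up the constructed inheritance chain."""
    while cls:
        yield cls
        cls = PARENT.get(cls)

def granted(sd, sids, mask, attr=None):
    """Simplified first-match DACL walk. The owner is never consulted, so a hit
    here is an *explicit* grant. ACE = (allow|deny, trustee SID, mask, attr or None)."""
    for kind, trustee, m, a in sd["dacl"]:
        if trustee in sids and m & mask and a in (None, attr):
            return kind == "allow"
    return False

def authorize_add(mode, requester, obj_class, attrs, default_sd, owner_rights_blocked):
    """Return 'success' or an 'error: ...' string; comments give the step numbers."""
    if mode in (0, 2) or requester["groups"] & ADMIN_GROUPS:        # mode 0/2, step 1
        return "success"
    chain = list(lineage(obj_class))
    if "computer" not in chain:                                       # step 2
        return "success"
    sids = requester["sids"]                                          # step 3: default_sd is DefaultSD
    if granted(default_sd, sids, WRITE_DAC):                          # steps 4-5
        return "success"
    if "nTSecurityDescriptor" in attrs and owner_rights_blocked:      # step 6
        return "error: implicit owner rights blocked"
    A = set(attrs) - set().union(*(MUST_CONTAIN.get(c, set()) for c in chain))  # step 7
    A -= {"unicodePwd", "userPassword"}                               # step 8
    if not A:                                                         # step 9
        return "success"
    denied = sorted(a for a in A if not granted(default_sd, sids, WRITE_PROPERTY, a))
    if denied:                                                        # step 10
        return "error: no write access to " + ", ".join(denied)
    return "success"                                                  # step 11

# Constructed sample: a non-admin requester who may write only dNSHostName.
SAMPLE_SD = {"dacl": [("allow", "S-1-5-21-1-2-3-1105", WRITE_PROPERTY, "dNSHostName")]}
SAMPLE_REQUESTER = {"sids": {"S-1-5-21-1-2-3-1105"}, "groups": set()}
SAMPLE_ATTRS = ["objectClass", "cn", "sAMAccountName", "unicodePwd",
                "dNSHostName", "servicePrincipalName"]
```

With SAMPLE_ATTRS the request is refused because sAMAccountName and servicePrincipalName survive steps 7 and 8 and the requester holds no write grant on them; the same requester adding only objectClass, cn and dNSHostName succeeds.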

<5> This new process for authorizing attributes for the Add operation is supported by the operating systems specified in [MSFT-CVE-2021-42291], each with its related MSKB article download installed.