procedure ExpandShadowPrincipal(
     InputSids: ARRAY(SID),
     ExpandedSids: ARRAY(SID),
     MaxValidityTimeHint: LARGE_INTEGER) : NTSTATUS

InputSids: An array of SIDs to be expanded.

ExpandedSids: Returns the set of expanded SIDs.

MaxValidityTimeHint: Returns the smallest expiration timestamp of all memberships returned in ExpandedSids, or zero if all memberships are persistent.

Return Values: This procedure returns STATUS_SUCCESS ([MS-ERREF] section 2.3.1) to indicate success; otherwise, an NTSTATUS error code.

Note In the following logical processing, the GUID of the Privileged Access Management optional feature is defined in section

Logical Processing:

 v : SID;
 u,w : DSName;
 ShadowPrincipalContainer : DSName;
 nameSet : set of DSName;
 pamFeatureGuid: GUID;
 MaxValidityTimeHint := 0;
 /* Check if the feature is enabled */
 pamFeatureGuid := GUID of the Privileged Access Management optional feature;
 if (!IsOptionalFeatureEnabled(DSName of Cross-Ref-Container, pamFeatureGuid))
   /* Feature disabled: no expansion takes place and the hint stays zero */
   ExpandedSids := {};
   MaxValidityTimeHint := 0;
   return STATUS_SUCCESS;
 /* Get the name of the shadow principal container */
 /* The container is named relative to the config NC, so the RDN sequence ends with a comma */
 ShadowPrincipalContainer := "CN=Shadow Principal Configuration,CN=Services,";
 ShadowPrincipalContainer := ShadowPrincipalContainer + dc.configNC;
 /* Check if each SID is a member of any shadow principals */
 foreach v in InputSids
   /* member is multi-valued, so test v for membership in it; objectClass is compared, not assigned */
   nameSet := select all w from children ShadowPrincipalContainer where
     (v in w!member) and
     (w!objectClass = msDS-ShadowPrincipal)
   /* For each shadow principal, add its shadow principal SID to the output */
   foreach u in nameSet
     if (!(u!msDS-ShadowPrincipalSid in ExpandedSids))
       ExpandedSids := ExpandedSids + u!msDS-ShadowPrincipalSid
 /* Report the earliest expiry among the returned memberships; zero means all are persistent */
 if ((minimum TTL of all memberships returned in ExpandedSids) > 0)
   MaxValidityTimeHint := (minimum TTL of all memberships returned in ExpandedSids);
 return STATUS_SUCCESS;
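The procedure above as an added Python model, not part of the MS-ADTS text: it runs over a constructed in-memory directory (the object names, SIDs and timestamps are invented) and assumes that a membership whose TTL has already expired is treated as absent, so it contributes neither an output SID nor a validity hint.

```python
from dataclasses import dataclass

STATUS_SUCCESS = 0x00000000

@dataclass
class ShadowPrincipal:
    """Constructed model of one msDS-ShadowPrincipal child of the container."""
    dn: str
    shadow_sid: str   # msDS-ShadowPrincipalSid
    members: dict     # member SID -> expiry time (int), None = persistent member

@dataclass
class DirectoryModel:
    """Constructed stand-in for the DC state the procedure reads."""
    pam_feature_enabled: bool   # what IsOptionalFeatureEnabled(...) would return
    shadow_principals: list     # children of the Shadow Principal Configuration container

def expand_shadow_principal(dc, input_sids, now):
    """Returns (status, ExpandedSids, MaxValidityTimeHint)."""
    if not dc.pam_feature_enabled:      # feature off: nothing expands, hint is 0
        return STATUS_SUCCESS, [], 0
    expanded, expiries = [], []
    for sid in input_sids:
        for sp in dc.shadow_principals:
            if sid not in sp.members:
                continue
            expiry = sp.members[sid]
            # Assumption: a membership whose TTL has expired is treated as absent.
            if expiry is not None and expiry <= now:
                continue
            if sp.shadow_sid not in expanded:
                expanded.append(sp.shadow_sid)
            if expiry is not None:
                expiries.append(expiry)
    # Smallest expiry among the TTL memberships that were returned, else 0.
    hint = min(expiries) if expiries else 0
    return STATUS_SUCCESS, expanded, hint

def sample_directory():
    """Constructed sample: one bastion user is a TTL member of two shadow principals."""
    return DirectoryModel(True, [
        ShadowPrincipal("CN=Tier0Admins", "S-1-5-21-1111-512",
                        {"S-1-5-21-9999-1104": 1700003600, "S-1-5-21-9999-1105": None}),
        ShadowPrincipal("CN=Helpdesk", "S-1-5-21-1111-1201",
                        {"S-1-5-21-9999-1104": 1700000900, "S-1-5-21-9999-1106": 1600000000}),
    ])
```

The hint lets the caller bound how long the expanded SIDs may be cached, which matters because a PAM grant that has lapsed must stop appearing in tokens.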