3.1.1.5.2.2 Constraints


The following constraints are enforced for originating update Add operations. If any of these constraints are not satisfied, the server returns an error.

These constraints are not enforced for replicated updates.

  • The object DN value is a syntactically valid DN (see LDAP, section 3.1.1.3). If it is not, Add returns namingViolation / ERROR_DS_NAME_UNPARSEABLE.

  • If an instanceType attribute value is specified, then the following constraints MUST be satisfied:

    • If the DC functional level is DS_BEHAVIOR_WIN2000, then multiple integer values are permitted. However, if the DC functional level is DS_BEHAVIOR_WIN2003 or greater, then there MUST be exactly one integer value; otherwise Add returns unwillingToPerform / ERROR_DS_BAD_INSTANCE_TYPE.

    • If the instanceType value has IT_NC_HEAD bit set, then IT_WRITE MUST be set. If this is the case, then this operation is considered to be an NC-Add operation, and additional constraints and processing specifics apply (see NC-Add Operation (section 3.1.1.5.2.8) for details).

    • If IT_NC_HEAD is set, but IT_WRITE is not set, Add returns unwillingToPerform / ERROR_DS_ADD_REPLICA_INHIBITED.

    • If IT_NC_HEAD is not set in the value, and the DC functional level is DS_BEHAVIOR_WIN2003 or greater, then the only allowed values are zero and IT_WRITE; otherwise Add returns unwillingToPerform / ERROR_DS_BAD_INSTANCE_TYPE.
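    The instanceType checks above, written out as a small validator. This is an added example, not text or code from MS-ADTS: IT_NC_HEAD and IT_WRITE carry the bit values MS-ADTS defines for instanceType, while the DS_BEHAVIOR_* numbers are assumed (only their ordering matters here), and the return shape is this example's own.

```python
# Added example, not MS-ADTS text: the instanceType constraints for an Add.
IT_NC_HEAD = 0x00000001  # the object is the head (root) of a naming context
IT_WRITE = 0x00000004    # the local replica of the NC is writable

# Assumed numbering; the validator only relies on the ordering.
DS_BEHAVIOR_WIN2000 = 0
DS_BEHAVIOR_WIN2003 = 2
DS_BEHAVIOR_WIN2008 = 3

BAD_INSTANCE_TYPE = ("unwillingToPerform", "ERROR_DS_BAD_INSTANCE_TYPE")
REPLICA_INHIBITED = ("unwillingToPerform", "ERROR_DS_ADD_REPLICA_INHIBITED")


def validate_instance_type(values, dc_level):
    """Check the instanceType values supplied with an Add.

    `values` is the list of integers sent for instanceType; an empty list
    means the attribute was not specified, so nothing is enforced.
    Returns a dict with `ok`, `nc_add` (True when the Add is an NC-Add,
    which triggers the extra NC-Add processing) and `error`.
    """
    if not values:
        return {"ok": True, "nc_add": False, "error": None}

    # Win2000 DCs accept several integer values; Win2003 and later require
    # exactly one.
    if dc_level >= DS_BEHAVIOR_WIN2003 and len(values) != 1:
        return {"ok": False, "nc_add": False, "error": BAD_INSTANCE_TYPE}

    nc_add = False
    for v in values:
        if v & IT_NC_HEAD:
            # An NC head must also be writable; otherwise the Add is refused.
            if not v & IT_WRITE:
                return {"ok": False, "nc_add": False, "error": REPLICA_INHIBITED}
            nc_add = True
        elif dc_level >= DS_BEHAVIOR_WIN2003 and v not in (0, IT_WRITE):
            # An ordinary (non-NC-head) object may only say 0 or IT_WRITE.
            return {"ok": False, "nc_add": False, "error": BAD_INSTANCE_TYPE}
    return {"ok": True, "nc_add": nc_add, "error": None}
```

    The validator reports whether the Add is an NC-Add so a caller can branch into the NC-Add processing of section 3.1.1.5.2.8; bits other than IT_NC_HEAD and IT_WRITE are rejected only on DS_BEHAVIOR_WIN2003 and later, as the bullets state.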

  • If the operation is not NC-Add, then the parent object MUST be in an NC whose full replica is hosted at this DC; otherwise referral / ERROR_DS_REFERRAL is returned.

  • If the operation is not NC-Add, then the parent object MUST be present in the directory. The parent DN is computed from the passed-in DN value by removing the first RDN label. If the parent object is not found in the directory, then noSuchObject / ERROR_DS_OBJ_NOT_FOUND is returned.

  • At least one objectClass value MUST be specified. Otherwise, Add returns objectClassViolation / ERROR_DS_OBJECT_CLASS_REQUIRED.

  • The objectClass attribute MUST be specified only once in the input attribute list. Otherwise, Add returns attributeOrValueExists / ERROR_DS_ATT_ALREADY_EXISTS if the DC functional level is DS_BEHAVIOR_WIN2000, and objectClassViolation / ERROR_DS_ILLEGAL_MOD_OPERATION if the DC functional level is DS_BEHAVIOR_WIN2003 or greater.

  • All objectClass values correspond to classes that are defined and active in the schema.

    • If a defunct class is referenced, then Add returns objectClassViolation / ERROR_DS_OBJ_CLASS_NOT_DEFINED if the DC functional level is DS_BEHAVIOR_WIN2003 or lower, and noSuchAttribute / ERROR_INVALID_PARAMETER if the DC functional level is DS_BEHAVIOR_WIN2008 or greater.

    • If the objectClass does not exist in the schema, Add returns noSuchAttribute / ERROR_INVALID_PARAMETER.

  • The set of non-auxiliary objectClass values defines a (possibly incomplete) inheritance chain with a single, most specific structural objectClass or a single 88 object class. If this is not TRUE, Add returns objectClassViolation / ERROR_DS_OBJ_CLASS_NOT_SUBCLASS.

  • If the forest functional level is DS_BEHAVIOR_WIN2003 or higher, then auxiliary classes can be included while setting the value for the objectClass attribute. If the forest functional level is lower than DS_BEHAVIOR_WIN2003, then including auxiliary classes while setting the value of the objectClass attribute results in unwillingToPerform / ERROR_DS_NOT_SUPPORTED being returned by the server.

  • If the fschemaUpgradeInProgress field is FALSE on the LDAPConnection instance in dc.ldapConnections ([MS-DRSR] section 5.116) corresponding to the LDAP connection on which the operation is being performed and the structural objectClass or the 88 object class is not marked as systemOnly, then Add returns unwillingToPerform / ERROR_DS_CANT_ADD_SYSTEM_ONLY.

  • The objectClass’s objectClassCategory is either 0 (88 object class) or 1 (structural object class). If it is not, Add returns unwillingToPerform / ERROR_DS_CLASS_MUST_BE_CONCRETE.

  • The structural objectClass is not a Local Security Authority (LSA)–specific object class (section 3.1.1.5.2.3). If it is, Add returns unwillingToPerform / ERROR_DS_CANT_ADD_SYSTEM_ONLY.

  • If the structural objectClass is crossRef, then crossRef requirements (section 3.1.1.5.2.7), as well as NC naming requirements (section 3.1.1.5.2.6), are enforced.

  • It is disallowed to create objects with duplicate RDN values under the same parent container. See section 3.1.1.3.1.2.1 for more information.

  • All attribute names/OIDs refer to attributes that are defined and active in the schema. If an unknown or defunct attribute is referenced, Add returns noSuchAttribute / ERROR_INVALID_PARAMETER.

  • Object quota requirements are satisfied for the requester in the NC where the object is being added (see section 3.1.1.5.2.5).

  • The objectClass being created satisfies the possSuperiors schema constraint (section 3.1.1.2) for the objectClass of the parent object. Otherwise, objectClassViolation / ERROR_DS_ILLEGAL_SUPERIOR is returned if the DC functional level is DS_BEHAVIOR_WIN2000, and namingViolation / ERROR_DS_ILLEGAL_SUPERIOR is returned if the DC functional level is DS_BEHAVIOR_WIN2003 or greater.

  • The set of attributes provided for object creation is consistent with the schema as described in section 3.1.1.5.1.1.

  • If the requester has supplied a value for the RDN attribute, then it matches the first label of the supplied DN value in both attribute type and attribute value, according to the LDAP Unicode string comparison rules in section 3.1.1.3.

  • The RDN value satisfies schema constraints (rangeLower/rangeUpper, single-valuedness, syntax, and so on).

  • If a site object is being created, then the RDN value is a valid DNS name label (according to the DNS RFC [RFC1035]). Otherwise, invalidDNSyntax / ERROR_DS_BAD_NAME_SYNTAX is returned.

  • If a subnet object is being created, then the RDN value MUST be a valid subnet object name, according to the algorithm described in section 6.1.1.2.2.2.1. Otherwise, invalidDNSyntax / ERROR_DS_BAD_NAME_SYNTAX is returned.

  • In the following two cases, the requester specifies the objectGUID or the objectSid during Add:

    • The requester is allowed to specify the objectGUID if the following five conditions are all satisfied:

    • The requester is required to specify the objectSid when creating a bind proxy object (section 3.1.1.8.2) in an AD LDS NC. The objectSid value specified for a bind proxy object MUST be resolvable by the machine running the AD LDS DC to an active Windows user. If the SID cannot be resolved to an active Windows user, Add returns unwillingToPerform / ERROR_DS_SECURITY_ILLEGAL_MODIFY. If the requester-specified objectSid value is present on an existing object in the same NC, Add returns unwillingToPerform / ERROR_DS_SECURITY_ILLEGAL_MODIFY.

      In all other cases, it is an error (unwillingToPerform / ERROR_DS_SECURITY_ILLEGAL_MODIFY) for the requester to specify the objectGUID or objectSid during Add; these values are automatically generated (as specified in section 3.1.1.5.2.4, “Processing Specifics”) by the system as required.

  • If the requester has specified an owner using the LDAP_SERVER_SET_OWNER_OID LDAP control and has specified a value for the nTSecurityDescriptor, the owner in the security descriptor is set to the owner supplied by the control. Any other portions of the security descriptor are unchanged. The resultant value is a valid security descriptor value in self-relative format, and it satisfies the security descriptor constraints (see “Security Descriptor Requirements” in section 6.1.3).

  • If the requester has specified an owner using the LDAP_SERVER_SET_OWNER_OID LDAP control but has not specified a value for nTSecurityDescriptor, a new value for nTSecurityDescriptor is created: a security descriptor with the owner set to the owner supplied by the control. No other portions of the security descriptor are valid. The resultant value is a valid security descriptor value in self-relative format, and it satisfies the security descriptor constraints (see “Security Descriptor Requirements” in section 6.1.3).

  • If the requester has not specified an owner using the LDAP_SERVER_SET_OWNER_OID LDAP control but has specified a value for nTSecurityDescriptor, the value is a valid security descriptor value in self-relative format, and it satisfies the security descriptor constraints (see “Security Descriptor Requirements” in section 6.1.3).

  • If the requester has specified a value for the objectCategory attribute, then it points to an existing classSchema object in the schema container.

  • If the requester has specified a value for the servicePrincipalName attribute, then it is a syntactically valid SPN (2) value (see section 5.1.1.4, “Mutual Authentication”).

  • If the requester has specified values for the servicePrincipalName or userPrincipalName attributes, those values MUST meet the constraints specified in section 3.1.1.5.1.3.

  • If the DC functional level is DS_BEHAVIOR_WIN2003 or greater and the msDS-Entry-Time-To-Die attribute is set, then the objectClass value includes the dynamicObject auxiliary class.

  • If the DC functional level is DS_BEHAVIOR_WIN2003 or greater, then it is disallowed for a non-dynamicObject child to be created under a dynamicObject parent (see section 6.1.7). If this constraint is violated, then unwillingToPerform / ERROR_DS_UNWILLING_TO_PERFORM is returned.

  • If the DC functional level is DS_BEHAVIOR_WIN2008 or greater, the following constraints are enforced on objects of class msDS-PasswordSettings:

    • The msDS-PasswordHistoryLength attribute is less than or equal to 1024.

    • The msDS-MinimumPasswordAge attribute is less than or equal to 0.

    • The msDS-MaximumPasswordAge attribute is less than or equal to 0.

    • The msDS-MaximumPasswordAge attribute is less than the value of the msDS-MinimumPasswordAge attribute on the same object after the Add would have completed.

    • The msDS-MinimumPasswordLength attribute is less than or equal to 256.

    • The msDS-LockoutDuration attribute is less than or equal to 0.

    • The msDS-LockoutObservationWindow attribute is less than or equal to 0.

    • The msDS-LockoutDuration attribute is less than or equal to the value of the msDS-LockoutObservationWindow attribute on the same object after the Add would have completed.

      Otherwise, unwillingToPerform / ERROR_DS_SECURITY_ILLEGAL_MODIFY is returned.
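    The msDS-PasswordSettings constraints above are easy to misread because the interval attributes (ages, lockout duration, observation window) are stored as negative counts of 100-nanosecond units, the encoding Active Directory uses for these attributes; that is why they are compared against 0 and why "maximum age is less than minimum age" means the maximum age is the longer span. The following is an added example, not MS-ADTS text: a validator for the listed constraints plus a helper that builds a constructed PSO attribute set from human-readable durations. The NEVER_EXPIRES constant is the most negative 64-bit value, which is how "never" is expressed for these intervals.

```python
from datetime import timedelta

# Added example, not MS-ADTS text: Add-time constraints on msDS-PasswordSettings.
HUNDRED_NS_PER_SECOND = 10_000_000
NEVER_EXPIRES = -0x8000000000000000  # most negative 64-bit value, used for "never"

ILLEGAL_MODIFY = ("unwillingToPerform", "ERROR_DS_SECURITY_ILLEGAL_MODIFY")

# Per-attribute upper bounds taken from the bullets above. The 0 limits apply
# to interval attributes, which must be zero or negative.
LIMITS = {
    "msDS-PasswordHistoryLength": 1024,
    "msDS-MinimumPasswordAge": 0,
    "msDS-MaximumPasswordAge": 0,
    "msDS-MinimumPasswordLength": 256,
    "msDS-LockoutDuration": 0,
    "msDS-LockoutObservationWindow": 0,
}


def interval(td):
    """Encode a duration the way PSO intervals are stored: negative 100-ns units."""
    return -int(td.total_seconds()) * HUNDRED_NS_PER_SECOND


def validate_password_settings(attrs):
    """Apply the msDS-PasswordSettings Add constraints to `attrs`, a dict of
    attribute name -> integer value as it would be stored. Returns None when
    every constraint holds, otherwise the (ldapResult, Windows error) pair."""
    for name, limit in LIMITS.items():
        if name in attrs and attrs[name] > limit:
            return ILLEGAL_MODIFY

    max_age = attrs.get("msDS-MaximumPasswordAge")
    min_age = attrs.get("msDS-MinimumPasswordAge")
    # With negative intervals, "max age < min age" means the maximum age
    # describes the longer duration.
    if max_age is not None and min_age is not None and not max_age < min_age:
        return ILLEGAL_MODIFY

    duration = attrs.get("msDS-LockoutDuration")
    window = attrs.get("msDS-LockoutObservationWindow")
    # Likewise the lockout duration must be at least as long as the window.
    if duration is not None and window is not None and not duration <= window:
        return ILLEGAL_MODIFY
    return None


def example_pso(max_age_days=42, min_age_days=1):
    """Constructed sample PSO built from human durations (not real directory data)."""
    return {
        "msDS-PasswordHistoryLength": 24,
        "msDS-MinimumPasswordLength": 12,
        "msDS-MinimumPasswordAge": interval(timedelta(days=min_age_days)),
        "msDS-MaximumPasswordAge": interval(timedelta(days=max_age_days)),
        "msDS-LockoutDuration": interval(timedelta(minutes=30)),
        "msDS-LockoutObservationWindow": interval(timedelta(minutes=30)),
    }
```

    A PSO whose maximum age is shorter than its minimum age, or whose lockout duration is shorter than its observation window, is refused with the single error the page names; the validator does not distinguish which bullet failed because the page does not either.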

  • An AD LDS security principal object (section 5.1.1.5) can be created in an application NC. In addition, if the ADAMAllowADAMSecurityPrincipalsInConfigPartition configurable setting (section 3.1.1.3.4.7) is supported and equals 1, an AD LDS security principal object can also be created in the config NC. An AD LDS security principal object can never be created in the schema NC.

  • In AD LDS, if the LDAP policy ADAMDisablePasswordPolicies does not equal 1, and a password value (either unicodePwd or userPassword) is specified in an Add, the password MUST satisfy the current password policy in effect on the AD LDS server as reported by SamrValidatePassword ([MS-SAMR] section 3.1.5.13.7). If the provided password value does not satisfy the password policy, the Add returns constraintViolation / ERROR_PASSWORD_RESTRICTION.

  • In AD LDS, if the fAllowPasswordOperationsOverNonSecureConnection heuristic of the dSHeuristics attribute (see section 6.1.1.2.4.1.2) is not TRUE, and a password value (either unicodePwd or userPassword) is specified in an Add, the LDAP connection MUST be encrypted with cipher strength of at least 128 bits. If the connection does not pass the test, the Add returns operationsError / ERROR_DS_ILLEGAL_MOD_OPERATION.

  • In AD LDS, if the userPrincipalName value is specified in an Add, then the value MUST be unique within all NCs on this DC. If another object exists with the same userPrincipalName value, the Add returns attributeOrValueExists / ERROR_DS_NAME_NOT_UNIQUE.

  • In AD LDS, the following attributes are disallowed in an Add: badPwdCount, badPasswordTime, lastLogonTimestamp, pwdLastSet. If one of these attributes is specified in an Add, the Add returns constraintViolation / ERROR_DS_ATTRIBUTE_OWNED_BY_SAM.

  • In AD DS, the following attributes are disallowed in an Add for objects of class user: badPasswordTime, badPwdCount, dBCSPwd, isCriticalSystemObject, lastLogoff, lastLogon, lastLogonTimestamp, lmPwdHistory, logonCount, memberOf, msDS-User-Account-Control-Computed, ntPwdHistory, objectSid, rid, sAMAccountType, and supplementalCredentials. If one of these attributes is specified in an Add, the Add returns unwillingToPerform / ERROR_DS_ATTRIBUTE_OWNED_BY_SAM.

  • In AD DS, the following attributes are disallowed in an Add for objects of class group: isCriticalSystemObject, memberOf, objectSid, rid, sAMAccountType, and userPassword. If one of these attributes is specified in an Add, the Add returns unwillingToPerform / ERROR_DS_ATTRIBUTE_OWNED_BY_SAM.

  • In AD DS, the following attributes are disallowed in an Add for an object whose class is not a SAM-specific object class (see 3.1.1.5.2.3): isCriticalSystemObject, lmPwdHistory, ntPwdHistory, objectSid, samAccountName, sAMAccountType, supplementalCredentials, and unicodePwd. If one of these attributes is specified in an Add, the Add returns unwillingToPerform / ERROR_DS_ILLEGAL_MOD_OPERATION.

  • Additional constraints are enforced if the object being created is a SAM-specific object (section 3.1.1.5.2.3); [MS-SAMR] section 3.1.1.6 specifies these constraints.

  • Additional constraints are enforced if the object being created is a schema object (section 3.1.1.5.2.3). See section 3.1.1.2, “Active Directory Schema”, for more details.

  • In the case of Windows Server 2008 R2 operating system and later, if the object being created is a computer object and all of the following conditions hold TRUE:

    • The requester does not have RIGHT_DS_CREATE_CHILD access on the Container-Object object.

    • The RpcImpersonationAccessToken.Privileges[] field has the SE_MACHINE_ACCOUNT_NAME privilege (defined in [MS-LSAD] section 3.1.1.2.1).

    Then these constraints apply:

    • Following is the list of allowed and required attributes that MUST be specified:

      • dNSHostName

      • servicePrincipalName

      • userAccountControl

      • unicodePwd*

      • objectClass

      • sAMAccountName

        *If the account is created with UF_ACCOUNTDISABLE set in userAccountControl, unicodePwd is not required.

    • Iterate over the list of attributes specified in the request:

      • If the attribute is not in the preceding list of required attributes, the Add returns ERROR_DS_MISSING_REQUIRED_ATT.

      • If the attribute is userAccountControl and the UF_WORKSTATION_TRUST_ACCOUNT bit is not set or any bit other than UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE is set, Add returns ERROR_DS_SECURITY_ILLEGAL_MODIFY.

      • If the attribute is unicodePwd and the value is of zero length and userAccountControl is either not in the list of attributes in the request or is present but the bit UF_ACCOUNTDISABLE is not set, Add returns ERROR_DS_SECURITY_ILLEGAL_MODIFY.

      • If the attribute unicodePwd is not found in the request and the UF_ACCOUNTDISABLE bit is not set in userAccountControl, the Add returns ERROR_DS_MISSING_REQUIRED_ATT.

      • If the attribute is dNSHostName and its value does not conform to the requirements stated in section 3.1.1.5.3.1.1.2, the Add returns ERROR_DS_INVALID_ATTRIBUTE_SYNTAX.

      • If the attribute is servicePrincipalName and its value does not conform to the requirements stated in section 3.1.1.5.3.1.1.4, the Add operation returns ERROR_DS_INVALID_ATTRIBUTE_SYNTAX.

  • If the object being created is a computer object and the requester has RIGHT_DS_CREATE_CHILD access, the following constraints apply:

    • If the userAccountControl attribute is not specified, then the default bit will be set to UF_WORKSTATION_TRUST_ACCOUNT.

    • If the userAccountControl attribute is specified and does not contain UF_USER_NORMAL_ACCOUNT, UF_USER_INTERDOMAIN_TRUST_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT, or UF_SERVER_TRUST_ACCOUNT, then the default bit will be set to UF_WORKSTATION_TRUST_ACCOUNT.

    • If the userAccountControl attribute is specified and does not contain UF_WORKSTATION_TRUST_ACCOUNT or UF_SERVER_TRUST_ACCOUNT, the Add operation returns ERROR_DS_SECURITY_ILLEGAL_MODIFY.

    Note: When a computer object is being created and the requester has RIGHT_DS_CREATE_CHILD access, the constraints that apply are supported by the operating systems specified in [MSFT-CVE-2021-42278], each with its related MSKB article download installed. This feature is also supported in Windows 11, version 22H2 operating system and later.
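    The two computer-object paths above (a requester relying on the SE_MACHINE_ACCOUNT_NAME privilege without RIGHT_DS_CREATE_CHILD, and a requester that holds RIGHT_DS_CREATE_CHILD) as one validator. This is an added example, not MS-ADTS text or code. The UF_* constants carry the SAM userAccountControl bit values, using the names the page uses for the normal-account and inter-domain-trust bits; the `dns_host_name_ok` and `spn_ok` hooks are hypothetical stand-ins for the syntax rules of sections 3.1.1.5.3.1.1.2 and 3.1.1.5.3.1.1.4, which this page does not reproduce; the error for a listed-but-missing required attribute is assumed to be the same ERROR_DS_MISSING_REQUIRED_ATT; and "the default bit will be set to" is read as adding the bit.

```python
# Added example, not MS-ADTS text: Add-time constraints for computer objects.
UF_ACCOUNTDISABLE = 0x0002
UF_USER_NORMAL_ACCOUNT = 0x0200               # page's name for the normal-account bit
UF_USER_INTERDOMAIN_TRUST_ACCOUNT = 0x0800    # page's name for the inter-domain-trust bit
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000

# The only attributes a requester on the SE_MACHINE_ACCOUNT_NAME path may supply;
# all but unicodePwd are also required (unicodePwd is optional for a disabled account).
PRIVILEGE_PATH_ATTRS = frozenset({
    "dNSHostName", "servicePrincipalName", "userAccountControl",
    "unicodePwd", "objectClass", "sAMAccountName",
})
ANY_ACCOUNT_TYPE = (UF_USER_NORMAL_ACCOUNT | UF_USER_INTERDOMAIN_TRUST_ACCOUNT
                    | UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)
COMPUTER_TYPES = UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT


def validate_computer_add(attrs, has_create_child, has_machine_account_priv,
                          dns_host_name_ok=lambda v: True, spn_ok=lambda v: True):
    """Check an Add of a computer object.

    `attrs` maps attribute name to value (userAccountControl as int,
    unicodePwd as bytes, servicePrincipalName as a list). Returns None on
    success or the error name the page lists. On the RIGHT_DS_CREATE_CHILD
    path a defaulted userAccountControl is written back into `attrs`.
    The two hooks are hypothetical stand-ins for the dNSHostName and SPN
    syntax rules defined elsewhere in MS-ADTS.
    """
    if has_create_child:
        return _create_child_path(attrs)
    if has_machine_account_priv:
        return _privilege_path(attrs, dns_host_name_ok, spn_ok)
    raise ValueError("neither of the two paths described on the page applies")


def _create_child_path(attrs):
    uac = attrs.get("userAccountControl")
    if uac is None:
        uac = UF_WORKSTATION_TRUST_ACCOUNT      # not specified: default to workstation
    elif not uac & ANY_ACCOUNT_TYPE:
        uac |= UF_WORKSTATION_TRUST_ACCOUNT     # no account type given: default added (assumption)
    if not uac & COMPUTER_TYPES:
        # An account type was given, but it is not a workstation or server trust account.
        return "ERROR_DS_SECURITY_ILLEGAL_MODIFY"
    attrs["userAccountControl"] = uac
    return None


def _privilege_path(attrs, dns_host_name_ok, spn_ok):
    # Anything outside the fixed attribute list is refused.
    for name in attrs:
        if name not in PRIVILEGE_PATH_ATTRS:
            return "ERROR_DS_MISSING_REQUIRED_ATT"
    uac = attrs.get("userAccountControl")
    # userAccountControl must carry UF_WORKSTATION_TRUST_ACCOUNT and nothing
    # beyond UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE.
    if uac is not None and (not uac & UF_WORKSTATION_TRUST_ACCOUNT
                            or uac & ~(UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE)):
        return "ERROR_DS_SECURITY_ILLEGAL_MODIFY"
    disabled = uac is not None and bool(uac & UF_ACCOUNTDISABLE)
    pwd = attrs.get("unicodePwd")
    if pwd is not None and len(pwd) == 0 and not disabled:
        return "ERROR_DS_SECURITY_ILLEGAL_MODIFY"   # empty password on an enabled account
    if pwd is None and not disabled:
        return "ERROR_DS_MISSING_REQUIRED_ATT"      # enabled account needs a password
    for name in PRIVILEGE_PATH_ATTRS - {"unicodePwd"}:
        if name not in attrs:
            return "ERROR_DS_MISSING_REQUIRED_ATT"  # assumed error for a missing required attribute
    if not dns_host_name_ok(attrs["dNSHostName"]):
        return "ERROR_DS_INVALID_ATTRIBUTE_SYNTAX"
    if not all(spn_ok(s) for s in attrs["servicePrincipalName"]):
        return "ERROR_DS_INVALID_ATTRIBUTE_SYNTAX"
    return None


def sample_request():
    """Constructed sample Add request for a workstation account (not real data)."""
    return {
        "objectClass": ["computer"],
        "sAMAccountName": "WS01$",
        "dNSHostName": "ws01.corp.example",
        "servicePrincipalName": ["HOST/ws01.corp.example"],
        "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
        "unicodePwd": '"constructed-sample-password"'.encode("utf-16-le"),
    }
```

    The privilege path is deliberately an allow-list: a requester whose only authority is the machine-account quota can populate exactly six attributes and can set only the workstation-trust and account-disabled bits, which is what keeps such an account from being shaped into anything other than an ordinary workstation account. The create-child path, by contrast, trusts the requester's access right and only normalises userAccountControl.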