3.1.1.5.3.3 Processing Specifics

The following processing rules apply to the modify operation:

  • If a value of the entryTTL attribute is specified in the modify request, it is processed as follows:

    • If the value of the entryTTL attribute is less than the DynamicObjectMinTTL LDAP setting, then the entryTTL attribute is set to the value of the DynamicObjectMinTTL setting.

    • The current system time, plus the entryTTL attribute interpreted as seconds, is written into the msDS-Entry-Time-To-Die attribute.

  • If the modify assigns a value to an FPO-enabled attribute (section 3.1.1.5.2.3) of the existing object, and the DN value in the modify request has <SID=stringizedSid> format (section 3.1.1.3.1.2.4), then the DC creates a corresponding foreignSecurityPrincipal object in the Foreign Security Principals Container (section 6.1.1.4.10) and assigns a reference to the new foreignSecurityPrincipal object as the FPO-enabled attribute value. [MS-SAMR] section 3.1.1.8.9 specifies the creation of the foreignSecurityPrincipal object.

  • If the msDS-UpdateScript attribute is changed in an originating update of the Partitions container, then the msDS-ExecuteScriptPassword value is removed from the Partitions container. The msDS-UpdateScript and msDS-ExecuteScriptPassword attributes are for server-to-server replication implementation only; the client does not interpret them. These attributes MAY have meaning to applicable Windows Server releases, but the meaning is not significant to Windows clients.

  • If the objectClass value is updated, then additional operations are performed (see ObjectClass Updates (section 3.1.1.5.3.5) for more details).

  • In AD DS, if the wellKnownObjects value is updated, then additional operations are performed (see wellKnownObjects Updates (section 3.1.1.5.3.6) for more details).

  • In AD LDS, if a password value (unicodePwd or userPassword) is modified on a bind proxy, then the password operation is "forwarded" to Windows as follows:

    • The objectSid on the bind proxy object is resolved to a Windows user object.

    • A DC hosting the Windows user's domain is discovered.

    • The currently bound user is impersonated.

    • For a change password operation, the NetUserChangePassword API is invoked with the new and old password values.

    • For a reset password operation, then NetUserSetInfo(level=1003) API is invoked with the new password value.

    • The currently bound user is unimpersonated.

      If any of the operations above fail, then the modify returns unwillingToPerform. This processing rule is not supported by Active Directory Application Mode (ADAM) RTW DCs.

  • In AD DS, if the msDS-AdditionalDnsHostName attribute is modified, additional operations are performed as follows. These steps assume the value(s) added or deleted are in the form anyDnsLabel.suffix:

    • For each msDS-AdditionalDnsHostName attribute value that is being added, the server MUST add a value to the msDS-AdditionalSamAccountName attribute in the format ‘anyDnsLabel$’.

      • Windows Server 2016 operating system, Windows Server 2019 operating system and later, and Windows Server v1903 operating system without [MSKB-4505903] installed, will add the ‘anyDnsLabel$’ value to the msDS-AdditionalDnsHostName attribute.

    • For each msDS-AdditionalDnsHostName value that is being removed, the server MUST check for a corresponding ‘anyDnsLabel$’ value in the msDS-AdditionalSamAccountName attribute, and if found, remove it.

  • In AD LDS, if the pwdLastSet attribute is set to -1 (that is, an unexpire-password operation is performed), then the current time is written as the value of the pwdLastSet attribute.

  • For originating updates, additional operations might be performed if the object being modified is a SAM-specific object (section 3.1.1.5.2.3); [MS-SAMR] section 3.1.1.8 specifies these additional operations.

  • Additional operations might be performed if the object being modified is a schema object (section 3.1.1.5.2.3); the additional operations are specified in section 3.1.1.2.5.

  • If link attribute values that refer to deleted-objects are not visible to the update operation (section 3.1.1.3.4.1.25), and the update operation is a complete removal of a link attribute, all existing values of the attribute are removed, including values that refer to deleted-objects. Note that if the update operation is an explicit list of attributes to be removed rather than a directive to completely remove the attribute, then no values that refer to deleted-objects are removed.

  • If link attribute values that refer to deleted-objects are not visible to the update operation (section 3.1.1.3.4.1.25), and the update operation is a complete replacement of a link attribute, all existing values of the attribute including values that refer to deleted-objects are removed before any new values specified by the replacement are added.

  • If link attribute values that refer to deleted-objects are not visible to the update operation (section 3.1.1.3.4.1.25), and the update operation is the addition of a value to a single-valued attribute, and all existing values of the attribute refer to deleted-objects, then all existing values of the attribute (including values that refer to deleted-objects) are removed before the new value is added.

  • In AD LDS, if an originating update is made to the unicodePwd or userPassword attribute on a bind proxy (section 3.1.1.8.2):

    • Let V be the value of the objectSid attribute from the bind proxy.

    • If the modify request specified a password reset (section 3.1.1.3.1.5), pass the password update operation to the host operating system as a request to update the password of a principal whose SID is V with the new password supplied in the modify request.

    • If the modify request specified a password change (section 3.1.1.3.1.5), pass the password update request operation to the host operating system as a request to update the password of a principal whose SID is V and whose current password is the old password specified in the modify request. That principal's password is to be changed to the new password specified in the modify request.