7 Appendix B: Product Behavior

msdn link

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.

The following tables show the relationships between Microsoft product versions or supplemental software and the roles they perform.

Windows Client releases

Client role

Server role

Windows NT operating system

Yes

Yes

Windows 2000 Professional operating system

Yes

Yes

Windows XP operating system

Yes

Yes

Windows Vista operating system

Yes

Yes

Windows 7 operating system

Yes

Yes

Windows 8 operating system

Yes

Yes

Windows 8.1 operating system

Yes

Yes

Windows 10 operating system

Yes

Yes

Windows 11 operating system

Yes

Yes

Windows Server releases

Client role

Server role

Windows NT

Yes

Yes

Windows 2000 Server operating system

Yes

Yes

Windows Server 2003 operating system

Yes

Yes

Windows Server 2003 for Small Business Server 2003

Yes

Yes

Windows Server 2003 R2 operating system

Yes

Yes

Windows Server 2008 operating system

Yes

Yes

Windows Server 2008 R2 operating system

Yes

Yes

Windows Server 2012 operating system

Yes

Yes

Windows Server 2012 R2 operating system

Yes

Yes

Windows Server 2016 operating system

Yes

Yes

Windows Server operating system

Yes

Yes

Windows Server 2019 operating system

Yes

Yes

Windows Server 2022 operating system

Yes

Yes

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.1: By default, the "\PIPE\lsarpc" endpoint allows anonymous access on Windows NT 3.1 operating system, Windows NT 3.5 operating system, Windows NT 3.51 operating system, Windows NT 4.0 operating system, Windows 2000 operating system, Windows XP, Windows Server 2003, Windows Server 2003 R2, and Windows Vista RTM. Anonymous access to this pipe is removed by default on Windows Vista operating system with Service Pack 1 (SP1) and later and Windows Server 2008 and later in both the non-domain controller configuration and the read-only domain controller configuration. The pipe access check happens before any other access check; therefore, it overrides any other access.

<2> Section 2.1: Windows implementations of the client and server role for this protocol use the tamper-resistance functionality provided by SMB transport on the products that are available, and are enabled as specified in [MS-SMB] section 3.1.1.1 (the MessageSigningPolicy parameter), and [MS-SMB2] section 3.1.1.1 (the RequireMessageSigning parameter).

<3> Section 2.1: If an implementation of the client role violates this specification and uses the RPC-provided security-support-provider mechanism for the RPC connection to a Windows implementation, Windows processes all messages as specified in section 3.1 (that is, there is no change in message processing behavior), except for the messages that use encryption specified in section 5.1. During encryption and decryption, Windows implementations for the server role use a hard-coded key instead of the SMB transport–provided session key. The hard-coded key is represented below as bytes in hexadecimal form.

"53 79 73 74 65 6d 4c 69-62 72 61 72 79 44 54 43"

<4> Section 2.1: The Windows implementation of the server role for this protocol supports the RPC-provided security-support-provider mechanisms, as specified in [MS-RPCE] section 3.2.1.4.1. The following security-support providers are registered by the responder.

Windows version

Security support provider registered

Windows NT and Windows 2000 Professional and later

RPC_C_AUTHN_WINNT

Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later

RPC_C_AUTHN_WINNT

On the domain controllers the following are also supported:

RPC_C_AUTHN_GSS_KERBEROS

RPC_C_AUTHN_GSS_NEGOTIATE

<5> Section 2.1: Servers running Windows 2000, Windows XP, and Windows Server 2003 accept calls at any authentication level. Without [MSKB-3149090] installed, servers running Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 v1507 operating system, or Windows 10 v1511 operating system also accept calls at any authentication level.

<6> Section 2.1: The server implementation of this protocol in Windows 2000 and earlier does not enforce a limit. The limit in Windows XP and Windows Server 2003 is 4 MB.

<7> Section 2.2: Data type fields that are described as "Reserved" or "MUST be ignored" are sent as 0 (or NULL in the case of pointers) by the Windows implementation of the protocol client, and are ignored upon receipt by the Windows implementation of the protocol server.

<8> Section 2.2:  Windows operating systems that support the current security updates to this protocol via the installation of KB articles are specified in [MSFT-CVE-2022-21913], immediately following its publication.

<9> Section 2.2: The following table is a timeline of when each structure, data type, or enumeration was introduced. All structures, data types, and enumerations listed in the table continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.

Data type

Product

LSAPR_HANDLE (section 2.2.2.1)

Windows NT 3.1

STRING (section 2.2.3.1)

Windows NT 3.1

LSAPR_ACL (section 2.2.3.2)

Windows NT 3.1

SECURITY_DESCRIPTOR_CONTROL (section 2.2.3.3)

Windows NT 3.1

LSAPR_SECURITY_DESCRIPTOR (section 2.2.3.4)

Windows NT 3.1

SECURITY_IMPERSONATION_LEVEL (section 2.2.3.5)

Windows NT 3.1

SECURITY_CONTEXT_TRACKING_MODE (section 2.2.3.6)

Windows NT 3.1

SECURITY_QUALITY_OF_SERVICE (section 2.2.3.7)

Windows NT 3.1

LSAPR_OBJECT_ATTRIBUTES (section 2.2.2.4)

Windows NT 3.1

ACCESS_MASK (section 2.2.1.1)

Windows NT 3.1

SECURITY_INFORMATION (section 2.2.1.3)

Windows NT 3.1

LSAPR_POLICY_PRIVILEGE_DEF (section 2.2.8.1)

Windows NT 3.1

LSAPR_PRIVILEGE_ENUM_BUFFER (section 2.2.8.2)

Windows NT 3.1

LSAPR_ACCOUNT_INFORMATION (section 2.2.5.1)

Windows NT 3.1

LSAPR_ACCOUNT_ENUM_BUFFER (section 2.2.5.2)

Windows NT 3.1

POLICY_SYSTEM_ACCESS_CODE (section 2.2.1.2)

Windows NT 3.1

LSA_UNICODE_STRING (section 2.2.2.3)

Windows NT 3.1

LSAPR_TRUST_INFORMATION (section 2.2.7.1)

Windows NT 3.1

LSAPR_TRUSTED_DOMAIN_INFORMATION_BASIC (section 2.2.7.8)

Windows NT 3.1

LSAPR_SR_SECURITY_DESCRIPTOR (section 2.2.2.5)

Windows NT 3.1

POLICY_INFORMATION_CLASS (section 2.2.4.1)

Windows NT 3.1

POLICY_AUDIT_LOG_INFO (section 2.2.4.3)

Windows NT 3.1

LSAPR_POLICY_AUDIT_EVENTS_INFO (section 2.2.4.4)

Windows NT 3.1

LSAPR_POLICY_PRIMARY_DOM_INFO (section 2.2.4.5)

Windows NT 3.1

LSAPR_POLICY_ACCOUNT_DOM_INFO (section 2.2.4.6)

Windows NT 3.1

LSAPR_POLICY_PD_ACCOUNT_INFO (section 2.2.4.7)

Windows NT 3.1

POLICY_LSA_SERVER_ROLE (section 2.2.4.8)

Windows NT 3.1

POLICY_LSA_SERVER_ROLE_INFO (section 2.2.4.9)

Windows NT 3.1

LSAPR_POLICY_REPLICA_SRCE_INFO (section 2.2.4.10)

Windows NT 3.1

POLICY_MODIFICATION_INFO (section 2.2.4.11)

Windows NT 3.1

POLICY_AUDIT_FULL_SET_INFO (section 2.2.4.12)

Windows NT 3.1

POLICY_AUDIT_FULL_QUERY_INFO (section 2.2.4.13)

Windows NT 3.1

LSAPR_POLICY_DNS_DOMAIN_INFO (section 2.2.4.14)

Windows NT 3.1

LSAPR_POLICY_INFORMATION (section 2.2.4.2)

Windows 2000

LSAPR_TRUSTED_ENUM_BUFFER (section 2.2.7.19)

Windows NT 3.1

LSAPR_PRIVILEGE_SET (section 2.2.5.5)

Windows NT 3.1

TRUSTED_INFORMATION_CLASS (section 2.2.7.2)

Windows NT 3.1

LSAPR_TRUSTED_DOMAIN_INFO (section 2.2.7.3)

Windows NT 3.1

LSAPR_TRUSTED_DOMAIN_NAME_INFO (section 2.2.7.4)

Windows NT 3.1

LSAPR_TRUSTED_CONTROLLERS_INFO (section 2.2.7.5)

Windows NT 3.1

TRUSTED_POSIX_OFFSET_INFO (section 2.2.7.6)

Windows NT 3.1

LSAPR_TRUSTED_PASSWORD_INFO (section 2.2.7.7)

Windows NT 3.1

LSAPR_CR_CIPHER_VALUE (section 2.2.6.1)

Windows NT 3.51

LSAPR_USER_RIGHT_SET (section 2.2.5.3)

Windows NT 3.1

POLICY_DOMAIN_INFORMATION_CLASS (section 2.2.4.15)

Windows NT 3.51

LSAPR_POLICY_DOMAIN_INFORMATION (section 2.2.4.16)

Windows 2000

LSAPR_POLICY_DOMAIN_EFS_INFO (section 2.2.4.18)

Windows 2000

LSAPR_DOMAIN_KERBEROS_TICKET_INFO (section 2.2.4.19)

Windows 2000

LSAPR_TRUSTED_DOMAIN_INFORMATION_EX (section 2.2.7.9)

Windows 2000

LSAPR_TRUSTED_DOMAIN_INFORMATION_EX2 (section 2.2.7.10)

Windows 2000

LSAPR_AUTH_INFORMATION (section 2.2.7.17)

Windows XP and Windows Server 2003

LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION (section 2.2.7.11)

Windows 2000

LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16)

Windows 2000

LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL (section 2.2.7.12)

Windows 2000

LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION (section 2.2.7.13)

Windows 2000

LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION_INTERNAL (section 2.2.7.14)

Windows 2000

LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION2 (section 2.2.7.15)

Windows XP and Windows Server 2003

LUID ([MS-DTYP] section 2.3.7)

Windows NT 3.1

TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES (section 2.2.7.18)

Windows Vista and Windows Server 2008

LSAPR_LUID_AND_ATTRIBUTES (section 2.2.5.4)

Windows NT 3.1

LSA_FOREST_TRUST_RECORD_TYPE (section 2.2.7.22)

Windows XP and Windows Server 2003

LSA_FOREST_TRUST_BINARY_DATA (section 2.2.7.23)

Windows XP and Windows Server 2003

LSA_FOREST_TRUST_DOMAIN_INFO (section 2.2.7.24)

Windows XP and Windows Server 2003

LSA_FOREST_TRUST_RECORD (section 2.2.7.21)

Windows XP and Windows Server 2003

LSA_FOREST_TRUST_INFORMATION (section 2.2.7.25)

Windows XP and Windows Server 2003

LSA_FOREST_TRUST_COLLISION_RECORD_TYPE (section 2.2.7.26)

Windows XP and Windows Server 2003

LSA_FOREST_TRUST_COLLISION_RECORD (section 2.2.7.27)

Windows XP and Windows Server 2003

LSA_FOREST_TRUST_COLLISION_INFORMATION (section 2.2.7.28)

Windows XP and Windows Server 2003

LSAPR_POLICY_MACHINE_ACCT_INFO (section 2.2.4.21)

Windows 10 v1803 operating system and Windows Server v1803 operating system

<10> Section 2.2.1.1.2: The following is a timeline of when each access mask was introduced. All access masks continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.

Value

Product

0x00000000

Windows NT 3.1

POLICY_VIEW_LOCAL_INFORMATION

0x00000001

Windows NT 3.1

POLICY_VIEW_AUDIT_INFORMATION

0x00000002

Windows NT 3.1

POLICY_GET_PRIVATE_INFORMATION

0x00000004

Windows NT 3.1

POLICY_TRUST_ADMIN

0x00000008

Windows NT 3.1

POLICY_CREATE_ACCOUNT

0x00000010

Windows NT 3.1

POLICY_CREATE_SECRET

0x00000020

Windows NT 3.1

POLICY_CREATE_PRIVILEGE

0x00000040

Windows NT 3.1

POLICY_SET_DEFAULT_QUOTA_LIMITS

0x00000080

Windows NT 3.1

POLICY_SET_AUDIT_REQUIREMENTS

0x00000100

Windows NT 3.1

POLICY_AUDIT_LOG_ADMIN

0x00000200

Windows NT 3.1

POLICY_SERVER_ADMIN

0x00000400

Windows NT 3.1

POLICY_LOOKUP_NAMES

0x00000800

Windows NT 3.1

POLICY_NOTIFICATION

0x00001000

Windows 2000

<11> Section 2.2.1.1.5: The following is a timeline of when each access mask was introduced. All access masks continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.

Value

Product

TRUSTED_QUERY_DOMAIN_NAME

0x00000001

Windows NT 3.1

TRUSTED_QUERY_CONTROLLERS

0x00000002

Windows NT 3.1

TRUSTED_SET_CONTROLLERS

0x00000004

Windows NT 3.1

TRUSTED_QUERY_POSIX

0x00000008

Windows NT 3.1

TRUSTED_SET_POSIX

0x00000010

Windows NT 3.1

TRUSTED_SET_AUTH

0x00000020

Windows 2000

TRUSTED_QUERY_AUTH

0x00000040

Windows 2000

<12> Section 2.2.1.2: The POLICY_MODE_ALL flag applies to Windows 2000 and later.

<13> Section 2.2.1.2: The POLICY_MODE_ALL_NT4 flag applies to Windows NT 3.1 through Windows NT 4.0.

<14> Section 2.2.1.2: The following is a timeline of when each mode was introduced. All modes continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.

Value

Product

0x00000000

No access

Windows NT 3.1

0x00000001

POLICY_MODE_INTERACTIVE

Windows NT 3.1

0x00000002

POLICY_MODE_NETWORK

Windows NT 3.1

0x00000004

POLICY_MODE_BATCH

Windows NT 3.1

0x00000010

POLICY_MODE_SERVICE

Windows NT 3.1

0x00000020

POLICY_MODE_PROXY

Windows NT 3.1

0x00000040

POLICY_MODE_DENY_INTERACTIVE

Windows 2000

0x00000080

POLICY_MODE_DENY_NETWORK

Windows 2000

0x00000100

POLICY_MODE_DENY_BATCH

Windows 2000

0x00000200

POLICY_MODE_DENY_SERVICE

Windows 2000

0x00000400

POLICY_MODE_REMOTE_INTERACTIVE

Windows XP and Windows Server 2003

0x00000800

POLICY_MODE_DENY_REMOTE_INTERACTIVE

Windows XP and Windows Server 2003

<15> Section 2.2.1.4:  The AES cipher AEAD-AES-256-CBC-HMAC-SHA512 and supporting methods, structures, and processing details that enable AES wire encryption protections of sensitive data with this protocol are supported on the operating systems specified in [MSFT-CVE-2022-21913], each with its related KB article download installed.

<16> Section 2.2.1.5:  Information records for Active Directory domains in trusted forests that are queried and set in this protocol are supported by the operating systems specified in [MSFT-CVE-2022-21857], each with its related KB article download installed.

<17> Section 2.2.2.4: The Windows implementation of the RPC client for this protocol leaves this structure to be filled by a higher-layer application and does not verify the structure's contents except for RootDirectory, which must be NULL.

<18> Section 2.2.2.5: In Windows NT, Windows 2000, Windows XP, and Windows XP operating system Service Pack 1 (SP1), the Windows RPC server and RPC client do not enforce restrictions on the Length field of this structure (using the range primitive specified in [MS-RPCE]).

<19> Section 2.2.2.6:  Available in client versions later than Windows 11, version 23H2 operating system, server versions later than Windows Server 2022, 23H2 operating system, and versions updated with [MSFT-CVE-2024-20692].

<20> Section 2.2.4.1: The following is a timeline of when each enumeration value was introduced. All enumeration values continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.

 Value

 Product

PolicyAuditLogInformation

Windows NT 3.1

PolicyAuditEventsInformation

Windows NT 3.1

PolicyPrimaryDomainInformation

Windows NT 3.1

PolicyPdAccountInformation

Windows NT 3.1

PolicyAccountDomainInformation

Windows NT 3.1

PolicyLsaServerRoleInformation

Windows NT 3.1

PolicyReplicaSourceInformation

Windows NT 3.1

PolicyInformationNotUsedOnWire

Windows NT 3.1

PolicyModificationInformation

Windows NT 3.1

PolicyAuditFullSetInformation

Windows NT 3.1

PolicyAuditFullQueryInformation

Windows NT 3.1

PolicyDnsDomainInformation

Windows 2000

PolicyDnsDomainInformationInt

Windows 2000

PolicyLocalAccountDomainInformation

Windows Vista and Windows Server 2008

PolicyMachineAccountInformation

Windows 10 v1803 and Windows Server v1803

<21> Section 2.2.4.4: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the MaximumAuditEventCount field of this structure (using the range primitive, as specified in [MS-RPCE]).

<22> Section 2.2.4.14: The following applies to Windows 2000 Professional and later and to Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later.

The Windows RPC server always throws an RPC_S_PROCNUM_OUT_OF_RANGE exception for the message processing of LsarQueryInformationPolicy, LsarQueryInformationPolicy2, LsarSetInformationPolicy, and LsarSetInformationPolicy2, if the server is configured to emulate Windows NT 4.0 for PolicyDnsDomainInformation information level.

<23> Section 2.2.4.16: The PolicyDomainQualityOfServiceInformation enumeration value and corresponding POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO structure are parts of LSAPR_POLICY_DOMAIN_INFORMATION only in the Windows 2000 Server implementation of this protocol.

<24> Section 2.2.4.18: Microsoft implementations of the Local Security Authority (Domain Policy) Remote Protocol do not enforce data in EfsBlob to conform to the layout specified in [MS-GPEF] section 2.2.1.2.1.

<25> Section 2.2.5.3: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the Entries field of this structure (using the range primitive defined in [MS-RPCE]).

<26> Section 2.2.5.5: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the PrivilegeCount field of this structure (using the range primitive specified in [MS-RPCE]).

<27> Section 2.2.6.1: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the Length field of this structure (using the range primitive as specified in [MS-RPCE]).

<28> Section 2.2.6.1: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the MaximumLength field of this structure (using the range primitive defined in [MS-RPCE]).

<29> Section 2.2.6.2:  Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].

<30> Section 2.2.7.2: The following is a timeline of when each enumeration value was introduced. All enumeration values continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.

Value

Product

TrustedDomainNameInformation

Windows NT 3.1

TrustedControllersInformation

Windows NT 3.1

TrustedPosixOffsetInformation

Windows NT 3.1

TrustedPasswordInformation

Windows NT 3.51

TrustedDomainInformationBasic

Windows 2000

TrustedDomainInformationEx

Windows 2000

TrustedDomainAuthInformation

Windows 2000

TrustedDomainFullInformation

Windows 2000

TrustedDomainAuthInformationInternal

Windows 2000

TrustedDomainFullInformationInternal

Windows 2000

TrustedDomainInformationEx2Internal

Windows XP and Windows Server 2003

TrustedDomainFullInformation2Internal

Windows XP and Windows Server 2003

TrustedDomainSupportedEncryptionTypes

Windows Vista and Windows Server 2008

TrustedDomainAuthInformationInternalAes

Windows Server 2008 with [MSFT-CVE-2022-21913]

TrustedDomainFullInformationInternalAes

Windows Server 2008 with [MSFT-CVE-2022-21913]

<31> Section 2.2.7.5: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the Entries field of this structure (using the range primitive defined in [MS-RPCE]).

<32> Section 2.2.7.9: The following is a timeline of when each flag value was introduced. Unless otherwise specified, all flag values continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.

Possible value

Value

Product

TANT (TRUST_ATTRIBUTE_NON_TRANSITIVE)

0x00000001

Windows 2000

TAUO (TRUST_ATTRIBUTE_UPLEVEL_ONLY)

0x00000002

Windows 2000

TAQD (TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)

0x00000004

Windows 2000 operating system Service Pack 2 (SP2) and Windows XP

TAFT (TRUST_ATTRIBUTE_FOREST_TRANSITIVE)

0x00000008

Windows XP and Windows Server 2003

TACO (TRUST_ATTRIBUTE_CROSS_ORGANIZATION)

0x00000010

Windows Server 2003 and Windows Vista

TAWF (TRUST_ATTRIBUTE_WITHIN_FOREST)

0x00000020

Windows Server 2003 and Windows Vista

TATE (TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)

0x00000040

Windows Server 2003 and Windows Vista

TANC (TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION)

0x00000200

Windows 8 and Windows Server 2012 operating system

TAPT (TRUST_ATTRIBUTE_PIM_TRUST)

0x00000400

Windows 10 and Windows Server 2016

(Also supported on Windows 8.1 and Windows Server 2012 R2 if [MSKB-3155495] is installed.)

Obsolete

0x00400000

Introduced in Windows 2000 RTM. Became obsolete in Windows 2000 operating system Service Pack 4 (SP4).

Obsolete

0x00800000

Introduced in Windows 2000 RTM. Became obsolete in Windows 2000 SP4.

<33> Section 2.2.7.11: In Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008, the Windows RPC server and RPC client do not enforce restrictions on the IncomingAuthInfos field of this structure (using the range primitive defined in [MS-RPCE]).

<34> Section 2.2.7.11: In Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008, the Windows RPC server and RPC client do not enforce restrictions on the OutgoingAuthInfos field of this structure (using the range primitive defined in [MS-RPCE]).

<35> Section 2.2.7.16: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the AuthSize field of this structure (using the range primitive defined in [MS-RPCE]).

<36> Section 2.2.7.17: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the AuthInfoLength field of this structure (using the range primitive defined in [MS-RPCE]).

<37> Section 2.2.7.23: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the Length field of this structure (using the range primitive defined in [MS-RPCE]).

<38> Section 2.2.7.25: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the RecordCount field of this structure (using the range primitive defined in [MS-RPCE]).

<39> Section 3.1.1.1: A Windows responder for this protocol contains the following values for the policy object after setup.

Name

Value

Auditing Log Information

Windows maintains the following hard-coded information about the state of the audit log:

MaximumLogSize = 8192

AuditLogPercentFull = 0

AuditRetentionPeriod = 8533315

AuditLogFullShutdownInProgress = FALSE

TimeToShutdown = 288342

NextAuditRecordId = 0

Audit Full Information

Windows XP and later, and Windows Server 2003 and Windows Server 2003 R2 and later return STATUS_INVALID_PARAMETER for this information class.

Event Auditing Options

On Windows 2000 and Windows XP:

AuditingMode = FALSE

MaximumAuditEventCount = 9

EventAuditingOptions = { 0, 0, 0, 0, 0, 0, 0, 0, 0 }

 On Windows Server 2003 and Windows Server 2003 R2:

AuditingMode = TRUE

 MaximumAuditEventCount = 9

 EventAuditingOptions = { 0, 1, 0, 0, 0, 0, 0, 0, 1 }

 On Windows Vista and later and Windows Server 2008 and later:

 AuditingMode = TRUE

MaximumAuditEventCount = 9

 EventAuditingOptions = { 0, 0, 0, 0, 0, 0, 0, 0, 0 }

Primary Domain Information

Name = <Workgroup Name>

 Sid = NULL

DNS Domain Information

Name = <Workgroup Name>

 DnsDomainName = <Empty String>

 DnsForestName = <Empty String>

 DomainGuid = { 0 }

 Sid = NULL

Account Domain Information

DomainName = <Machine Netbios name> DomainSid = < S-1-5-21-X-Y-Z> where X, Y, Z are random numbers

Server Role Information

LsaServerRole = PolicyServerRolePrimary

Replica Source Information

ReplicaSource=<Empty String>

ReplicaAccountName=<Empty String>

Kerberos Policy Information

<No value>

Encrypting File System (EFS) Policy Information

<No value>

Security Descriptor

The security descriptor in Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, Windows NT 4.0, and Windows 2000 can be expressed in Security Description Definition Language (SDDL), as specified in [MS-DTYP] section 2.5.1, as follows:

O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)

In Windows XP and in Windows Server 2003 and Windows Server 2003 R2 and later, the security descriptor can be expressed in SDDL as follows:

O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)(A;;0x0000801;;;AN)(A;;0x00001000;;;LS)(A;;0x00001000;;;NS)

In Windows Vista and later, the security descriptor can be expressed in SDDL as follows:

O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)(A;;0x0000801;;;AN)(A;;0x00001000;;;LS)(A;;0x00001000;;;NS)(A;;0x00001000;;;S-1-5-17)

See sections 2.2.1.1.1 and 2.2.1.1.2 for the definitions of the generic and object-specific access rights, respectively, that are included in these security descriptors.

Machine Account Information

Rid = 0

Sid = NULL

<40> Section 3.1.1.1: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 do not store this information.

<41> Section 3.1.1.1: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 do not store this information.

<42> Section 3.1.1.1: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 do not store this information.

<43> Section 3.1.1.1: Only the Windows 2000 implementation of this protocol stores quality of service information.

<44> Section 3.1.1.1: The security descriptor in Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, Windows NT 4.0, and Windows 2000 can be expressed in Security Description Definition Language (SDDL), as specified in [MS-DTYP] section 2.5.1, as follows:

O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)

In Windows XP, Windows Server 2003, and Windows Server 2003 R2, the security descriptor can be expressed in SDDL as follows:

O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)(A;;0x0000801;;;AN)(A;;0x00001000;;;LS) (A;;0x00001000;;;NS)

In Windows Vista and later and in Windows Server 2008 and later, the security descriptor can be expressed in SDDL as follows:

O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)(A;;0x0000801;;;AN)(A;;0x00001000;;;LS) (A;;0x00001000;;;NS) (A;;0x00001000;;;S-1-5-17)

See sections 2.2.1.1.1 and 2.2.1.1.2 for the definitions of the generic and object-specific access rights, respectively, that are included in these security descriptors.

<45> Section 3.1.1.1: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 domain controllers use the Netlogon Remote Protocol, as specified in [MS-NRPC] section 1.3.3, to converge Event Auditing Options abstract data. These versions of Windows do not implement Kerberos Policy Information abstract data.

Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later domain controllers use the Group Policy: Security Protocol Extension, as specified in [MS-GPSB] section 2.2.2 to converge Kerberos Policy Information abstract data and [MS-GPSB] section 2.2.4 to converge Event Auditing Options abstract data.

<46> Section 3.1.1.2.1: The following is a timeline of when each privilege value was introduced. All privilege values continue to be supported in all subsequent versions of Windows according to the applicability lists at the beginning of this section.

 Name

 Product

SE_ASSIGNPRIMARYTOKEN_NAME

"SeAssignPrimaryTokenPrivilege"

Windows NT 3.1

SE_AUDIT_NAME

"SeAuditPrivilege"

Windows NT 3.1

SE_BACKUP_NAME

"SeBackupPrivilege"

Windows NT 3.1

SE_CHANGE_NOTIFY_NAME

"SeChangeNotifyPrivilege"

Windows NT 3.1

SE_CREATE_GLOBAL_NAME

"SeCreateGlobalPrivilege"

Windows 2000 SP4, Windows XP operating system Service Pack 2 (SP2), and Windows Server 2003

SE_CREATE_PAGEFILE_NAME

"SeCreatePagefilePrivilege"

Windows NT 3.1

SE_CREATE_PERMANENT_NAME

"SeCreatePermanentPrivilege"

Windows NT 3.1

SE_CREATE_TOKEN_NAME

"SeCreateTokenPrivilege"

Windows NT 3.1

SE_DEBUG_NAME

"SeDebugPrivilege"

Windows NT 3.1

SE_ENABLE_DELEGATION_NAME

"SeEnableDelegationPrivilege"

Windows 2000

SE_IMPERSONATE_NAME

"SeImpersonatePrivilege"

Windows 2000 SP4, Windows XP SP2, and Windows Server 2003

SE_INC_BASE_PRIORITY_NAME

"SeIncreaseBasePriorityPrivilege"

Windows NT 3.1

SE_INCREASE_QUOTA_NAME

"SeIncreaseQuotaPrivilege"

Windows NT 3.1

SE_LOAD_DRIVER_NAME

"SeLoadDriverPrivilege"

Windows NT 3.1

SE_LOCK_MEMORY_NAME

"SeLockMemoryPrivilege"

Windows NT 3.1

SE_MACHINE_ACCOUNT_NAME

"SeMachineAccountPrivilege"

Windows NT 3.5

SE_MANAGE_VOLUME_NAME

"SeManageVolumePrivilege"

Windows 2000 SP4 and Windows XP

SE_PROF_SINGLE_PROCESS_NAME

"SeProfileSingleProcessPrivilege"

Windows NT 3.1

SE_REMOTE_SHUTDOWN_NAME

"SeRemoteShutdownPrivilege"

Windows NT 3.1

SE_RESTORE_NAME

"SeRestorePrivilege"

Windows NT 3.1

SE_SECURITY_NAME

"SeSecurityPrivilege"

Windows NT 3.1

SE_SHUTDOWN_NAME

"SeShutdownPrivilege"

Windows NT 3.1

SE_SYNC_AGENT_NAME

"SeSyncAgentPrivilege"

Windows 2000

SE_SYSTEM_ENVIRONMENT_NAME

"SeSystemEnvironment"

Windows NT 3.1

SE_SYSTEM_PROFILE_NAME

"SeSystemProfilePrivilege"

Windows NT 3.1

SE_SYSTEMTIME_NAME

"SeSystemtimePrivilege"

Windows NT 3.1

SE_TAKE_OWNERSHIP_NAME

"SeTakeOwnershipPrivilege"

Windows NT 3.1

SE_TCB_NAME

"SeTcbPrivilege"

Windows NT 3.1

SE_UNDOCK_NAME

"SeUndockPrivilege"

Windows NT 3.1

SE_CREATE_SYMBOLIC_LINK_NAME "SeCreateSymbolicLinkPrivilege"

Windows Vista and Windows Server 2008

SE_INC_WORKING_SET_NAME "SeIncreaseWorkingSetPrivilege"

Windows Vista and Windows Server 2008

SE_RELABEL_NAME

"SeRelabelPrivilege"

Windows Vista and Windows Server 2008

SE_TIME_ZONE_NAME "SeTimeZonePrivilege"

Windows Vista and Windows Server 2008

SE_TRUSTED_CREDMAN_ACCESS_NAME "SeTrustedCredManAccessPrivilege"

Windows Vista and Windows Server 2008

<47> Section 3.1.1.2.2: Windows products implement the exact set of system access rights that the protocol supports for a given version. See the Windows behavior note in section 2.2.1.2 for a timeline of the system access introduction.

<48> Section 3.1.1.3: The default security descriptor that is assigned to newly created account objects can be expressed in Security Description Definition Language (SDDL) as O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD).

See section 2.2.1.1.1 for the definitions of the generic access rights that are included in this security descriptor.

<49> Section 3.1.1.3: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 domain controllers use the Netlogon Remote Protocol, as specified in [MS-NRPC] section 1.3.3.

Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later domain controllers use the Group Policy: Security Protocol Extension, as specified in [MS-GPSB] section 2.2.6.

<50> Section 3.1.1.4: The following is a timeline of when each secret name or name pattern was introduced. All secret names and name patterns continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.

Secret name or name pattern

Product

Starts with "G$$"

Windows NT 3.1

Starts with "G$"

Windows NT 3.1

Starts with "L$"

Windows 2000

Starts with "M$"

Windows 2000

Starts with "_sc_"

Windows 2000

Starts with "NL$"

Windows 2000

Starts with "RasDialParams"

Windows 2000

Starts with "RasCredentials"

Windows 2000

Equal to "$MACHINE.ACC"

Windows NT 3.1

Equal to "SAC"

Windows 2000

Equal to "SAI"

Windows 2000

Equal to "SANSC"

Windows 2000

The Trusted Domain Secret type is used only in Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0.

For replication of secrets, Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 use Netlogon-based replication, while Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later use Active Directory replication.

<51> Section 3.1.1.4: By default, the security descriptor assigned to newly created secret objects of type Local Secret can be expressed in Security Description Definition Language (SDDL) as O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD). This security descriptor implies that the secrets are shared between users by default, which means that a secret object created by an administrator is available to another administrator. An implementation can disallow this behavior by assigning a different security descriptor.

See section 2.2.1.1.1 for the definitions of the generic access rights that are included in this security descriptor.

<52> Section 3.1.1.5: The following is a timeline of when each information value was introduced. All information values continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.

 Name

 Product

Name

Windows NT 3.1

Flat Name

Windows 2000

Security Identifier

Windows NT 3.1

Trust Type

Windows 2000

Trust Direction

Windows 2000

Trust Attributes

Windows 2000

Posix Offset

Windows NT 3.1

Trust Incoming Passwords

Windows NT 3.51

Trust Outgoing Passwords

Windows NT 3.51

Forest Trust Information

Windows XP, Windows Server 2003

Supported Encryption Types

Windows Vista, Windows Server 2008

Security Descriptor

Windows NT 3.1

<53> Section 3.1.1.6.1: The default setting value is FALSE for Windows NT, Windows 2000, and Windows XP. The default setting value is TRUE for Windows Server 2003 and Windows Server 2003 R2 and later and for Windows Vista and later.

This setting can be set to FALSE on Windows Server 2003 and Windows Server 2003 R2 and later and on Windows Vista and later by setting a "non-0" value on the following REG_DWORD registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock

Changes made to this setting must take effect immediately.

Note that the Boolean meaning of the TurnOffAnonymousBlock registry value is reversed from that of the LsaRestrictAnonymous setting in section 3.1.1.6.1.

<54> Section 3.1.4: The Windows implementation of this protocol asks the RPC engine to perform a strict Network Data Representation (NDR) data consistency check at target level 5.0 (as specified in [MS-RPCE] section 3) in Windows 2000 Professional and later and in Windows 2000 Server,  Windows Server 2003, and Windows Server 2003 R2 and later.

<55> Section 3.1.4: The Windows implementation of this protocol asks the RPC engine to include support for both NDR and NDR64 transfer syntaxes, in addition to the negotiation mechanism for determining what transfer syntax will be used (as specified in [MS-RPCE] section 3) in Windows XP and later and in Windows Server 2003 and Windows Server 2003 R2 and later.

<56> Section 3.1.4: The Windows implementation of this protocol asks the RPC engine via the strict_context_handle attribute to reject use of context handles created by a method of a different RPC interface from this one, as specified in [MS-RPCE] section 3.

<57> Section 3.1.4: The following is a timeline of when each method was introduced. All methods continue to be available in subsequent versions of Windows according to the applicability list at the beginning of this section.

 Method

 Product

LsarClose (section 3.1.4.9.4)

Windows NT 3.1

LsarEnumeratePrivileges (section 3.1.4.8.1)

Windows NT 3.1

LsarQuerySecurityObject (section 3.1.4.9.1)

Windows NT 3.1

LsarSetSecurityObject (section 3.1.4.9.2)

Windows NT 3.1

LsarOpenPolicy (section 3.1.4.4.2)

Windows NT 3.1

LsarQueryInformationPolicy (section 3.1.4.4.4)

Windows NT 3.1

LsarSetInformationPolicy (section 3.1.4.4.6)

Windows NT 3.1

LsarCreateAccount (section 3.1.4.5.1)

Windows NT 3.1

LsarEnumerateAccounts (section 3.1.4.5.2)

Windows NT 3.1

LsarCreateTrustedDomain (section 3.1.4.7.12)

Windows NT 3.1

LsarEnumerateTrustedDomains (section 3.1.4.7.8)

Windows NT 3.1

LsarCreateSecret (section 3.1.4.6.1)

Windows NT 3.1

LsarOpenAccount (section 3.1.4.5.3)

Windows NT 3.1

LsarEnumeratePrivilegesAccount (section 3.1.4.5.4)

Windows NT 3.1

LsarAddPrivilegesToAccount (section 3.1.4.5.5)

Windows NT 3.1

LsarRemovePrivilegesFromAccount (section 3.1.4.5.6)

Windows NT 3.1

LsarGetSystemAccessAccount (section 3.1.4.5.7)

Windows NT 3.1

LsarSetSystemAccessAccount (section 3.1.4.5.8)

Windows NT 3.1

LsarOpenTrustedDomain (section 3.1.4.7.1)

Windows NT 3.1

LsarQueryInfoTrustedDomain (section 3.1.4.7.13)

Windows NT 3.1

LsarSetInformationTrustedDomain (section 3.1.4.7.14)

Windows NT 3.1

LsarOpenSecret (section 3.1.4.6.2)

Windows NT 3.1

LsarSetSecret (section 3.1.4.6.3)

Windows NT 3.1

LsarQuerySecret (section 3.1.4.6.4)

Windows NT 3.1

LsarLookupPrivilegeValue (section 3.1.4.8.2)

Windows NT 3.1

LsarLookupPrivilegeName (section 3.1.4.8.3)

Windows NT 3.1

LsarLookupPrivilegeDisplayName (section 3.1.4.8.4)

Windows NT 3.1

LsarDeleteObject (section 3.1.4.9.3)

Windows NT 3.1

LsarEnumerateAccountsWithUserRight (section 3.1.4.5.9)

Windows NT 3.51

LsarEnumerateAccountRights (section 3.1.4.5.10)

Windows NT 3.51

LsarAddAccountRights (section 3.1.4.5.11)

Windows NT 3.51

LsarRemoveAccountRights (section 3.1.4.5.12)

Windows NT 3.51

LsarQueryTrustedDomainInfo (section 3.1.4.7.2)

Windows NT 3.51

LsarSetTrustedDomainInfo (section 3.1.4.7.3)

Windows NT 3.51

LsarDeleteTrustedDomain (section 3.1.4.7.4)

Windows NT 3.51

LsarStorePrivateData (section 3.1.4.6.5)

Windows NT 3.51

LsarRetrievePrivateData (section 3.1.4.6.6)

Windows NT 3.51

LsarOpenPolicy2 (section 3.1.4.4.1)

Windows NT 3.51

LsarQueryInformationPolicy2 (section 3.1.4.4.3)

Windows 2000

LsarSetInformationPolicy2 (section 3.1.4.4.5)

Windows 2000

LsarQueryTrustedDomainInfoByName (section 3.1.4.7.5)

Windows 2000

LsarSetTrustedDomainInfoByName (section 3.1.4.7.6)

Windows 2000

LsarEnumerateTrustedDomainsEx (section 3.1.4.7.7)

Windows 2000

LsarCreateTrustedDomainEx (section 3.1.4.7.11)

Windows 2000

LsarQueryDomainInformationPolicy (section 3.1.4.4.7)

Windows 2000

LsarSetDomainInformationPolicy (section 3.1.4.4.8)

Windows 2000

LsarOpenTrustedDomainByName (section 3.1.4.7.9)

Windows 2000

LsarCreateTrustedDomainEx2 (section 3.1.4.7.10)

Windows 2000

LsarQueryForestTrustInformation (section 3.1.4.7.15)

Windows XP, Windows Server 2003

LsarSetForestTrustInformation (section 3.1.4.7.16)

Windows XP, Windows Server 2003

LsarOpenPolicy3 (section 3.1.4.4.9)

Windows Server 2008 with [MSFT-CVE-2022-21913]

LsarCreateTrustedDomainEx3 (section 3.1.4.7.17)

Windows Server 2008 with [MSFT-CVE-2022-21913]

<58> Section 3.1.4: Some gaps in the opnum numbering sequence correspond to opnums that are specified in [MS-LSAT]. All other gaps in the opnum numbering sequence apply to Windows as follows.

Opnum

Description

1

Used only locally by Windows, never remotely.

5

Not used by Windows.

9

Not used by Windows.

21

Not used by Windows.

22

Not used by Windows.

52

Not used by Windows.

56

Used only locally by Windows, never remotely.

60

Used only locally by Windows, never remotely.

61

Used only locally by Windows, never remotely.

62

Used only locally by Windows, never remotely.

63

Used only locally by Windows, never remotely.

64

Used only locally by Windows, never remotely.

65

Used only locally by Windows, never remotely.

66

Used only locally by Windows, never remotely.

67

Used only locally by Windows, never remotely.

69

Used only locally by Windows, never remotely.

70

Used only locally by Windows, never remotely.

71

Used only locally by Windows, never remotely.

72

Used only locally by Windows, never remotely.

75

Used only locally by Windows, never remotely.

<59> Section 3.1.4.4.1: The Windows RPC server for this protocol ignores this parameter except for the RootDirectory field. It verifies whether the value is NULL and returns STATUS_INVALID_PARAMETER if it is not.

<60> Section 3.1.4.4.2: The Windows RPC server for this protocol ignores this parameter except for the RootDirectory field. It verifies whether the value is NULL and returns STATUS_INVALID_PARAMETER if it is not.

<61> Section 3.1.4.4.3: Windows XP and later, and Windows Server 2003 and Windows Server 2003 R2 and later return STATUS_INVALID_PARAMETER for this information class.

<62> Section 3.1.4.4.3: In the case of Windows 2000 Professional and later, and Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later, the Windows RPC server always throws an RPC_NT_PROCNUM_OUT_OF_RANGE exception if the server is configured to emulate NT4 for PolicyDnsDomainInformation information level.

<63> Section 3.1.4.4.5: Windows XP and later, and Windows Server 2003 and Windows Server 2003 R2 and later return STATUS_INVALID_PARAMETER for this information class.

<64> Section 3.1.4.4.5: Windows 2000 Professional and later, and Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later behavior: The Windows RPC server always throws an RPC_NT_PROCNUM_OUT_OF_RANGE exception if the server is configured to emulate NT4 for PolicyDnsDomainInformation information level.

<65> Section 3.1.4.4.9:  The Windows RPC server for this protocol ignores this parameter except for the RootDirectory field. It verifies whether the value is NULL and returns STATUS_INVALID_PARAMETER if it is not NULL.

<66> Section 3.1.4.5.1: Windows checks whether the SID is valid, but does not validate the structure of the SID.

<67> Section 3.1.4.5.5: Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 ignore invalid LUIDs and return STATUS_SUCCESS instead of STATUS_INVALID_PARAMETER.

<68> Section 3.1.4.5.6: Windows Vista and later do not allow removal of "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeImpersonatePrivilege", and "SeCreateGlobalPrivilege" from accounts represented with SIDs "S-1-5-19" and "S-1-5-20". Such requests are rejected with STATUS_NOT_SUPPORTED.

<69> Section 3.1.4.5.9: Furthermore, Windows checks that the caller is a member of Builtin Administrators.

<70> Section 3.1.4.5.12: Windows Vista and later and Windows Server 2008 and later do not allow removal of "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeImpersonatePrivilege", and "SeCreateGlobalPrivilege" from accounts represented with SIDs "S-1-5-19" and "S-1-5-20". Such requests are rejected with STATUS_NOT_SUPPORTED.

<71> Section 3.1.4.6: Windows 2000 Server, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008 support these methods. Windows 7 and later and Windows Server 2008 R2 and later support these methods by default, but can be configured not to support them.

<72> Section 3.1.4.6.1: Windows NT 4.0 and Windows 2000 Professional and later, and Windows NT 4.0, Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later limit the secret name length to 128 characters. Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 return STATUS_NAME_TOO_LONG for lengths that are greater than 128 characters. Windows Vista and later and Windows Server 2008 and later return STATUS_INVALID_PARAMETER for lengths that are greater than 128 characters.

<73> Section 3.1.4.6.1: Windows 2000 Professional and later, and Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later do not allow a secret whose name is prefixed by "G$$" to be created, and return STATUS_INVALID_PARAMETER to indicate this constraint failure to the caller.

<74> Section 3.1.4.6.1: Windows Server 2003 and Windows Server 2003 R2 and later, and Windows Vista and later do not allow the secret name to be "G$$", "G$", "L$", "M$", "_sc_", "NL$", "RasDialParams" or "RasCredentials". They return STATUS_INVALID_PARAMETER to indicate this constraint failure to the caller.

<75> Section 3.1.4.6.1: Global secrets (those that are prefixed with "G$") cannot be created on domain controllers on which the directory service is stopped. A request to create a global secret on a domain controller on which the directory service is stopped fails with status code STATUS_DIRECTORY_SERVICE_REQUIRED.

<76> Section 3.1.4.6.2: Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later have a special case for secret name search for downlevel compatibility with Windows NT 3.1, Windows NT 3.5, and Windows NT 3.51. If the secret name is in the form "G$$<NAME>", where "<NAME>" matches the name of a trusted domain, the response is STATUS_SUCCESS. In this case, secret information is Authentication Information of type TRUST_AUTH_TYPE_CLEAR ([MS-ADTS] section 6.1.6.9.1.1, the AuthType field) from the trusted domain object.

<77> Section 3.1.4.6.3: Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later have a special case for secret set operation for downlevel compatibility with Windows NT 3.1, Windows NT 3.5, and Windows NT 3.51. If the secret name is in the form "G$$<NAME>", where "<NAME>" matches the name of a trusted domain, the result is that the set request writes the secret value into the authentication information section of the trusted domain object. The access check in this case is identical to that required for setting authentication information on a trusted domain object, rather than that pertaining to changing a secret value.

<78> Section 3.1.4.6.3: If decryption of EncryptedCurrentValue fails, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, and Windows Vista return STATUS_UNKNOWN_REVISION (0xC0000058); Windows Server 2008 and later and Windows 7 and later return STATUS_INVALID_PARAMETER_1 (0xC00000EF).

<79> Section 3.1.4.6.3: If decryption of EncryptedOldValue fails, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, and Windows Vista return STATUS_UNKNOWN_REVISION (0xC0000058); Windows Server 2008 and later and Windows 7 and later return STATUS_INVALID_PARAMETER_1 (0xC00000EF).

<80> Section 3.1.4.6.4: Windows rejects the secret query requests of type "system" by returning STATUS_ACCESS_DENIED. Windows also rejects the secret query requests of type "local" from network clients with STATUS_ACCESS_DENIED.

<81> Section 3.1.4.6.4: If Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2 process a global secret with a value that has its Length field set to 0, they fill in the EncryptedCurrentValue with the following values before encryption.

 Length = 0
 MaximumLength = 0

Windows Server 2008 and later set the value of EncryptedCurrentValue to NULL.

<82> Section 3.1.4.6.4: If Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2 process a global secret with a value that has its Length field set to 0, they fill in the EncryptedOldValue with the following values before encryption.

 Length = 0
 MaximumLength = 0

Windows Server 2008 and later set the value of EncryptedOldValue to NULL.

<83> Section 3.1.4.6.5: If decryption of EncryptedData fails, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, and Windows Vista return STATUS_UNKNOWN_REVISION (0xC0000058); Windows Server 2008 and later and Windows 7 and later return STATUS_INVALID_PARAMETER_1 (0xC00000EF).

<84> Section 3.1.4.6.7:  Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].

<85> Section 3.1.4.6.8:  Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].

<86> Section 3.1.4.6.9:  Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].

<87> Section 3.1.4.6.10:  Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].

<88> Section 3.1.4.6.11:  Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].

<89> Section 3.1.4.6.12:  Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].

<90> Section 3.1.4.7: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 use trusted domain objects on non–domain controllers to join a machine to a domain. Therefore, trusted domain object methods are allowed on these products even when the machine is not a domain controller. There is, however, one extra check in this case, which is that the trusted domain object's security identifier has to be the same as the security identifier in Primary Domain Information. This also artificially limits the number of trusted domain objects on such systems to one.

<91> Section 3.1.4.7.1: Windows Server 2003 and Windows Server 2003 R2 and later disallow callers that do not have the AuthenticatedUsers SID in their token from accessing trusted domain objects. Requests by such users are rejected with STATUS_ACCESS_DENIED.

<92> Section 3.1.4.7.1: On Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later, Active Directory has to be running on the server in order for this request to succeed. Failing that, the STATUS_DIRECTORY_SERVICE_REQUIRED status code is returned.

<93> Section 3.1.4.7.3: Read-only domain controllers are supported on servers running Windows Server 2008 and later. They return the STATUS_OBJECT_NAME_NOT_FOUND error.

<94> Section 3.1.4.7.3: Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 support these InformationClass values.

<95> Section 3.1.4.7.4: Read-only domain controllers are supported on servers running Windows Server 2008 and later. They return the STATUS_OBJECT_NAME_NOT_FOUND error.

<96> Section 3.1.4.7.10: Windows Server 2003 for Small Business Server 2003 does not support this message. Attempts to create a TDO in this environment causes the server to return STATUS_NOT_SUPPORTED_ON_SBS.

<97> Section 3.1.4.7.10: The operation is not supported on Windows Server 2003 for Small Business Server 2003.

<98> Section 3.1.4.7.10: Servers running Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 return the STATUS_INVALID_DOMAIN_STATE error when the TRUST_ATTRIBUTE_FOREST_TRANSITIVE or the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit is set in the TrustAttributes field of the TrustedDomainInformation input parameter.

<99> Section 3.1.4.7.10: Read-only domain controllers are supported on servers running Windows Server 2008 and later. They return the STATUS_OBJECT_NAME_NOT_FOUND error.

<100> Section 3.1.4.7.11: The operation is not supported on Windows Server 2003 for Small Business Server 2003.

<101> Section 3.1.4.7.12: The operation is not supported on Windows Server 2003 for Small Business Server 2003.

<102> Section 3.1.4.7.13: When not at DS_BEHAVIOR_WIN2003 forest functional level, Windows Server 2003 and Windows Server 2003 R2 and later hide the presence of the TRUST_ATTRIBUTE_FOREST_TRANSITIVE bit in the Trust Attributes field of a trusted domain object.

<103> Section 3.1.4.7.14: Servers running Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 return the STATUS_INVALID_INFO_CLASS error when the information class is TrustedDomainInformationBasic.

<104> Section 3.1.4.7.14: Servers running Windows Server 2008 and later return the STATUS_OBJECT_NAME_NOT_FOUND error.

<105> Section 3.1.4.7.17:  Windows Server 2003 for Windows Small Business Server 2003 (Windows SBS) server software does not support this message. Attempts to create a TDO in this environment causes the server to return STATUS_NOT_SUPPORTED_ON_SBS (0xC0000300), as specified in Return Values of section 3.1.4.7.12.

<106> Section 3.1.4.7.18:  Retrieving information about a trust relationship with another forest is supported by the operating systems specified in [MSFT-CVE-2022-21857], each with its related KB article download installed.

<107> Section 3.1.4.7.19:  The manipulation of forest trust information is supported by the operating systems specified in [MSFT-CVE-2022-21857], each with its related KB article download installed.

<108> Section 3.1.4.9.1: The server will not return the security descriptor of objects that it stores in Active Directory. It will return the security descriptor of objects in its local policy only. The objects stored in Active Directory include Global Secrets and trusted domain objects in Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later. For objects that fall into this category, the server will return the STATUS_NOT_SUPPORTED status code.

<109> Section 3.1.4.9.2: The server will not return the security descriptor of objects that it stores in Active Directory. It will return the security descriptor of objects in its local policy only. The objects stored in Active Directory include Global Secrets and trusted domain objects. For objects that fall into this category, the server returns the STATUS_NOT_SUPPORTED status code.

<110> Section 3.1.4.10: On Windows Server 2008 and later, when processing the LsarOpenSecret (section 3.1.4.6.2) and LsarCreateSecret (section 3.1.4.6.1) methods, the length of the string is allowed to not be a multiple of 2. If Length is not a multiple of 2, the length of the Unicode string will be assumed to be Length – 1.

<111> Section 3.1.4.10: Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 do not perform this check. On Windows Server 2008 and later, when processing the LsarOpenSecret and LSarCreateSecret methods, the Buffer field is allowed to contain zero or many NULL Unicode characters at the end of the string.

<112> Section 3.1.4.10: Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 implementations of this protocol do not validate the Luid.HighPart field.

<113> Section 3.1.4.10: Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 implementations of this protocol do not validate the Luid.LowPart field.

<114> Section 3.1.4.10: Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 implementations of this protocol do not validate the Attributes field.

<115> Section 5.1.5:  The AES cipher AEAD-AES-256-CBC-HMAC-SHA512 and supporting methods, structures, and processing details that enable AES wire encryption protections of sensitive data with this protocol are supported on the operating systems specified in [MSFT-CVE-2022-21913], each with its related KB article download installed.