3.1.1.4 Secret Object Data Model

Inside the Local Security Authority (Domain Policy) Remote Protocol database, a secret object is represented by the following pieces of data.

Name

Type

Attribute name

Name

RPC_UNICODE_STRING

ldapDisplayName ([MS-ADA1] section 2.356)

Security Descriptor

LSAPR_SR_SECURITY_DESCRIPTOR

securityIdentifier ([MS-ADA3] section 2.237)

Old Set Time

LARGE_INTEGER

priorSetTime ([MS-ADA3] section 2.159)

Old Value

binary data

priorValue ([MS-ADA3] section 2.160)

New Set Time

LARGE_INTEGER

lastSetTime ([MS-ADA1] section 2.353)

New Value

binary data

currentValue ([MS-ADA1] section 2.139)

The Name field uniquely identifies the secret by using a Unicode string. Two different secrets MUST have different names (the comparison is case-sensitive). The Name field MUST be read-only. To be considered valid, the length of the name in bytes MUST be even; it MUST be greater than 0 and less than 0x101. The secret name MUST NOT contain the "\" character. Special values of the Name field indicate secret types. The different secret types are as follows:

  • Global

  • Local

  • Trusted Domain

  • System

The following rules govern secret type assignments.

The term "starts with" literally means "must have a nonzero number of characters following the prefix". Names consisting of only a reserved prefix are invalid.

The following table indicates the secret name pattern and the associated secret type.

Secret name or name pattern

Type of secret

Starts with "G$$"

Trusted domain

Starts with "G$"

Global

Starts with "L$"

Local

Starts with "M$"

System

Starts with "_sc_"

System

Starts with "NL$"

System

Starts with "RasDialParams"

Local

Starts with "RasCredentials"

Local

Equal to "$MACHINE.ACC"

System

Equal to "SAC"

Local

Equal to "SAI"

Local

Equal to "SANSC"

Local

The type of a secret defines the access and availability boundary for a given secret object.

System Secret: Cannot be accessed by any clients.

Local Secret: Can be accessed only by a client that is on the same machine as the server.

Global Secret: Replicates between domain controllers in the same domain, allowing each domain controller to be able to respond to secret requests of this type.

Trusted Domain Secret: Used with trusted domain objects to store trust passwords. Trusted domain secrets also replicate between domain controllers in the same domain.<52>

The security descriptor field controls access to the secret object. Every secret object in the Local Security Authority (Domain Policy) Remote Protocol database that has Local Secret type MUST have a valid security descriptor. The security descriptor of Local Secret objects can be queried by calling the LsarQuerySecurityObject (section 3.1.4.9.1) method and changed by calling the LsarSetSecurityObject (section 3.1.4.9.2) method. The server MUST assign a default security descriptor to every newly created secret object, even if the client did not specify a default value.<53>

The value of a secret is a byte BLOB. Depending on the caller's choices, the server stores 0, 1, or 2 values for the secret, the 2 values being "current" and "previous" and 1 value being either "current" or "previous". Both versions of the secret's value are accompanied by a 64-bit time stamp in Coordinated Universal Time (UTC), sometimes referred to as Greenwich Mean Time, in units of 100 nanoseconds since January 1, 1601.