3.1.5.13.9 SamrAccountIsDelegatedManagedServiceAccount (Opnum 77)

The SamrAccountIsDelegatedManagedServiceAccount method will verify whether a specified account is a Delegated Managed Service Account and whether the calling context is authorized to use the account.<78>

    NTSTATUS
    SamrAccountIsDelegatedManagedServiceAccount(
        [in]  SAMPR_HANDLE ServerHandle,
        [in]  PRPC_UNICODE_STRING AccountName,
        [out] BOOLEAN*  Result,
        [out] BOOLEAN*  Authorized
        );

ServerHandle: An RPC context handle, as specified in section 2.2.7.2, representing a server object.

AccountName: A UTF-16 encoded string that represents the name of the account.

Result: The result of whether the account is a delegated managed service account.

Authorized: The result of whether the calling context has membership in the delegated managed service account.

Upon receiving this message, the server MUST process the message data subject to the following constraints:

The output parameter Result MUST be set to FALSE when any of the following conditions are met:

  1. The server is not a domain controller (DC) (2), or the directory service is not running. The server MUST return STATUS_NOT_SUPPORTED.

  2. No object with the given AccountName exists in the database. The server MUST return an error.

  3. The objectClass attribute of the specified account does not contain msds-delegatedManagedServiceAccount. The server MUST return STATUS_SUCCESS.

The output parameter Result MUST be set to TRUE when the objectClass attribute of the specified account contains the msds-delegatedManagedServiceAccount class, and the server MUST return STATUS_SUCCESS.

The output parameter Authorized MUST be set to FALSE when any of the following conditions are met:

  1. The Result output parameter is FALSE.

  2. The msds-groupMSAMembership attribute does not exist. The server MUST return STATUS_SUCCESS.

  3. The msds-groupMSAMembership attribute contains an invalid security descriptor. The server MUST return STATUS_INVALID_SECURITY_DESCR.

  4. The server is unable to impersonate the RPC client. The server MUST return an error.

  5. The access check fails for any reason. The server MUST return an error.

  6. The calling RPC client is not granted ACTRL_DS_READ_PROP access in the security descriptor stored in the msds-groupMSAMembership attribute. The server MUST return STATUS_SUCCESS.

The output parameter Authorized MUST be set to TRUE when none of the above conditions are met and the client has been granted ACTRL_DS_READ_PROP access in the security descriptor stored in the msds-groupMSAMembership attribute of the delegated managed service account.
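The following is an added illustration of the decision rules above, not code from the MS-SAMR specification or from any Windows implementation. It assumes a constructed in-memory directory, a simplified security descriptor (an ordered list of allow/deny ACEs) in place of a real SECURITY_DESCRIPTOR, and placeholder values for the two cases where the text says only that "an error" is returned; the NTSTATUS and ACTRL_DS_READ_PROP constants are the documented Windows values.

```python
STATUS_SUCCESS = 0x00000000
STATUS_NOT_SUPPORTED = 0xC00000BB
STATUS_INVALID_SECURITY_DESCR = 0xC0000079
ERR_NO_SUCH_OBJECT = "error: no such object"  # placeholder; spec says only "an error"
ERR_IMPERSONATION = "error: impersonation"    # placeholder; spec says only "an error"
ACTRL_DS_READ_PROP = 0x00000010
DMSA_CLASS = "msds-delegatedManagedServiceAccount"

def access_check(sd, client_sids, desired):
    """Simplified ordered DACL walk: a matching deny on a desired bit wins, allows accumulate."""
    granted = 0
    for ace_type, sid, mask in sd:          # sd is a list of (type, trustee SID, mask)
        if sid not in client_sids:
            continue
        if ace_type == "deny" and mask & desired:
            return False
        if ace_type == "allow":
            granted |= mask
            if granted & desired == desired:
                return True
    return False

def samr_account_is_dmsa(server, account_name, client_sids):
    """Return (status, Result, Authorized); client_sids=None models a failed impersonation."""
    if not server["is_dc"] or not server["ds_running"]:
        return STATUS_NOT_SUPPORTED, False, False
    account = server["accounts"].get(account_name.lower())
    if account is None:
        return ERR_NO_SUCH_OBJECT, False, False
    if DMSA_CLASS not in account["objectClass"]:
        return STATUS_SUCCESS, False, False           # Result FALSE: not a dMSA
    # Result is TRUE from here; Authorized depends on msds-groupMSAMembership.
    sd = account.get("msds-groupMSAMembership")
    if sd is None:
        return STATUS_SUCCESS, True, False            # attribute absent
    if not isinstance(sd, list):
        return STATUS_INVALID_SECURITY_DESCR, True, False
    if client_sids is None:
        return ERR_IMPERSONATION, True, False
    return STATUS_SUCCESS, True, access_check(sd, client_sids, ACTRL_DS_READ_PROP)

# Constructed sample directory (not real data): one dMSA whose membership SD
# allows SID ...-1105 and denies ...-1200, plus a plain user 'alice'.
SAMPLE_SERVER = {"is_dc": True, "ds_running": True, "accounts": {
    "svc_web$": {"objectClass": ["top", "user", "computer", DMSA_CLASS],
                 "msds-groupMSAMembership": [
                     ("deny", "S-1-5-21-1-2-3-1200", ACTRL_DS_READ_PROP),
                     ("allow", "S-1-5-21-1-2-3-1105", ACTRL_DS_READ_PROP)]},
    "alice": {"objectClass": ["top", "person", "user"]}}}
```

Note that a caller holding a denied SID is reported as Result TRUE but Authorized FALSE with STATUS_SUCCESS, so a client must inspect both output parameters rather than the status alone.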