3.1.5.12.1.2 SamrSetSecurityObject (Non-DC Configuration)
Upon receiving this message, the server MUST process the data from the message subject to all the following constraints:
The access control specified in SecurityDescriptor MUST be a valid security descriptor containing simple ACEs; otherwise the server MUST return an error status. [MS-DTYP] section 2.4.6 contains the specification for a valid security descriptor.
ObjectHandle.GrantedAccess MUST have the required access specified in the following table, based on the set bits in the SecurityInformation parameter. The server MUST ignore set bits in SecurityInformation that are not specified in the table. On error, the server MUST abort processing and return STATUS_ACCESS_DENIED.
Security information bits      | Required access
-------------------------------+-----------------------
SACL_SECURITY_INFORMATION      | ACCESS_SYSTEM_SECURITY
OWNER_SECURITY_INFORMATION     | WRITE_OWNER
GROUP_SECURITY_INFORMATION     | WRITE_OWNER
DACL_SECURITY_INFORMATION      | WRITE_DAC
The server MUST update the ntSecurityDescriptor attribute value on the object referenced by ObjectHandle.Object such that all of the following constraints are satisfied:
All accesses granted and denied in the input security descriptor (SecurityDescriptor) are granted and denied during subsequent method calls across this interface (for all time).
If the target object is a domain object, all ACEs containing DOMAIN_CREATE_USER, DOMAIN_CREATE_ALIAS, or DOMAIN_CREATE_GROUP MUST grant or deny (depending on the type of ACE) the trustee of the ACE the ability to create a user, alias, or group as specified in SamrCreateUser2InDomain (section 3.1.5.4.4), SamrCreateAliasInDomain (section 3.1.5.4.3), or SamrCreateGroupInDomain (section 3.1.5.4.2).
If the target object is a user object, all ACEs containing an access mask listed in the following table MUST grant or deny (depending on the type of ACE) the trustee of the ACE the ability to update the attributes associated with that access mask.
Access mask                    | Attribute
-------------------------------+-----------------------
USER_WRITE_ACCOUNT             | sAMAccountName
                               | displayName
                               | primaryGroupId
                               | homeDirectory
                               | homeDrive
                               | scriptPath
                               | profilePath
                               | Description
                               | userWorkstations
                               | logonHours
                               | accountExpires
                               | userAccountControl
                               | userParameters
USER_WRITE_PREFERENCE          | comment
                               | countryCode
                               | codePage
USER_FORCE_PASSWORD_CHANGE     | clearTextPassword
                               | pwdLastSet
                               | dBCSPwd
                               | unicodePwd
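The following is an added worked example, not part of the MS-SAMR specification, that models the two tables above: the handle access check the server performs against SecurityInformation (accumulating the required rights for every table bit that is set, ignoring bits the table does not list, and failing with STATUS_ACCESS_DENIED otherwise), and the mapping from a user-object attribute to the access mask whose ACEs govern updates to it. The numeric values of the SecurityInformation bits, of WRITE_DAC, WRITE_OWNER and ACCESS_SYSTEM_SECURITY, and of STATUS_ACCESS_DENIED are the standard Windows definitions (winnt.h / [MS-DTYP] / [MS-ERREF]); they are not stated in this section. The case-insensitive attribute lookup is an assumption made here for convenience, since LDAP attribute names are case-insensitive.

```python
"""Model of the SamrSetSecurityObject access checks (MS-SAMR 3.1.5.12.1.2).

Added example, not specification text. Numeric constants below are the
standard Windows values from winnt.h / MS-DTYP / MS-ERREF, which this
section references by name only.
"""
from typing import Dict, Optional

# SecurityInformation bits ([MS-DTYP] / winnt.h).
OWNER_SECURITY_INFORMATION = 0x00000001
GROUP_SECURITY_INFORMATION = 0x00000002
DACL_SECURITY_INFORMATION = 0x00000004
SACL_SECURITY_INFORMATION = 0x00000008

# Standard access rights on the object handle (winnt.h).
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
ACCESS_SYSTEM_SECURITY = 0x01000000

# NTSTATUS codes ([MS-ERREF]).
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022

# Table 1: SecurityInformation bit -> access that GrantedAccess must contain.
REQUIRED_ACCESS: Dict[int, int] = {
    SACL_SECURITY_INFORMATION: ACCESS_SYSTEM_SECURITY,
    OWNER_SECURITY_INFORMATION: WRITE_OWNER,
    GROUP_SECURITY_INFORMATION: WRITE_OWNER,
    DACL_SECURITY_INFORMATION: WRITE_DAC,
}


def required_access(security_information: int) -> int:
    """OR together the required access for every table bit set in SecurityInformation.

    Bits that do not appear in the table (for example 0x10, LABEL_SECURITY_INFORMATION)
    contribute nothing, matching the rule that unspecified bits are ignored.
    """
    required = 0
    for bit, access in REQUIRED_ACCESS.items():
        if security_information & bit:
            required |= access
    return required


def check_set_security_object(granted_access: int, security_information: int) -> int:
    """Return STATUS_SUCCESS if ObjectHandle.GrantedAccess covers every required right,
    otherwise STATUS_ACCESS_DENIED (processing would abort at this point)."""
    required = required_access(security_information)
    if (granted_access & required) != required:
        return STATUS_ACCESS_DENIED
    return STATUS_SUCCESS


# Table 2: user-object attribute -> access mask whose ACEs govern updates to it.
# Keys are stored lower-cased; lookup is case-insensitive (assumption made here).
_ATTRIBUTE_GROUPS = {
    "USER_WRITE_ACCOUNT": [
        "sAMAccountName", "displayName", "primaryGroupId", "homeDirectory",
        "homeDrive", "scriptPath", "profilePath", "Description",
        "userWorkstations", "logonHours", "accountExpires",
        "userAccountControl", "userParameters",
    ],
    "USER_WRITE_PREFERENCE": ["comment", "countryCode", "codePage"],
    "USER_FORCE_PASSWORD_CHANGE": [
        "clearTextPassword", "pwdLastSet", "dBCSPwd", "unicodePwd",
    ],
}
ATTRIBUTE_ACCESS_MASK: Dict[str, str] = {
    attr.lower(): mask
    for mask, attrs in _ATTRIBUTE_GROUPS.items()
    for attr in attrs
}


def access_mask_for_attribute(attribute: str) -> Optional[str]:
    """Name of the access mask that governs writes to the given user attribute,
    or None if the attribute is not covered by the table."""
    return ATTRIBUTE_ACCESS_MASK.get(attribute.lower())


if __name__ == "__main__":
    # Constructed sample: a handle opened with WRITE_DAC only, asked to
    # replace both the DACL and the SACL. The SACL bit requires
    # ACCESS_SYSTEM_SECURITY, so the call is denied.
    status = check_set_security_object(
        WRITE_DAC, DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION)
    print("status = 0x%08X" % status)
    print("unicodePwd governed by", access_mask_for_attribute("unicodePwd"))
```

Because both OWNER_SECURITY_INFORMATION and GROUP_SECURITY_INFORMATION map to WRITE_OWNER, a handle holding only WRITE_OWNER may rewrite owner and group together; the SACL bit is the one most often overlooked, since ACCESS_SYSTEM_SECURITY is granted separately from WRITE_DAC.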