3.1.5.12.2.2 SamrQuerySecurityObject (Non-DC Configuration)

Upon receiving this message, the server MUST process the data from the message subject to the following constraints:

  1. ObjectHandle.GrantedAccess MUST have the required access specified in the following table, based on the bits contained in the SecurityInformation parameter. When more than one bit is set, the access rights for all of those bits are required. If any required access is missing from ObjectHandle.GrantedAccess, the server MUST abort processing and return STATUS_ACCESS_DENIED.

    Security information bits      Required access
    SACL_SECURITY_INFORMATION      ACCESS_SYSTEM_SECURITY
    OWNER_SECURITY_INFORMATION     READ_CONTROL
    GROUP_SECURITY_INFORMATION     READ_CONTROL
    DACL_SECURITY_INFORMATION      READ_CONTROL

  2. The server MUST return, via the SecurityDescriptor parameter, a security descriptor that contains only the fields selected by the bits in the SecurityInformation parameter; the fields of the security descriptor that are not requested are set to zero. The security descriptor expresses the owner and group of the referenced object and the access control lists (SACL and DACL) that have been established either by default settings or by previous calls to SamrSetSecurityObject. The security descriptor MUST be in terms of simple ACEs and ACCESS_MASK values as specified in the following table, based on the object type that ObjectHandle.HandleType references.

    Object type    ACCESS_MASK section
    Server         2.2.1.1
    Domain         2.2.1.4
    Group          2.2.1.5
    Alias          2.2.1.6
    User           2.2.1.7
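The two processing steps above, as an added worked example that is not part of the specification or of any Windows implementation: a server-side model of SamrQuerySecurityObject that first checks ObjectHandle.GrantedAccess against the required-access table and then returns only the requested descriptor fields. The numeric values of the SecurityInformation bits, READ_CONTROL, ACCESS_SYSTEM_SECURITY and STATUS_ACCESS_DENIED are the standard Windows definitions and are assumed here (the page names the symbols without listing values); the SamHandle and SecurityDescriptor classes, the sample SIDs and the sample ACE access masks are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# SecurityInformation bits and ACCESS_MASK values. Numeric values are the
# standard Windows definitions (assumption: the page names the symbols only).
OWNER_SECURITY_INFORMATION = 0x00000001
GROUP_SECURITY_INFORMATION = 0x00000002
DACL_SECURITY_INFORMATION = 0x00000004
SACL_SECURITY_INFORMATION = 0x00000008

READ_CONTROL = 0x00020000
ACCESS_SYSTEM_SECURITY = 0x01000000

STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022

# Step 1 table: each requested SecurityInformation bit -> access the handle must hold.
REQUIRED_ACCESS = {
    SACL_SECURITY_INFORMATION: ACCESS_SYSTEM_SECURITY,
    OWNER_SECURITY_INFORMATION: READ_CONTROL,
    GROUP_SECURITY_INFORMATION: READ_CONTROL,
    DACL_SECURITY_INFORMATION: READ_CONTROL,
}


@dataclass
class SecurityDescriptor:
    """Simplified descriptor (hypothetical type); None stands for a zeroed field."""
    owner: Optional[str] = None   # owner SID as a string
    group: Optional[str] = None   # group SID as a string
    dacl: Optional[list] = None   # list of (ace_type, access_mask, sid) tuples
    sacl: Optional[list] = None   # list of (ace_type, access_mask, sid) tuples


@dataclass
class SamHandle:
    """Hypothetical stand-in for ObjectHandle: server-side state of an open object."""
    handle_type: str              # "Server", "Domain", "Group", "Alias" or "User"
    granted_access: int           # ObjectHandle.GrantedAccess
    descriptor: SecurityDescriptor  # descriptor stored for the object


def required_access(security_information: int) -> int:
    """Union of the rights needed for every bit set in SecurityInformation (step 1)."""
    needed = 0
    for bit, access in REQUIRED_ACCESS.items():
        if security_information & bit:
            needed |= access
    return needed


def query_security_object(handle: SamHandle, security_information: int):
    """Model of the server's SamrQuerySecurityObject processing.

    Returns (status, descriptor); descriptor is None when access is denied.
    """
    needed = required_access(security_information)
    # Every required right must be present. A handle opened with READ_CONTROL
    # alone satisfies OWNER/GROUP/DACL requests but not a SACL request.
    if (handle.granted_access & needed) != needed:
        return STATUS_ACCESS_DENIED, None

    stored = handle.descriptor
    want_owner = bool(security_information & OWNER_SECURITY_INFORMATION)
    want_group = bool(security_information & GROUP_SECURITY_INFORMATION)
    want_dacl = bool(security_information & DACL_SECURITY_INFORMATION)
    want_sacl = bool(security_information & SACL_SECURITY_INFORMATION)

    # Step 2: copy only the requested fields; unrequested fields stay zero (None).
    result = SecurityDescriptor(
        owner=stored.owner if want_owner else None,
        group=stored.group if want_group else None,
        dacl=list(stored.dacl) if (want_dacl and stored.dacl is not None) else None,
        sacl=list(stored.sacl) if (want_sacl and stored.sacl is not None) else None,
    )
    return STATUS_SUCCESS, result


def make_sample_user_handle(granted_access: int) -> SamHandle:
    """Constructed sample: a User object owned by BUILTIN\\Administrators.

    The ACE access masks below are illustrative values, not taken from 2.2.1.7.
    """
    descriptor = SecurityDescriptor(
        owner="S-1-5-32-544",
        group="S-1-5-32-544",
        dacl=[("ACCESS_ALLOWED", 0x000F07FF, "S-1-5-32-544"),
              ("ACCESS_ALLOWED", READ_CONTROL, "S-1-1-0")],
        sacl=[("SYSTEM_AUDIT", READ_CONTROL, "S-1-1-0")],
    )
    return SamHandle("User", granted_access, descriptor)


if __name__ == "__main__":
    h = make_sample_user_handle(READ_CONTROL)
    print(query_security_object(h, OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION))
    print(hex(query_security_object(h, SACL_SECURITY_INFORMATION)[0]))
```

The check is on the handle's GrantedAccess, not on a fresh access check against the object's DACL: a caller that opened the object without ACCESS_SYSTEM_SECURITY is refused the SACL even if the DACL would permit it, and a request with no bits set requires nothing and returns an all-zero descriptor.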