3.1.5.12.2.2 SamrQuerySecurityObject (Non-DC Configuration)
Upon receiving this message, the server MUST process the data from the message subject to the following constraints:
ObjectHandle.GrantedAccess MUST have the required access specified in the following table, based on the bits contained in the SecurityInformation parameter. On error, the server MUST abort processing and return STATUS_ACCESS_DENIED.
Security information bits      Required access
SACL_SECURITY_INFORMATION      ACCESS_SYSTEM_SECURITY
OWNER_SECURITY_INFORMATION     READ_CONTROL
GROUP_SECURITY_INFORMATION     READ_CONTROL
DACL_SECURITY_INFORMATION      READ_CONTROL
The server MUST return, via the SecurityDescriptor parameter, a security descriptor that only contains fields based on the bits contained in the SecurityInformation parameter; the fields of the security descriptor that are not returned are set to zero. The security descriptor expresses the owner and group of the referenced object and an access control (SACL and DACL) that has been specified either by default settings or by previous calls to SamrSetSecurityObject. The security descriptor MUST be in terms of simple ACEs and ACCESS_MASK values as specified in the following table, based on the object type that ObjectHandle.HandleType references.
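The access check and field filtering described above, as an added Python example that is not part of the specification: the constants are the standard Windows values, and the dict-based descriptor (SAMPLE_SD) is a constructed stand-in for the stored security descriptor, not the wire format.

```python
# Standard Windows values (winnt.h / ntstatus.h).
OWNER_SECURITY_INFORMATION = 0x00000001
GROUP_SECURITY_INFORMATION = 0x00000002
DACL_SECURITY_INFORMATION = 0x00000004
SACL_SECURITY_INFORMATION = 0x00000008
READ_CONTROL = 0x00020000
ACCESS_SYSTEM_SECURITY = 0x01000000
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022

# Table from this section: SecurityInformation bit -> access the handle must hold.
REQUIRED_ACCESS = {
    SACL_SECURITY_INFORMATION: ACCESS_SYSTEM_SECURITY,
    OWNER_SECURITY_INFORMATION: READ_CONTROL,
    GROUP_SECURITY_INFORMATION: READ_CONTROL,
    DACL_SECURITY_INFORMATION: READ_CONTROL,
}
# Descriptor field selected by each bit (hypothetical dict-based descriptor).
FIELD_FOR_BIT = {
    OWNER_SECURITY_INFORMATION: "owner",
    GROUP_SECURITY_INFORMATION: "group",
    DACL_SECURITY_INFORMATION: "dacl",
    SACL_SECURITY_INFORMATION: "sacl",
}
# Constructed sample descriptor; SIDs and ACE labels are placeholders.
SAMPLE_SD = {"owner": "S-1-5-32-544", "group": "S-1-5-32-545",
             "dacl": ["dacl-ace-1"], "sacl": ["sacl-ace-1"]}


def required_access(security_information):
    """Union of the rights the table demands for every requested bit."""
    mask = 0
    for bit, access in REQUIRED_ACCESS.items():
        if security_information & bit:
            mask |= access
    return mask


def query_security_object(granted_access, security_information, stored_sd):
    """Server-side handling; returns (NTSTATUS, descriptor or None)."""
    needed = required_access(security_information)
    # ObjectHandle.GrantedAccess must hold all required bits, else access denied.
    if (granted_access & needed) != needed:
        return STATUS_ACCESS_DENIED, None
    # Return only the requested fields; fields not requested are zeroed.
    out = {}
    for bit, field in FIELD_FOR_BIT.items():
        out[field] = stored_sd[field] if security_information & bit else 0
    return STATUS_SUCCESS, out
```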
Object type    ACCESS_MASK section
Server
Domain
Group
Alias
User