3.1.5.12.2.1 SamrQuerySecurityObject (DC Configuration)
Let Self denote the objectSid attribute value, if any, of the object referenced by ObjectHandle.Object.
Upon receiving this message, the server MUST process the data from the message subject to all of the following constraints:
ObjectHandle.GrantedAccess MUST have the required access specified in the following table, based on the bits contained in the SecurityInformation parameter. On error, the server MUST abort processing and return STATUS_ACCESS_DENIED.
Security information bits      Required access
SACL_SECURITY_INFORMATION      ACCESS_SYSTEM_SECURITY
OWNER_SECURITY_INFORMATION     READ_CONTROL
GROUP_SECURITY_INFORMATION     READ_CONTROL
DACL_SECURITY_INFORMATION      READ_CONTROL
The server MUST return, via the SecurityDescriptor parameter, a security descriptor that only contains fields based on the bits contained in the SecurityInformation parameter (the fields of the security descriptor that are not returned are set to zero) and that satisfies all of the following constraints:
The Owner and Group fields of the security descriptor MUST be the administrator's SID (S-1-5-32-544).
The DACL MUST contain the following specified ACEs:
If ObjectHandle.Object refers to the server object, the DACL MUST contain the following ACEs.
SID                                                    Access mask
WorldSid                                               SAM_SERVER_EXECUTE | SAM_SERVER_READ
AdministratorSid                                       SAM_SERVER_ALL_ACCESS
Else, if ObjectHandle.Object refers to a domain object, the DACL MUST contain the following ACEs.
SID                                                    Access mask
WorldSid                                               DOMAIN_EXECUTE | DOMAIN_READ
AdministratorSid                                       DOMAIN_ALL_ACCESS
AccountOperatorsSid                                    DOMAIN_EXECUTE | DOMAIN_READ | DOMAIN_CREATE_USER | DOMAIN_CREATE_GROUP | DOMAIN_CREATE_ALIAS
Else, if ObjectHandle.Object refers to a group or alias object that is the Domain Admins group or the Administrators alias, or that is a member of Domain Admins or Administrators, the DACL MUST contain the following ACEs.
SID                                                    Access mask
WorldSid                                               GROUP_EXECUTE | GROUP_READ
AdministratorSid                                       GROUP_ALL_ACCESS
Else, if ObjectHandle.Object refers to any group object that does not satisfy the previous condition, the DACL MUST contain the following ACEs.
SID                                                    Access mask
WorldSid                                               GROUP_EXECUTE | GROUP_READ
AdministratorSid                                       GROUP_ALL_ACCESS
AccountOperatorsSid                                    GROUP_ALL_ACCESS
Else, if ObjectHandle.Object refers to any alias object that does not satisfy the previous condition, the DACL MUST contain the following ACEs.
SID                                                    Access mask
WorldSid                                               ALIAS_EXECUTE | ALIAS_READ
AdministratorSid                                       ALIAS_ALL_ACCESS
AccountOperatorsSid                                    ALIAS_ALL_ACCESS
Else, if ObjectHandle.Object refers to a user object that is a member of Domain Admins or Administrators, the DACL MUST contain the following ACEs.
SID                                                    Access mask
WorldSid                                               USER_EXECUTE | USER_READ
AdministratorSid                                       USER_ALL_ACCESS
The SID of the user referenced by ObjectHandle.Object  USER_WRITE
Else, if ObjectHandle.Object refers to a user object whose ntSecurityDescriptor does not grant Self or World the User-Change-Password control access right ([MS-ADTS] section 5.1.3.2.1), the DACL MUST contain the following ACEs.
SID                                                    Access mask
WorldSid                                               USER_EXECUTE | USER_READ | ~USER_CHANGE_PASSWORD
AdministratorSid                                       USER_ALL_ACCESS
AccountOperatorsSid                                    USER_ALL_ACCESS
The SID of the user referenced by ObjectHandle.Object  USER_WRITE | ~USER_CHANGE_PASSWORD
Otherwise, the DACL MUST contain the following ACEs.
SID                                                    Access mask
WorldSid                                               USER_EXECUTE | USER_READ
AdministratorSid                                       USER_ALL_ACCESS
AccountOperatorsSid                                    USER_ALL_ACCESS
The SID of the user referenced by ObjectHandle.Object  USER_WRITE
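The following is an added worked model of the server-side processing above for the user-object branches; it is not code from MS-SAMR or from any implementation. It performs the GrantedAccess check from the first table (the required access is the OR of the rights for every bit set in SecurityInformation), builds the DACL for the three user-object cases, and returns only the descriptor fields that were requested. The numeric values of the SECURITY_INFORMATION bits, READ_CONTROL, ACCESS_SYSTEM_SECURITY and the USER_* rights are the published Windows/MS-SAMR values as I recall them and should be confirmed against [MS-DTYP] and [MS-SAMR] section 2.2.1; the `UserObject` model, the `~USER_CHANGE_PASSWORD` reading (that bit cleared from the mask), the SID strings and the empty SACL are assumptions of this example.

```python
"""Model of SamrQuerySecurityObject (DC configuration) for user objects.

Added example, not code from the MS-SAMR specification. Constant values are
recalled from [MS-DTYP] / [MS-SAMR] 2.2.1 (assumption: verify against the spec).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SECURITY_INFORMATION bits ([MS-DTYP] 2.4.7, recalled values).
OWNER_SECURITY_INFORMATION = 0x00000001
GROUP_SECURITY_INFORMATION = 0x00000002
DACL_SECURITY_INFORMATION = 0x00000004
SACL_SECURITY_INFORMATION = 0x00000008

# Standard rights ([MS-DTYP] 2.4.3, recalled values).
READ_CONTROL = 0x00020000
ACCESS_SYSTEM_SECURITY = 0x01000000

# User-object rights ([MS-SAMR] 2.2.1.7, recalled values).
USER_CHANGE_PASSWORD = 0x00000040
USER_ALL_ACCESS = 0x000F07FF
USER_READ = 0x0002031A
USER_WRITE = 0x00020044
USER_EXECUTE = 0x00020041

STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022

# Well-known SIDs named in the section (string form is an assumption of this model).
WORLD_SID = "S-1-1-0"
ADMINISTRATOR_SID = "S-1-5-32-544"
ACCOUNT_OPERATORS_SID = "S-1-5-32-548"

# First table of the section: SecurityInformation bit -> required GrantedAccess.
REQUIRED_ACCESS = {
    SACL_SECURITY_INFORMATION: ACCESS_SYSTEM_SECURITY,
    OWNER_SECURITY_INFORMATION: READ_CONTROL,
    GROUP_SECURITY_INFORMATION: READ_CONTROL,
    DACL_SECURITY_INFORMATION: READ_CONTROL,
}


def required_access(security_information: int) -> int:
    """OR together the access required for every requested SECURITY_INFORMATION bit."""
    needed = 0
    for bit, access in REQUIRED_ACCESS.items():
        if security_information & bit:
            needed |= access
    return needed


@dataclass
class UserObject:
    """Constructed stand-in for ObjectHandle.Object when it is a user object."""
    sid: str                          # objectSid of the user (the section's Self)
    is_admin_member: bool             # member of Domain Admins or Administrators
    ntsd_grants_change_password: bool  # ntSecurityDescriptor grants Self or World User-Change-Password


def user_dacl(user: UserObject) -> List[Tuple[str, int]]:
    """Return (SID, access mask) ACEs following the three user-object tables, in order."""
    if user.is_admin_member:
        # Admin-member users: no Account Operators ACE, and Self keeps USER_WRITE unchanged.
        return [(WORLD_SID, USER_EXECUTE | USER_READ),
                (ADMINISTRATOR_SID, USER_ALL_ACCESS),
                (user.sid, USER_WRITE)]
    if not user.ntsd_grants_change_password:
        # '~USER_CHANGE_PASSWORD' read as: clear that bit from the composite mask.
        return [(WORLD_SID, (USER_EXECUTE | USER_READ) & ~USER_CHANGE_PASSWORD),
                (ADMINISTRATOR_SID, USER_ALL_ACCESS),
                (ACCOUNT_OPERATORS_SID, USER_ALL_ACCESS),
                (user.sid, USER_WRITE & ~USER_CHANGE_PASSWORD)]
    return [(WORLD_SID, USER_EXECUTE | USER_READ),
            (ADMINISTRATOR_SID, USER_ALL_ACCESS),
            (ACCOUNT_OPERATORS_SID, USER_ALL_ACCESS),
            (user.sid, USER_WRITE)]


def query_security_object(granted_access: int, security_information: int,
                          user: UserObject) -> Tuple[int, Optional[dict]]:
    """Server-side processing: access check, then a descriptor with only the requested fields."""
    needed = required_access(security_information)
    if granted_access & needed != needed:
        return STATUS_ACCESS_DENIED, None  # abort, as the section requires
    sd = {"owner": None, "group": None, "dacl": None, "sacl": None}  # unreturned fields stay zero/None
    if security_information & OWNER_SECURITY_INFORMATION:
        sd["owner"] = ADMINISTRATOR_SID
    if security_information & GROUP_SECURITY_INFORMATION:
        sd["group"] = ADMINISTRATOR_SID
    if security_information & DACL_SECURITY_INFORMATION:
        sd["dacl"] = user_dacl(user)
    if security_information & SACL_SECURITY_INFORMATION:
        sd["sacl"] = []  # the section states no SACL content; empty list is an assumption
    return STATUS_SUCCESS, sd


if __name__ == "__main__":
    u = UserObject(sid="S-1-5-21-1-2-3-1105", is_admin_member=False,
                   ntsd_grants_change_password=False)
    print(query_security_object(READ_CONTROL, DACL_SECURITY_INFORMATION, u))
    print(query_security_object(READ_CONTROL, SACL_SECURITY_INFORMATION, u))
```

The check at the top of `query_security_object` is the one practitioners most often get wrong when re-implementing this: a caller holding only READ_CONTROL is denied as soon as SACL_SECURITY_INFORMATION is included, because the required access is the union over all requested bits, not the access for any one of them.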