4 samr interface definition
6 import "misc.idl", "lsa.idl", "security.idl";
9 Thanks to Todd Sabin for some information from his samr.idl in acltools
12 [ uuid("12345778-1234-abcd-ef00-0123456789ac"),
14 endpoint("ncacn_np:[\\pipe\\samr]","ncacn_ip_tcp:", "ncalrpc:"),
15 pointer_default(unique),
16 pointer_default_top(unique)
19 typedef bitmap security_secinfo security_secinfo;
21 /* account control (acct_flags) bits */
22 typedef [public,bitmap32bit] bitmap {
23 ACB_DISABLED = 0x00000001, /* 1 = User account disabled */
24 ACB_HOMDIRREQ = 0x00000002, /* 1 = Home directory required */
25 ACB_PWNOTREQ = 0x00000004, /* 1 = User password not required */
26 ACB_TEMPDUP = 0x00000008, /* 1 = Temporary duplicate account */
27 ACB_NORMAL = 0x00000010, /* 1 = Normal user account */
28 ACB_MNS = 0x00000020, /* 1 = MNS logon user account */
29 ACB_DOMTRUST = 0x00000040, /* 1 = Interdomain trust account */
30 ACB_WSTRUST = 0x00000080, /* 1 = Workstation trust account */
31 ACB_SVRTRUST = 0x00000100, /* 1 = Server trust account */
32 ACB_PWNOEXP = 0x00000200, /* 1 = User password does not expire */
33 ACB_AUTOLOCK = 0x00000400, /* 1 = Account auto locked */
34 ACB_ENC_TXT_PWD_ALLOWED = 0x00000800, /* 1 = Encryped text password is allowed */
35 ACB_SMARTCARD_REQUIRED = 0x00001000, /* 1 = Smart Card required */
36 ACB_TRUSTED_FOR_DELEGATION = 0x00002000, /* 1 = Trusted for Delegation */
37 ACB_NOT_DELEGATED = 0x00004000, /* 1 = Not delegated */
38 ACB_USE_DES_KEY_ONLY = 0x00008000, /* 1 = Use DES key only */
39 ACB_DONT_REQUIRE_PREAUTH = 0x00010000, /* 1 = Preauth not required */
40 ACB_PW_EXPIRED = 0x00020000, /* 1 = Password Expired */
41 ACB_NO_AUTH_DATA_REQD = 0x00080000 /* 1 = No authorization data required */
44 typedef [bitmap32bit] bitmap {
45 SAMR_ACCESS_CONNECT_TO_SERVER = 0x00000001,
46 SAMR_ACCESS_SHUTDOWN_SERVER = 0x00000002,
47 SAMR_ACCESS_INITIALIZE_SERVER = 0x00000004,
48 SAMR_ACCESS_CREATE_DOMAIN = 0x00000008,
49 SAMR_ACCESS_ENUM_DOMAINS = 0x00000010,
50 SAMR_ACCESS_OPEN_DOMAIN = 0x00000020
51 } samr_ConnectAccessMask;
53 typedef [bitmap32bit] bitmap {
54 USER_ACCESS_GET_NAME_ETC = 0x00000001,
55 USER_ACCESS_GET_LOCALE = 0x00000002,
56 USER_ACCESS_SET_LOC_COM = 0x00000004,
57 USER_ACCESS_GET_LOGONINFO = 0x00000008,
58 USER_ACCESS_GET_ATTRIBUTES = 0x00000010,
59 USER_ACCESS_SET_ATTRIBUTES = 0x00000020,
60 USER_ACCESS_CHANGE_PASSWORD = 0x00000040,
61 USER_ACCESS_SET_PASSWORD = 0x00000080,
62 USER_ACCESS_GET_GROUPS = 0x00000100,
63 USER_ACCESS_GET_GROUP_MEMBERSHIP = 0x00000200,
64 USER_ACCESS_CHANGE_GROUP_MEMBERSHIP = 0x00000400
65 } samr_UserAccessMask;
67 typedef [bitmap32bit] bitmap {
68 DOMAIN_ACCESS_LOOKUP_INFO_1 = 0x00000001,
69 DOMAIN_ACCESS_SET_INFO_1 = 0x00000002,
70 DOMAIN_ACCESS_LOOKUP_INFO_2 = 0x00000004,
71 DOMAIN_ACCESS_SET_INFO_2 = 0x00000008,
72 DOMAIN_ACCESS_CREATE_USER = 0x00000010,
73 DOMAIN_ACCESS_CREATE_GROUP = 0x00000020,
74 DOMAIN_ACCESS_CREATE_ALIAS = 0x00000040,
75 DOMAIN_ACCESS_LOOKUP_ALIAS = 0x00000080,
76 DOMAIN_ACCESS_ENUM_ACCOUNTS = 0x00000100,
77 DOMAIN_ACCESS_OPEN_ACCOUNT = 0x00000200,
78 DOMAIN_ACCESS_SET_INFO_3 = 0x00000400
79 } samr_DomainAccessMask;
81 typedef [bitmap32bit] bitmap {
82 GROUP_ACCESS_LOOKUP_INFO = 0x00000001,
83 GROUP_ACCESS_SET_INFO = 0x00000002,
84 GROUP_ACCESS_ADD_MEMBER = 0x00000004,
85 GROUP_ACCESS_REMOVE_MEMBER = 0x00000008,
86 GROUP_ACCESS_GET_MEMBERS = 0x00000010
87 } samr_GroupAccessMask;
89 typedef [bitmap32bit] bitmap {
90 ALIAS_ACCESS_ADD_MEMBER = 0x00000001,
91 ALIAS_ACCESS_REMOVE_MEMBER = 0x00000002,
92 ALIAS_ACCESS_GET_MEMBERS = 0x00000004,
93 ALIAS_ACCESS_LOOKUP_INFO = 0x00000008,
94 ALIAS_ACCESS_SET_INFO = 0x00000010
95 } samr_AliasAccessMask;
99 NTSTATUS samr_Connect (
100 /* notice the lack of [string] */
101 [in] uint16 *system_name,
102 [in] samr_ConnectAccessMask access_mask,
103 [out,ref] policy_handle *connect_handle
109 [public] NTSTATUS samr_Close (
110 [in,out,ref] policy_handle *handle
116 NTSTATUS samr_SetSecurity (
117 [in,ref] policy_handle *handle,
118 [in] security_secinfo sec_info,
119 [in,ref] sec_desc_buf *sdbuf
125 NTSTATUS samr_QuerySecurity (
126 [in,ref] policy_handle *handle,
127 [in] security_secinfo sec_info,
128 [out,ref] sec_desc_buf *sdbuf
135 shutdown the SAM - once you call this the SAM will be dead
137 NTSTATUS samr_Shutdown (
138 [in,ref] policy_handle *connect_handle
143 NTSTATUS samr_LookupDomain (
144 [in,ref] policy_handle *connect_handle,
145 [in,ref] lsa_String *domain_name,
146 [out,ref] dom_sid2 *sid
160 [size_is(count)] samr_SamEntry *entries;
163 NTSTATUS samr_EnumDomains (
164 [in,ref] policy_handle *connect_handle,
165 [in,out,ref] uint32 *resume_handle,
166 [in] uint32 buf_size,
167 [out,ref] samr_SamArray *sam,
168 [out,ref] uint32 *num_entries
172 /************************/
174 [public] NTSTATUS samr_OpenDomain(
175 [in,ref] policy_handle *connect_handle,
176 [in] samr_DomainAccessMask access_mask,
177 [in,ref] dom_sid2 *sid,
178 [out,ref] policy_handle *domain_handle
181 /************************/
184 typedef [v1_enum] enum {
185 SAMR_ROLE_STANDALONE = 0,
186 SAMR_ROLE_DOMAIN_MEMBER = 1,
187 SAMR_ROLE_DOMAIN_BDC = 2,
188 SAMR_ROLE_DOMAIN_PDC = 3
191 /* password properties flags */
192 typedef [public,bitmap32bit] bitmap {
193 DOMAIN_PASSWORD_COMPLEX = 0x00000001,
194 DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x00000002,
195 DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x00000004,
196 DOMAIN_PASSWORD_LOCKOUT_ADMINS = 0x00000008,
197 DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010,
198 DOMAIN_REFUSE_PASSWORD_CHANGE = 0x00000020
199 } samr_PasswordProperties;
202 uint16 min_password_length;
203 uint16 password_history_length;
204 samr_PasswordProperties password_properties;
205 /* yes, these are signed. They are in negative 100ns */
206 dlong max_password_age;
207 dlong min_password_age;
211 NTTIME force_logoff_time;
213 lsa_String domain_name;
214 lsa_String primary; /* PDC name if this is a BDC */
225 NTTIME force_logoff_time;
233 lsa_String domain_name;
246 NTTIME domain_create_time;
250 uint32 unknown; /* w2k3 returns 1 */
255 hyper lockout_duration;
256 hyper lockout_window;
257 uint16 lockout_threshold;
261 hyper lockout_duration;
262 hyper lockout_window;
263 uint16 lockout_threshold;
268 NTTIME domain_create_time;
273 typedef [switch_type(uint16)] union {
274 [case(1)] samr_DomInfo1 info1;
275 [case(2)] samr_DomInfo2 info2;
276 [case(3)] samr_DomInfo3 info3;
277 [case(4)] samr_DomInfo4 info4;
278 [case(5)] samr_DomInfo5 info5;
279 [case(6)] samr_DomInfo6 info6;
280 [case(7)] samr_DomInfo7 info7;
281 [case(8)] samr_DomInfo8 info8;
282 [case(9)] samr_DomInfo9 info9;
283 [case(11)] samr_DomInfo11 info11;
284 [case(12)] samr_DomInfo12 info12;
285 [case(13)] samr_DomInfo13 info13;
288 NTSTATUS samr_QueryDomainInfo(
289 [in,ref] policy_handle *domain_handle,
291 [out,ref,switch_is(level)] samr_DomainInfo *info
294 /************************/
297 only levels 1, 3, 4, 6, 7, 9, 12 are valid for this
300 NTSTATUS samr_SetDomainInfo(
301 [in,ref] policy_handle *domain_handle,
303 [in,switch_is(level),ref] samr_DomainInfo *info
307 /************************/
309 NTSTATUS samr_CreateDomainGroup(
310 [in,ref] policy_handle *domain_handle,
311 [in,ref] lsa_String *name,
312 [in] samr_GroupAccessMask access_mask,
313 [out,ref] policy_handle *group_handle,
314 [out,ref] uint32 *rid
318 /************************/
320 NTSTATUS samr_EnumDomainGroups(
321 [in,ref] policy_handle *domain_handle,
322 [in,out,ref] uint32 *resume_handle,
323 [in] uint32 max_size,
324 [out,ref] samr_SamArray *sam,
325 [out,ref] uint32 *num_entries
328 /************************/
330 NTSTATUS samr_CreateUser(
331 [in,ref] policy_handle *domain_handle,
332 [in,ref] lsa_String *account_name,
333 [in] samr_UserAccessMask access_mask,
334 [out,ref] policy_handle *user_handle,
335 [out,ref] uint32 *rid
338 /************************/
342 /* w2k3 treats max_size as max_users*54 and sets the
343 resume_handle as the rid of the last user sent
345 const int SAMR_ENUM_USERS_MULTIPLIER = 54;
347 NTSTATUS samr_EnumDomainUsers(
348 [in,ref] policy_handle *domain_handle,
349 [in,out,ref] uint32 *resume_handle,
350 [in] samr_AcctFlags acct_flags,
351 [in] uint32 max_size,
352 [out,ref] samr_SamArray *sam,
353 [out,ref] uint32 *num_entries
356 /************************/
358 NTSTATUS samr_CreateDomAlias(
359 [in,ref] policy_handle *domain_handle,
360 [in,ref] lsa_String *alias_name,
361 [in] samr_AliasAccessMask access_mask,
362 [out,ref] policy_handle *alias_handle,
363 [out,ref] uint32 *rid
366 /************************/
368 NTSTATUS samr_EnumDomainAliases(
369 [in,ref] policy_handle *domain_handle,
370 [in,out,ref] uint32 *resume_handle,
371 [in] samr_AcctFlags acct_flags,
372 [out,ref] samr_SamArray *sam,
373 [out,ref] uint32 *num_entries
376 /************************/
380 [range(0,1024)] uint32 count;
381 [size_is(count)] uint32 *ids;
384 NTSTATUS samr_GetAliasMembership(
385 [in,ref] policy_handle *domain_handle,
386 [in,ref] lsa_SidArray *sids,
387 [out,ref] samr_Ids *rids
390 /************************/
393 [public] NTSTATUS samr_LookupNames(
394 [in,ref] policy_handle *domain_handle,
395 [in,range(0,1000)] uint32 num_names,
396 [in,size_is(1000),length_is(num_names)] lsa_String names[],
397 [out,ref] samr_Ids *rids,
398 [out,ref] samr_Ids *types
402 /************************/
404 NTSTATUS samr_LookupRids(
405 [in,ref] policy_handle *domain_handle,
406 [in,range(0,1000)] uint32 num_rids,
407 [in,size_is(1000),length_is(num_rids)] uint32 rids[],
408 [out,ref] lsa_Strings *names,
409 [out,ref] samr_Ids *types
412 /************************/
414 NTSTATUS samr_OpenGroup(
415 [in,ref] policy_handle *domain_handle,
416 [in] samr_GroupAccessMask access_mask,
418 [out,ref] policy_handle *group_handle
421 /* Group attributes */
422 typedef [public,bitmap32bit] bitmap {
423 SE_GROUP_MANDATORY = 0x00000001,
424 SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002,
425 SE_GROUP_ENABLED = 0x00000004,
426 SE_GROUP_OWNER = 0x00000008,
427 SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010,
428 SE_GROUP_RESOURCE = 0x20000000,
429 SE_GROUP_LOGON_ID = 0xC0000000
432 /************************/
437 samr_GroupAttrs attributes;
439 lsa_String description;
443 samr_GroupAttrs attributes;
444 } samr_GroupInfoAttributes;
447 lsa_String description;
448 } samr_GroupInfoDescription;
453 GROUPINFOATTRIBUTES = 3,
454 GROUPINFODESCRIPTION = 4,
456 } samr_GroupInfoEnum;
458 typedef [switch_type(samr_GroupInfoEnum)] union {
459 [case(GROUPINFOALL)] samr_GroupInfoAll all;
460 [case(GROUPINFONAME)] lsa_String name;
461 [case(GROUPINFOATTRIBUTES)] samr_GroupInfoAttributes attributes;
462 [case(GROUPINFODESCRIPTION)] lsa_String description;
463 [case(GROUPINFOALL2)] samr_GroupInfoAll all2;
466 NTSTATUS samr_QueryGroupInfo(
467 [in,ref] policy_handle *group_handle,
468 [in] samr_GroupInfoEnum level,
469 [out,ref,switch_is(level)] samr_GroupInfo *info
472 /************************/
474 NTSTATUS samr_SetGroupInfo(
475 [in,ref] policy_handle *group_handle,
476 [in] samr_GroupInfoEnum level,
477 [in,switch_is(level),ref] samr_GroupInfo *info
480 /************************/
482 NTSTATUS samr_AddGroupMember(
483 [in,ref] policy_handle *group_handle,
488 /************************/
490 NTSTATUS samr_DeleteDomainGroup(
491 [in,out,ref] policy_handle *group_handle
494 /************************/
496 NTSTATUS samr_DeleteGroupMember(
497 [in,ref] policy_handle *group_handle,
502 /************************/
506 [size_is(count)] uint32 *rids;
507 [size_is(count)] uint32 *types;
510 NTSTATUS samr_QueryGroupMember(
511 [in,ref] policy_handle *group_handle,
512 [out,ref] samr_RidTypeArray *rids
516 /************************/
520 win2003 seems to accept any data at all for the two integers
521 below, and doesn't seem to do anything with them that I can
522 see. Weird. I really expected the first integer to be a rid
523 and the second to be the attributes for that rid member.
525 NTSTATUS samr_SetMemberAttributesOfGroup(
526 [in,ref] policy_handle *group_handle,
527 [in] uint32 unknown1,
532 /************************/
534 NTSTATUS samr_OpenAlias (
535 [in,ref] policy_handle *domain_handle,
536 [in] samr_AliasAccessMask access_mask,
538 [out,ref] policy_handle *alias_handle
542 /************************/
548 lsa_String description;
554 ALIASINFODESCRIPTION = 3
555 } samr_AliasInfoEnum;
557 typedef [switch_type(samr_AliasInfoEnum)] union {
558 [case(ALIASINFOALL)] samr_AliasInfoAll all;
559 [case(ALIASINFONAME)] lsa_String name;
560 [case(ALIASINFODESCRIPTION)] lsa_String description;
563 NTSTATUS samr_QueryAliasInfo(
564 [in,ref] policy_handle *alias_handle,
565 [in] samr_AliasInfoEnum level,
566 [out,ref,switch_is(level)] samr_AliasInfo *info
569 /************************/
571 NTSTATUS samr_SetAliasInfo(
572 [in,ref] policy_handle *alias_handle,
573 [in] samr_AliasInfoEnum level,
574 [in,switch_is(level),ref] samr_AliasInfo *info
577 /************************/
579 NTSTATUS samr_DeleteDomAlias(
580 [in,out,ref] policy_handle *alias_handle
583 /************************/
585 NTSTATUS samr_AddAliasMember(
586 [in,ref] policy_handle *alias_handle,
587 [in,ref] dom_sid2 *sid
590 /************************/
592 NTSTATUS samr_DeleteAliasMember(
593 [in,ref] policy_handle *alias_handle,
594 [in,ref] dom_sid2 *sid
597 /************************/
599 NTSTATUS samr_GetMembersInAlias(
600 [in,ref] policy_handle *alias_handle,
601 [out,ref] lsa_SidArray *sids
604 /************************/
606 [public] NTSTATUS samr_OpenUser(
607 [in,ref] policy_handle *domain_handle,
608 [in] samr_UserAccessMask access_mask,
610 [out,ref] policy_handle *user_handle
613 /************************/
615 NTSTATUS samr_DeleteUser(
616 [in,out,ref] policy_handle *user_handle
619 /************************/
622 lsa_String account_name;
623 lsa_String full_name;
625 lsa_String description;
631 lsa_String unknown; /* settable, but doesn't stick. probably obsolete */
636 /* this is also used in samr and netlogon */
637 typedef [public, flag(NDR_PAHEX)] struct {
638 uint16 units_per_week;
639 [size_is(1260), length_is(units_per_week/8)] uint8 *bits;
643 lsa_String account_name;
644 lsa_String full_name;
647 lsa_String home_directory;
648 lsa_String home_drive;
649 lsa_String logon_script;
650 lsa_String profile_path;
651 lsa_String workstations;
654 NTTIME last_password_change;
655 NTTIME allow_password_change;
656 NTTIME force_password_change;
657 samr_LogonHours logon_hours;
658 uint16 bad_password_count;
660 samr_AcctFlags acct_flags;
664 samr_LogonHours logon_hours;
668 lsa_String account_name;
669 lsa_String full_name;
672 lsa_String home_directory;
673 lsa_String home_drive;
674 lsa_String logon_script;
675 lsa_String profile_path;
676 lsa_String description;
677 lsa_String workstations;
680 samr_LogonHours logon_hours;
681 uint16 bad_password_count;
683 NTTIME last_password_change;
685 samr_AcctFlags acct_flags;
689 lsa_String account_name;
690 lsa_String full_name;
694 lsa_String account_name;
698 lsa_String full_name;
706 lsa_String home_directory;
707 lsa_String home_drive;
711 lsa_String logon_script;
715 lsa_String profile_path;
719 lsa_String description;
723 lsa_String workstations;
727 samr_AcctFlags acct_flags;
735 lsa_String parameters;
738 /* this defines the bits used for fields_present in info21 */
739 typedef [bitmap32bit] bitmap {
740 SAMR_FIELD_ACCOUNT_NAME = 0x00000001,
741 SAMR_FIELD_FULL_NAME = 0x00000002,
742 SAMR_FIELD_RID = 0x00000004,
743 SAMR_FIELD_PRIMARY_GID = 0x00000008,
744 SAMR_FIELD_DESCRIPTION = 0x00000010,
745 SAMR_FIELD_COMMENT = 0x00000020,
746 SAMR_FIELD_HOME_DIRECTORY = 0x00000040,
747 SAMR_FIELD_HOME_DRIVE = 0x00000080,
748 SAMR_FIELD_LOGON_SCRIPT = 0x00000100,
749 SAMR_FIELD_PROFILE_PATH = 0x00000200,
750 SAMR_FIELD_WORKSTATIONS = 0x00000400,
751 SAMR_FIELD_LAST_LOGON = 0x00000800,
752 SAMR_FIELD_LAST_LOGOFF = 0x00001000,
753 SAMR_FIELD_LOGON_HOURS = 0x00002000,
754 SAMR_FIELD_BAD_PWD_COUNT = 0x00004000,
755 SAMR_FIELD_NUM_LOGONS = 0x00008000,
756 SAMR_FIELD_ALLOW_PWD_CHANGE = 0x00010000,
757 SAMR_FIELD_FORCE_PWD_CHANGE = 0x00020000,
758 SAMR_FIELD_LAST_PWD_CHANGE = 0x00040000,
759 SAMR_FIELD_ACCT_EXPIRY = 0x00080000,
760 SAMR_FIELD_ACCT_FLAGS = 0x00100000,
761 SAMR_FIELD_PARAMETERS = 0x00200000,
762 SAMR_FIELD_COUNTRY_CODE = 0x00400000,
763 SAMR_FIELD_CODE_PAGE = 0x00800000,
764 SAMR_FIELD_PASSWORD = 0x01000000, /* either of these */
765 SAMR_FIELD_PASSWORD2 = 0x02000000, /* two bits seems to work */
766 SAMR_FIELD_PRIVATE_DATA = 0x04000000,
767 SAMR_FIELD_EXPIRED_FLAG = 0x08000000,
768 SAMR_FIELD_SEC_DESC = 0x10000000,
769 SAMR_FIELD_OWF_PWD = 0x20000000
770 } samr_FieldsPresent;
775 NTTIME last_password_change;
777 NTTIME allow_password_change;
778 NTTIME force_password_change;
779 lsa_String account_name;
780 lsa_String full_name;
781 lsa_String home_directory;
782 lsa_String home_drive;
783 lsa_String logon_script;
784 lsa_String profile_path;
785 lsa_String description;
786 lsa_String workstations;
788 lsa_String parameters;
793 [size_is(buf_count)] uint8 *buffer;
796 samr_AcctFlags acct_flags;
797 samr_FieldsPresent fields_present;
798 samr_LogonHours logon_hours;
799 uint16 bad_password_count;
803 uint8 nt_password_set;
804 uint8 lm_password_set;
805 uint8 password_expired;
809 typedef [public, flag(NDR_PAHEX)] struct {
811 } samr_CryptPassword;
814 samr_UserInfo21 info;
815 samr_CryptPassword password;
819 samr_CryptPassword password;
823 typedef [flag(NDR_PAHEX)] struct {
825 } samr_CryptPasswordEx;
828 samr_UserInfo21 info;
829 samr_CryptPasswordEx password;
833 samr_CryptPasswordEx password;
837 typedef [switch_type(uint16)] union {
838 [case(1)] samr_UserInfo1 info1;
839 [case(2)] samr_UserInfo2 info2;
840 [case(3)] samr_UserInfo3 info3;
841 [case(4)] samr_UserInfo4 info4;
842 [case(5)] samr_UserInfo5 info5;
843 [case(6)] samr_UserInfo6 info6;
844 [case(7)] samr_UserInfo7 info7;
845 [case(8)] samr_UserInfo8 info8;
846 [case(9)] samr_UserInfo9 info9;
847 [case(10)] samr_UserInfo10 info10;
848 [case(11)] samr_UserInfo11 info11;
849 [case(12)] samr_UserInfo12 info12;
850 [case(13)] samr_UserInfo13 info13;
851 [case(14)] samr_UserInfo14 info14;
852 [case(16)] samr_UserInfo16 info16;
853 [case(17)] samr_UserInfo17 info17;
854 [case(20)] samr_UserInfo20 info20;
855 [case(21)] samr_UserInfo21 info21;
856 [case(23)] samr_UserInfo23 info23;
857 [case(24)] samr_UserInfo24 info24;
858 [case(25)] samr_UserInfo25 info25;
859 [case(26)] samr_UserInfo26 info26;
862 [public] NTSTATUS samr_QueryUserInfo(
863 [in,ref] policy_handle *user_handle,
865 [out,ref,switch_is(level)] samr_UserInfo *info
869 /************************/
871 [public] NTSTATUS samr_SetUserInfo(
872 [in,ref] policy_handle *user_handle,
874 [in,ref,switch_is(level)] samr_UserInfo *info
877 /************************/
879 typedef [public, flag(NDR_PAHEX)] struct {
884 this is a password change interface that doesn't give
885 the server the plaintext password. Depricated.
887 NTSTATUS samr_ChangePasswordUser(
888 [in,ref] policy_handle *user_handle,
889 [in] boolean8 lm_present,
890 [in] samr_Password *old_lm_crypted,
891 [in] samr_Password *new_lm_crypted,
892 [in] boolean8 nt_present,
893 [in] samr_Password *old_nt_crypted,
894 [in] samr_Password *new_nt_crypted,
895 [in] boolean8 cross1_present,
896 [in] samr_Password *nt_cross,
897 [in] boolean8 cross2_present,
898 [in] samr_Password *lm_cross
901 /************************/
904 typedef [public] struct {
906 samr_GroupAttrs attributes;
907 } samr_RidWithAttribute;
909 typedef [public] struct {
911 [size_is(count)] samr_RidWithAttribute *rids;
912 } samr_RidWithAttributeArray;
914 NTSTATUS samr_GetGroupsForUser(
915 [in,ref] policy_handle *user_handle,
916 [out,ref] samr_RidWithAttributeArray *rids
919 /************************/
925 samr_AcctFlags acct_flags;
926 lsa_String account_name;
927 lsa_String description;
928 lsa_String full_name;
929 } samr_DispEntryGeneral;
933 [size_is(count)] samr_DispEntryGeneral *entries;
934 } samr_DispInfoGeneral;
939 samr_AcctFlags acct_flags;
940 lsa_String account_name;
941 lsa_String description;
942 } samr_DispEntryFull;
946 [size_is(count)] samr_DispEntryFull *entries;
952 samr_GroupAttrs acct_flags;
953 lsa_String account_name;
954 lsa_String description;
955 } samr_DispEntryFullGroup;
959 [size_is(count)] samr_DispEntryFullGroup *entries;
960 } samr_DispInfoFullGroups;
964 lsa_AsciiString account_name;
965 } samr_DispEntryAscii;
969 [size_is(count)] samr_DispEntryAscii *entries;
970 } samr_DispInfoAscii;
972 typedef [switch_type(uint16)] union {
973 [case(1)] samr_DispInfoGeneral info1;/* users */
974 [case(2)] samr_DispInfoFull info2; /* trust accounts? */
975 [case(3)] samr_DispInfoFullGroups info3; /* groups */
976 [case(4)] samr_DispInfoAscii info4; /* users */
977 [case(5)] samr_DispInfoAscii info5; /* groups */
980 NTSTATUS samr_QueryDisplayInfo(
981 [in,ref] policy_handle *domain_handle,
983 [in] uint32 start_idx,
984 [in] uint32 max_entries,
985 [in] uint32 buf_size,
986 [out,ref] uint32 *total_size,
987 [out,ref] uint32 *returned_size,
988 [out,ref,switch_is(level)] samr_DispInfo *info
992 /************************/
996 this seems to be an alphabetic search function. The returned index
997 is the index for samr_QueryDisplayInfo needed to get names occurring
998 after the specified name. The supplied name does not need to exist
999 in the database (for example you can supply just a first letter for
1000 searching starting at that letter)
1002 The level corresponds to the samr_QueryDisplayInfo level
1004 NTSTATUS samr_GetDisplayEnumerationIndex(
1005 [in,ref] policy_handle *domain_handle,
1007 [in] lsa_String name,
1008 [out,ref] uint32 *idx
1013 /************************/
1017 w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this
1019 NTSTATUS samr_TestPrivateFunctionsDomain(
1020 [in,ref] policy_handle *domain_handle
1024 /************************/
1028 w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this
1030 NTSTATUS samr_TestPrivateFunctionsUser(
1031 [in,ref] policy_handle *user_handle
1035 /************************/
1039 uint16 min_password_length;
1040 samr_PasswordProperties password_properties;
1043 [public] NTSTATUS samr_GetUserPwInfo(
1044 [in,ref] policy_handle *user_handle,
1045 [out,ref] samr_PwInfo *info
1048 /************************/
1050 NTSTATUS samr_RemoveMemberFromForeignDomain(
1051 [in,ref] policy_handle *domain_handle,
1052 [in,ref] dom_sid2 *sid
1055 /************************/
1059 how is this different from QueryDomainInfo ??
1061 NTSTATUS samr_QueryDomainInfo2(
1062 [in,ref] policy_handle *domain_handle,
1064 [out,ref,switch_is(level)] samr_DomainInfo *info
1067 /************************/
1071 how is this different from QueryUserInfo ??
1073 NTSTATUS samr_QueryUserInfo2(
1074 [in,ref] policy_handle *user_handle,
1076 [out,ref,switch_is(level)] samr_UserInfo *info
1079 /************************/
1083 how is this different from QueryDisplayInfo??
1085 NTSTATUS samr_QueryDisplayInfo2(
1086 [in,ref] policy_handle *domain_handle,
1088 [in] uint32 start_idx,
1089 [in] uint32 max_entries,
1090 [in] uint32 buf_size,
1091 [out,ref] uint32 *total_size,
1092 [out,ref] uint32 *returned_size,
1093 [out,ref,switch_is(level)] samr_DispInfo *info
1096 /************************/
1100 how is this different from GetDisplayEnumerationIndex ??
1102 NTSTATUS samr_GetDisplayEnumerationIndex2(
1103 [in,ref] policy_handle *domain_handle,
1105 [in] lsa_String name,
1106 [out,ref] uint32 *idx
1110 /************************/
1112 NTSTATUS samr_CreateUser2(
1113 [in,ref] policy_handle *domain_handle,
1114 [in,ref] lsa_String *account_name,
1115 [in] samr_AcctFlags acct_flags,
1116 [in] samr_UserAccessMask access_mask,
1117 [out,ref] policy_handle *user_handle,
1118 [out,ref] uint32 *access_granted,
1119 [out,ref] uint32 *rid
1123 /************************/
1127 another duplicate. There must be a reason ....
1129 NTSTATUS samr_QueryDisplayInfo3(
1130 [in,ref] policy_handle *domain_handle,
1132 [in] uint32 start_idx,
1133 [in] uint32 max_entries,
1134 [in] uint32 buf_size,
1135 [out,ref] uint32 *total_size,
1136 [out,ref] uint32 *returned_size,
1137 [out,ref,switch_is(level)] samr_DispInfo *info
1140 /************************/
1142 NTSTATUS samr_AddMultipleMembersToAlias(
1143 [in,ref] policy_handle *alias_handle,
1144 [in,ref] lsa_SidArray *sids
1147 /************************/
1149 NTSTATUS samr_RemoveMultipleMembersFromAlias(
1150 [in,ref] policy_handle *alias_handle,
1151 [in,ref] lsa_SidArray *sids
1154 /************************/
1157 NTSTATUS samr_OemChangePasswordUser2(
1158 [in] lsa_AsciiString *server,
1159 [in,ref] lsa_AsciiString *account,
1160 [in] samr_CryptPassword *password,
1161 [in] samr_Password *hash
1164 /************************/
1166 NTSTATUS samr_ChangePasswordUser2(
1167 [in] lsa_String *server,
1168 [in,ref] lsa_String *account,
1169 [in] samr_CryptPassword *nt_password,
1170 [in] samr_Password *nt_verifier,
1171 [in] boolean8 lm_change,
1172 [in] samr_CryptPassword *lm_password,
1173 [in] samr_Password *lm_verifier
1176 /************************/
1178 NTSTATUS samr_GetDomPwInfo(
1179 [in] lsa_String *domain_name,
1180 [out,ref] samr_PwInfo *info
1183 /************************/
1185 NTSTATUS samr_Connect2(
1186 [in,string,charset(UTF16)] uint16 *system_name,
1187 [in] samr_ConnectAccessMask access_mask,
1188 [out,ref] policy_handle *connect_handle
1191 /************************/
1194 seems to be an exact alias for samr_SetUserInfo()
1196 [public] NTSTATUS samr_SetUserInfo2(
1197 [in,ref] policy_handle *user_handle,
1199 [in,ref,switch_is(level)] samr_UserInfo *info
1202 /************************/
1205 this one is mysterious. I have a few guesses, but nothing working yet
1207 NTSTATUS samr_SetBootKeyInformation(
1208 [in,ref] policy_handle *connect_handle,
1209 [in] uint32 unknown1,
1210 [in] uint32 unknown2,
1211 [in] uint32 unknown3
1214 /************************/
1216 NTSTATUS samr_GetBootKeyInformation(
1217 [in,ref] policy_handle *domain_handle,
1218 [out,ref] uint32 *unknown
1221 /************************/
1223 NTSTATUS samr_Connect3(
1224 [in,string,charset(UTF16)] uint16 *system_name,
1225 /* this unknown value seems to be completely ignored by w2k3 */
1226 [in] uint32 unknown,
1227 [in] samr_ConnectAccessMask access_mask,
1228 [out,ref] policy_handle *connect_handle
1231 /************************/
1233 NTSTATUS samr_Connect4(
1234 [in,string,charset(UTF16)] uint16 *system_name,
1235 [in] uint32 unknown,
1236 [in] samr_ConnectAccessMask access_mask,
1237 [out,ref] policy_handle *connect_handle
1240 /************************/
1243 typedef enum samr_RejectReason samr_RejectReason;
1246 samr_RejectReason reason;
1249 } samr_ChangeReject;
1251 NTSTATUS samr_ChangePasswordUser3(
1252 [in] lsa_String *server,
1253 [in,ref] lsa_String *account,
1254 [in] samr_CryptPassword *nt_password,
1255 [in] samr_Password *nt_verifier,
1256 [in] boolean8 lm_change,
1257 [in] samr_CryptPassword *lm_password,
1258 [in] samr_Password *lm_verifier,
1259 [in] samr_CryptPassword *password3,
1260 [out,ref] samr_DomInfo1 *dominfo,
1261 [out,ref] samr_ChangeReject *reject
1264 /************************/
1268 uint32 unknown1; /* w2k3 gives 3 */
1269 uint32 unknown2; /* w2k3 gives 0 */
1270 } samr_ConnectInfo1;
1273 [case(1)] samr_ConnectInfo1 info1;
1276 [public] NTSTATUS samr_Connect5(
1277 [in,string,charset(UTF16)] uint16 *system_name,
1278 [in] samr_ConnectAccessMask access_mask,
1279 [in] uint32 level_in,
1280 [in,ref,switch_is(level_in)] samr_ConnectInfo *info_in,
1281 [out,ref] uint32 *level_out,
1282 [out,ref,switch_is(*level_out)] samr_ConnectInfo *info_out,
1283 [out,ref] policy_handle *connect_handle
1286 /************************/
1288 NTSTATUS samr_RidToSid(
1289 [in,ref] policy_handle *domain_handle,
1291 [out,ref] dom_sid2 *sid
1295 /************************/
1299 this should set the DSRM password for the server, which is used
1300 when booting into Directory Services Recovery Mode on a DC. Win2003
1301 gives me NT_STATUS_NOT_SUPPORTED
1304 NTSTATUS samr_SetDsrmPassword(
1305 [in] lsa_String *name,
1306 [in] uint32 unknown,
1307 [in] samr_Password *hash
1311 /************************/
1313 /************************/
1314 typedef [bitmap32bit] bitmap {
1315 SAMR_VALIDATE_FIELD_PASSWORD_LAST_SET = 0x00000001,
1316 SAMR_VALIDATE_FIELD_BAD_PASSWORD_TIME = 0x00000002,
1317 SAMR_VALIDATE_FIELD_LOCKOUT_TIME = 0x00000004,
1318 SAMR_VALIDATE_FIELD_BAD_PASSWORD_COUNT = 0x00000008,
1319 SAMR_VALIDATE_FIELD_PASSWORD_HISTORY_LENGTH = 0x00000010,
1320 SAMR_VALIDATE_FIELD_PASSWORD_HISTORY = 0x00000020
1321 } samr_ValidateFieldsPresent;
1324 NetValidateAuthentication = 1,
1325 NetValidatePasswordChange= 2,
1326 NetValidatePasswordReset = 3
1327 } samr_ValidatePasswordLevel;
1329 /* NetApi maps samr_ValidationStatus errors to WERRORs. Haven't
1330 * identified the mapping of
1331 * - NERR_PasswordFilterError
1332 * - NERR_PasswordExpired and
1333 * - NERR_PasswordCantChange
1338 SAMR_VALIDATION_STATUS_SUCCESS = 0,
1339 SAMR_VALIDATION_STATUS_PASSWORD_MUST_CHANGE = 1,
1340 SAMR_VALIDATION_STATUS_ACCOUNT_LOCKED_OUT = 2,
1341 SAMR_VALIDATION_STATUS_BAD_PASSWORD = 4,
1342 SAMR_VALIDATION_STATUS_PWD_HISTORY_CONFLICT = 5,
1343 SAMR_VALIDATION_STATUS_PWD_TOO_SHORT = 6,
1344 SAMR_VALIDATION_STATUS_PWD_TOO_LONG = 7,
1345 SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH = 8,
1346 SAMR_VALIDATION_STATUS_PASSWORD_TOO_RECENT = 9
1347 } samr_ValidationStatus;
1351 [size_is(length)] uint8 *data;
1352 } samr_ValidationBlob;
1355 samr_ValidateFieldsPresent fields_present;
1356 NTTIME_hyper last_password_change;
1357 NTTIME_hyper bad_password_time;
1358 NTTIME_hyper lockout_time;
1359 uint32 bad_pwd_count;
1360 uint32 pwd_history_len;
1361 [size_is(pwd_history_len)] samr_ValidationBlob *pwd_history;
1362 } samr_ValidatePasswordInfo;
1365 samr_ValidatePasswordInfo info;
1366 samr_ValidationStatus status;
1367 } samr_ValidatePasswordRepCtr;
1369 typedef [switch_type(uint16)] union {
1370 [case(1)] samr_ValidatePasswordRepCtr ctr1;
1371 [case(2)] samr_ValidatePasswordRepCtr ctr2;
1372 [case(3)] samr_ValidatePasswordRepCtr ctr3;
1373 } samr_ValidatePasswordRep;
1376 samr_ValidatePasswordInfo info;
1377 lsa_StringLarge password;
1378 lsa_StringLarge account;
1379 samr_ValidationBlob hash;
1380 boolean8 pwd_must_change_at_next_logon;
1381 boolean8 clear_lockout;
1382 } samr_ValidatePasswordReq3;
1385 samr_ValidatePasswordInfo info;
1386 lsa_StringLarge password;
1387 lsa_StringLarge account;
1388 samr_ValidationBlob hash;
1389 boolean8 password_matched;
1390 } samr_ValidatePasswordReq2;
1393 samr_ValidatePasswordInfo info;
1394 boolean8 password_matched;
1395 } samr_ValidatePasswordReq1;
1397 typedef [switch_type(uint16)] union {
1398 [case(1)] samr_ValidatePasswordReq1 req1;
1399 [case(2)] samr_ValidatePasswordReq2 req2;
1400 [case(3)] samr_ValidatePasswordReq3 req3;
1401 } samr_ValidatePasswordReq;
1403 NTSTATUS samr_ValidatePassword(
1404 [in] samr_ValidatePasswordLevel level,
1405 [in,switch_is(level)] samr_ValidatePasswordReq req,
1406 [out,ref,switch_is(level)] samr_ValidatePasswordRep *rep