4 samr interface definition
8 Thanks to Todd Sabin for some information from his samr.idl in acltools
11 [ uuid(12345778-1234-abcd-ef00-0123456789ac),
13 pointer_default(unique)
18 NTSTATUS samr_Connect (
19 /* notice the lack of [string] */
20 [in] uint16 *system_name,
21 [in] uint32 access_mask,
22 [out,ref] policy_handle *handle
29 [in,out,ref] policy_handle *handle
36 [value(ndr_size_security_descriptor(r->sd))] uint32 sd_size;
37 [subcontext(4)] security_descriptor *sd;
40 NTSTATUS samr_SetSecurity (
41 [in,ref] policy_handle *handle,
43 [in,ref] samr_SdBuf *sdbuf
49 NTSTATUS samr_QuerySecurity (
50 [in,ref] policy_handle *handle,
52 [out] samr_SdBuf *sdbuf
59 shut down the SAM - once you call this the SAM will be dead
61 NTSTATUS samr_Shutdown (
62 [in,ref] policy_handle *handle
68 [value(2*strlen_m(r->name))] uint16 name_len;
69 [value(r->name_len)] uint16 name_size;
73 NTSTATUS samr_LookupDomain (
74 [in,ref] policy_handle *handle,
75 [in,ref] samr_Name *domain,
90 [size_is(count)] samr_SamEntry *entries;
93 NTSTATUS samr_EnumDomains (
94 [in,ref] policy_handle *handle,
95 [in,out,ref] uint32 *resume_handle,
97 [out] samr_SamArray *sam,
98 [out] uint32 num_entries
102 /************************/
104 NTSTATUS samr_OpenDomain(
105 [in,ref] policy_handle *handle,
106 [in] uint32 access_mask,
107 [in,ref] dom_sid2 *sid,
108 [out,ref] policy_handle *domain_handle
111 /************************/
115 uint16 min_length_password;
116 uint16 password_history;
119 NTTIME min_passwordage;
123 ULONG8 force_logoff_time;
125 samr_Name domain; /* domain name */
126 samr_Name primary; /* PDC name if this is a BDC */
127 HYPER_T sequence_num;
137 ULONG8 force_logoff_time;
141 /* I'm not entirely sure this is a comment. win2003
142 allows it to be set, and it seems harmless (like a
143 comment) but I haven't seen it show up anywhere */
160 HYPER_T sequence_num;
161 NTTIME last_xxx_time;
165 uint32 unknown; /* w2k3 returns 1 */
169 ULONG8 force_logoff_time;
173 HYPER_T sequence_num;
174 uint32 unknown2; /* w2k3 returns 1 */
176 uint32 unknown3; /* w2k3 returns 1 */
180 HYPER_T lockout_duration;
181 HYPER_T lockout_window;
182 uint16 lockout_threshold;
186 HYPER_T lockout_duration;
187 HYPER_T lockout_window;
188 uint16 lockout_threshold;
192 HYPER_T sequence_num;
193 NTTIME last_xxx_time;
199 [case(1)] samr_DomInfo1 info1;
200 [case(2)] samr_DomInfo2 info2;
201 [case(3)] samr_DomInfo3 info3;
202 [case(4)] samr_DomInfo4 info4;
203 [case(5)] samr_DomInfo5 info5;
204 [case(6)] samr_DomInfo6 info6;
205 [case(7)] samr_DomInfo7 info7;
206 [case(8)] samr_DomInfo8 info8;
207 [case(9)] samr_DomInfo9 info9;
208 [case(11)] samr_DomInfo11 info11;
209 [case(12)] samr_DomInfo12 info12;
210 [case(13)] samr_DomInfo13 info13;
213 NTSTATUS samr_QueryDomainInfo(
214 [in,ref] policy_handle *handle,
216 [out,switch_is(level)] samr_DomainInfo *info
219 /************************/
222 only levels 1, 3, 4, 6, 7, 9, 12 are valid for this
225 NTSTATUS samr_SetDomainInfo(
226 [in,ref] policy_handle *handle,
228 [in,switch_is(level),ref] samr_DomainInfo *info
232 /************************/
234 NTSTATUS samr_CreateDomainGroup(
235 [in,ref] policy_handle *handle,
236 [in,ref] samr_Name *name,
237 [in] uint32 access_mask,
238 [out,ref] policy_handle *group_handle,
239 [out,ref] uint32 *rid
243 /************************/
245 NTSTATUS samr_EnumDomainGroups(
246 [in,ref] policy_handle *handle,
247 [in,out,ref] uint32 *resume_handle,
248 [in] uint32 max_size,
249 [out] samr_SamArray *sam,
250 [out] uint32 num_entries
253 /************************/
255 NTSTATUS samr_CreateUser(
256 [in,ref] policy_handle *handle,
257 [in,ref] samr_Name *username,
258 [in] uint32 access_mask,
259 [out,ref] policy_handle *acct_handle,
260 [out,ref] uint32 *rid
263 /************************/
265 NTSTATUS samr_EnumDomainUsers(
266 [in,ref] policy_handle *handle,
267 [in,out,ref] uint32 *resume_handle,
268 [in] uint32 acct_flags,
269 [in] uint32 max_size,
270 [out] samr_SamArray *sam,
271 [out] uint32 num_entries
274 /************************/
276 NTSTATUS samr_CreateDomAlias(
277 [in,ref] policy_handle *handle,
278 [in,ref] samr_Name *aliasname,
279 [in] uint32 access_mask,
280 [out,ref] policy_handle *acct_handle,
281 [out,ref] uint32 *rid
284 /************************/
286 NTSTATUS samr_EnumDomainAliases(
287 [in,ref] policy_handle *handle,
288 [in,out,ref] uint32 *resume_handle,
289 [in] uint32 max_size,
290 [out] samr_SamArray *sam,
291 [out] uint32 num_entries
294 /************************/
299 [size_is(count)] uint32 *ids;
302 NTSTATUS samr_GetAliasMembership(
303 [in,ref] policy_handle *handle,
304 [in,ref] lsa_SidArray *sids,
308 /************************/
311 NTSTATUS samr_LookupNames(
312 [in,ref] policy_handle *handle,
313 [in] uint32 num_names,
314 [in,ref,size_is(1000),length_is(num_names)] samr_Name *names,
320 /************************/
325 [size_is(count)] samr_Name *names;
328 NTSTATUS samr_LookupRids(
329 [in,ref] policy_handle *handle,
330 [in] uint32 num_rids,
331 [in,ref,size_is(1000),length_is(num_rids)] uint32 *rids,
332 [out] samr_Names names,
336 /************************/
338 NTSTATUS samr_OpenGroup(
339 [in,ref] policy_handle *handle,
340 [in] uint32 access_mask,
342 [out,ref] policy_handle *acct_handle
346 /************************/
353 samr_Name description;
361 samr_Name description;
362 } samr_GroupInfoDesciption;
372 [case(GroupInfoAll)] samr_GroupInfoAll all;
373 [case(GroupInfoName)] samr_Name name;
374 [case(GroupInfoX)] samr_GroupInfoX unknown;
375 [case(GroupInfoDescription)] samr_Name description;
378 NTSTATUS samr_QueryGroupInfo(
379 [in,ref] policy_handle *handle,
381 [out,switch_is(level)] samr_GroupInfo *info
384 /************************/
386 NTSTATUS samr_SetGroupInfo(
387 [in,ref] policy_handle *handle,
389 [in,switch_is(level),ref] samr_GroupInfo *info
392 /************************/
394 NTSTATUS samr_AddGroupMember(
395 [in,ref] policy_handle *handle,
400 /************************/
402 NTSTATUS samr_DeleteDomainGroup(
403 [in,out,ref] policy_handle *handle
406 /************************/
408 NTSTATUS samr_DeleteGroupMember(
409 [in,ref] policy_handle *handle,
414 /************************/
417 this isn't really valid IDL, but it does work. I suspect
418 I need to do some more pidl work to get this really right
427 samr_intArray *unknown7;
430 NTSTATUS samr_QueryGroupMember(
431 [in,ref] policy_handle *handle,
433 [out] samr_ridArray rids
437 /************************/
441 win2003 seems to accept any data at all for the two integers
442 below, and doesn't seem to do anything with them that I can
443 see. Weird. I really expected the first integer to be a rid
444 and the second to be the attributes for that rid member.
446 NTSTATUS samr_SetMemberAttributesOfGroup(
447 [in,ref] policy_handle *handle,
448 [in] uint32 unknown1,
453 /************************/
455 NTSTATUS samr_OpenAlias (
456 [in,ref] policy_handle *handle,
457 [in] uint32 access_mask,
459 [out,ref] policy_handle *acct_handle
463 /************************/
469 samr_Name description;
473 [case(1)] samr_AliasInfoAll all;
474 [case(2)] samr_Name name;
475 [case(3)] samr_Name description;
478 NTSTATUS samr_QueryAliasInfo(
479 [in,ref] policy_handle *handle,
481 [out,switch_is(level)] samr_AliasInfo *info
484 /************************/
486 NTSTATUS samr_SetAliasInfo(
487 [in,ref] policy_handle *handle,
489 [in,switch_is(level)] samr_AliasInfo info
492 /************************/
494 NTSTATUS samr_DeleteDomAlias(
495 [in,out,ref] policy_handle *handle
498 /************************/
500 NTSTATUS samr_AddAliasMember(
501 [in,ref] policy_handle *handle,
502 [in,ref] dom_sid2 *sid
505 /************************/
507 NTSTATUS samr_DeleteAliasMember(
508 [in,ref] policy_handle *handle,
509 [in,ref] dom_sid2 *sid
512 /************************/
514 NTSTATUS samr_GetMembersInAlias(
515 [in,ref] policy_handle *handle,
516 [out,ref] lsa_SidArray *sids
519 /************************/
521 NTSTATUS samr_OpenUser(
522 [in,ref] policy_handle *handle,
523 [in] uint32 access_mask,
525 [out,ref] policy_handle *acct_handle
528 /************************/
530 NTSTATUS samr_DeleteUser(
531 [in,out,ref] policy_handle *handle
534 /************************/
540 samr_Name description;
546 samr_Name unknown; /* settable, but doesn't stick. probably obsolete */
556 samr_Name home_directory;
557 samr_Name home_drive;
558 samr_Name logon_script;
560 samr_Name workstations;
563 NTTIME last_pwd_change;
564 NTTIME allow_pwd_change;
565 NTTIME force_pwd_change;
566 samr_LogonHours logon_hours;
567 uint16 bad_pwd_count;
573 samr_LogonHours logon_hours;
581 samr_Name home_directory;
582 samr_Name home_drive;
583 samr_Name logon_script;
585 samr_Name description;
586 samr_Name workstations;
589 samr_LogonHours logon_hours;
590 uint16 bad_pwd_count;
592 NTTIME last_pwd_change;
616 samr_Name home_drive;
620 samr_Name logon_script;
628 samr_Name description;
632 samr_Name workstations;
650 NTTIME last_pwd_change;
652 NTTIME allow_pwd_change;
653 NTTIME force_pwd_change;
657 samr_Name home_drive;
658 samr_Name logon_script;
660 samr_Name description;
661 samr_Name workstations;
668 [size_is(buf_count)] uint8 *buffer;
672 uint32 fields_present;
673 samr_LogonHours logon_hours;
674 uint16 bad_pwd_count;
684 typedef [flag(NDR_PAHEX)] struct {
686 } samr_CryptPassword;
689 samr_UserInfo21 info;
690 samr_CryptPassword password;
694 samr_CryptPassword password;
700 } samr_CryptPasswordEx;
703 samr_UserInfo21 info;
704 samr_CryptPasswordEx password;
708 samr_CryptPasswordEx password;
713 [case(1)] samr_UserInfo1 info1;
714 [case(2)] samr_UserInfo2 info2;
715 [case(3)] samr_UserInfo3 info3;
716 [case(4)] samr_UserInfo4 info4;
717 [case(5)] samr_UserInfo5 info5;
718 [case(6)] samr_UserInfo6 info6;
719 [case(7)] samr_UserInfo7 info7;
720 [case(8)] samr_UserInfo8 info8;
721 [case(9)] samr_UserInfo9 info9;
722 [case(10)] samr_UserInfo10 info10;
723 [case(11)] samr_UserInfo11 info11;
724 [case(12)] samr_UserInfo12 info12;
725 [case(13)] samr_UserInfo13 info13;
726 [case(14)] samr_UserInfo14 info14;
727 [case(16)] samr_UserInfo16 info16;
728 [case(17)] samr_UserInfo17 info17;
729 [case(20)] samr_UserInfo20 info20;
730 [case(21)] samr_UserInfo21 info21;
731 [case(23)] samr_UserInfo23 info23;
732 [case(24)] samr_UserInfo24 info24;
733 [case(25)] samr_UserInfo25 info25;
734 [case(26)] samr_UserInfo26 info26;
737 NTSTATUS samr_QueryUserInfo(
738 [in,ref] policy_handle *handle,
740 [out,switch_is(level)] samr_UserInfo *info
744 /************************/
746 NTSTATUS samr_SetUserInfo(
747 [in,ref] policy_handle *handle,
749 [in,ref,switch_is(level)] samr_UserInfo *info
752 /************************/
755 typedef [flag(NDR_PAHEX)] struct {
760 this is a password change interface that doesn't give
761 the server the plaintext password. Deprecated.
763 NTSTATUS samr_ChangePasswordUser(
764 [in,ref] policy_handle *handle,
765 [in] bool8 lm_present,
766 [in] samr_Hash *old_lm_crypted,
767 [in] samr_Hash *new_lm_crypted,
768 [in] bool8 nt_present,
769 [in] samr_Hash *old_nt_crypted,
770 [in] samr_Hash *new_nt_crypted,
771 [in] bool8 cross1_present,
772 [in] samr_Hash *nt_cross,
773 [in] bool8 cross2_present,
774 [in] samr_Hash *lm_cross
777 /************************/
787 [size_is(count)] samr_RidType *rid;
790 NTSTATUS samr_GetGroupsForUser(
791 [in,ref] policy_handle *handle,
792 [out] samr_RidArray *rids
795 /************************/
802 samr_Name account_name;
804 samr_Name description;
805 } samr_DispEntryGeneral;
809 [size_is(count)] samr_DispEntryGeneral *entries;
810 } samr_DispInfoGeneral;
816 samr_Name account_name;
817 samr_Name description;
818 } samr_DispEntryFull;
822 [size_is(count)] samr_DispEntryFull *entries;
826 [value(strlen_m(r->name))] uint16 name_len;
827 [value(strlen_m(r->name))] uint16 name_size;
833 samr_AsciiName account_name;
834 } samr_DispEntryAscii;
838 [size_is(count)] samr_DispEntryAscii *entries;
839 } samr_DispInfoAscii;
842 [case(1)] samr_DispInfoGeneral info1;/* users */
843 [case(2)] samr_DispInfoFull info2; /* trust accounts? */
844 [case(3)] samr_DispInfoFull info3; /* groups */
845 [case(4)] samr_DispInfoAscii info4; /* users */
846 [case(5)] samr_DispInfoAscii info5; /* groups */
849 NTSTATUS samr_QueryDisplayInfo(
850 [in,ref] policy_handle *handle,
852 [in] uint32 start_idx,
853 [in] uint32 max_entries,
854 [in] uint32 buf_size,
855 [out] uint32 total_size,
856 [out] uint32 returned_size,
857 [out,switch_is(level)] samr_DispInfo info
861 /************************/
865 this seems to be an alphabetic search function. The returned index
866 is the index for samr_QueryDisplayInfo needed to get names occurring
867 after the specified name. The supplied name does not need to exist
868 in the database (for example you can supply just a first letter for
869 searching starting at that letter)
871 The level corresponds to the samr_QueryDisplayInfo level
873 NTSTATUS samr_GetDisplayEnumerationIndex(
874 [in,ref] policy_handle *handle,
882 /************************/
886 w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this
888 NTSTATUS samr_TestPrivateFunctionsDomain(
889 [in,ref] policy_handle *handle
893 /************************/
897 w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this
899 NTSTATUS samr_TestPrivateFunctionsUser(
900 [in,ref] policy_handle *handle
904 /************************/
907 /* password properties flags */
908 const uint32 DOMAIN_PASSWORD_COMPLEX = 0x00000001;
909 const uint32 DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x00000002;
910 const uint32 DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x00000004;
911 const uint32 DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010;
912 const uint32 DOMAIN_REFUSE_PASSWORD_CHANGE = 0x00000020;
916 uint32 password_properties;
919 NTSTATUS samr_GetUserPwInfo(
920 [in,ref] policy_handle *handle,
921 [out] samr_PwInfo info
924 /************************/
926 NTSTATUS samr_RemoveMemberFromForeignDomain(
927 [in,ref] policy_handle *handle,
928 [in,ref] dom_sid2 *sid
931 /************************/
935 how is this different from QueryDomainInfo ??
937 NTSTATUS samr_QueryDomainInfo2(
938 [in,ref] policy_handle *handle,
940 [out,switch_is(level)] samr_DomainInfo *info
943 /************************/
947 how is this different from QueryUserInfo ??
949 NTSTATUS samr_QueryUserInfo2(
950 [in,ref] policy_handle *handle,
952 [out,switch_is(level)] samr_UserInfo *info
955 /************************/
959 how is this different from QueryDisplayInfo??
961 NTSTATUS samr_QueryDisplayInfo2(
962 [in,ref] policy_handle *handle,
964 [in] uint32 start_idx,
965 [in] uint32 max_entries,
966 [in] uint32 buf_size,
967 [out] uint32 total_size,
968 [out] uint32 returned_size,
969 [out,switch_is(level)] samr_DispInfo info
972 /************************/
976 how is this different from GetDisplayEnumerationIndex ??
978 NTSTATUS samr_GetDisplayEnumerationIndex2(
979 [in,ref] policy_handle *handle,
986 /************************/
988 NTSTATUS samr_CreateUser2(
989 /************************/
990 [in,ref] policy_handle *handle,
991 [in,ref] samr_Name *username,
992 [in] uint32 acct_flags,
993 [in] uint32 access_mask,
994 [out,ref] policy_handle *acct_handle,
995 [out,ref] uint32 *access_granted,
996 [out,ref] uint32 *rid
1000 /************************/
1004 another duplicate. There must be a reason ....
1006 NTSTATUS samr_QueryDisplayInfo3(
1007 [in,ref] policy_handle *handle,
1009 [in] uint32 start_idx,
1010 [in] uint32 max_entries,
1011 [in] uint32 buf_size,
1012 [out] uint32 total_size,
1013 [out] uint32 returned_size,
1014 [out,switch_is(level)] samr_DispInfo info
1017 /************************/
1019 NTSTATUS samr_AddMultipleMembersToAlias(
1020 [in,ref] policy_handle *handle,
1021 [in,ref] lsa_SidArray *sids
1024 /************************/
1026 NTSTATUS samr_RemoveMultipleMembersFromAlias(
1027 [in,ref] policy_handle *handle,
1028 [in,ref] lsa_SidArray *sids
1031 /************************/
1034 NTSTATUS samr_OemChangePasswordUser2(
1035 [in] samr_AsciiName *server,
1036 [in,ref] samr_AsciiName *account,
1037 [in] samr_CryptPassword *password,
1038 [in] samr_Hash *hash
1041 /************************/
1043 NTSTATUS samr_ChangePasswordUser2(
1044 [in] samr_Name *server,
1045 [in,ref] samr_Name *account,
1046 [in] samr_CryptPassword *nt_password,
1047 [in] samr_Hash *nt_verifier,
1048 [in] bool8 lm_change,
1049 [in] samr_CryptPassword *lm_password,
1050 [in] samr_Hash *lm_verifier
1053 /************************/
1055 NTSTATUS samr_GetDomPwInfo(
1056 [in] samr_Name *name,
1057 [out] samr_PwInfo info
1060 /************************/
1062 NTSTATUS samr_Connect2(
1063 [in] unistr *system_name,
1064 [in] uint32 access_mask,
1065 [out,ref] policy_handle *handle
1068 /************************/
1071 seems to be an exact alias for samr_SetUserInfo()
1073 NTSTATUS samr_SetUserInfo2(
1074 [in,ref] policy_handle *handle,
1076 [in,ref,switch_is(level)] samr_UserInfo *info
1079 /************************/
1082 this one is mysterious. I have a few guesses, but nothing working yet
1084 NTSTATUS samr_SetBootKeyInformation(
1085 [in,ref] policy_handle *handle,
1086 [in] uint32 unknown1,
1087 [in] uint32 unknown2,
1088 [in] uint32 unknown3
1091 /************************/
1093 NTSTATUS samr_GetBootKeyInformation(
1094 [in,ref] policy_handle *handle,
1095 [out] uint32 unknown
1098 /************************/
1100 NTSTATUS samr_Connect3(
1101 [in] unistr *system_name,
1102 /* this unknown value seems to be completely ignored by w2k3 */
1103 [in] uint32 unknown,
1104 [in] uint32 access_mask,
1105 [out,ref] policy_handle *handle
1108 /************************/
1110 NTSTATUS samr_Connect4(
1111 [in] unistr *system_name,
1112 [in] uint32 unknown,
1113 [in] uint32 access_mask,
1114 [out,ref] policy_handle *handle
1117 /************************/
1119 NTSTATUS samr_ChangePasswordUser3(
1120 [in] samr_Name *server,
1121 [in,ref] samr_Name *account,
1122 [in] samr_CryptPassword *nt_password,
1123 [in] samr_Hash *nt_verifier,
1124 [in] bool8 lm_change,
1125 [in] samr_CryptPassword *lm_password,
1126 [in] samr_Hash *lm_verifier,
1127 [in] samr_CryptPassword *password3,
1128 [out] uint32 unknown1,
1129 [out] uint32 unknown2
1132 /************************/
1136 uint32 unknown1; /* w2k3 gives 3 */
1137 uint32 unknown2; /* w2k3 gives 0 */
1138 } samr_ConnectInfo1;
1141 [case(1)] samr_ConnectInfo1 info1;
1144 NTSTATUS samr_Connect5(
1145 [in] unistr *system_name,
1146 [in] uint32 access_mask,
1147 [in,out] uint32 level,
1148 [in,out,switch_is(level),ref] samr_ConnectInfo *info,
1149 [out,ref] policy_handle *handle
1152 /************************/
1154 NTSTATUS samr_RidToSid(
1155 [in,ref] policy_handle *handle,
1161 /************************/
1165 this should set the DSRM password for the server, which is used
1166 when booting into Directory Services Recovery Mode on a DC. Win2003
1167 gives me NT_STATUS_NOT_SUPPORTED
1170 NTSTATUS samr_SetDsrmPassword(
1171 [in] samr_Name *name,
1172 [in] uint32 unknown,
1173 [in] samr_Hash *hash
1177 /************************/
1180 I haven't been able to work out the format of this one yet.
1181 Seems to start with a switch level for a union?
1183 NTSTATUS samr_ValidatePassword();