4 samr interface definition
6 import "misc.idl", "lsa.idl", "security.idl";
9 Thanks to Todd Sabin for some information from his samr.idl in acltools
12 [ uuid("12345778-1234-abcd-ef00-0123456789ac"),
14 endpoint("ncacn_np:[\\pipe\\samr]","ncacn_ip_tcp:", "ncalrpc:"),
15 pointer_default(unique)
18 typedef bitmap security_secinfo security_secinfo;
20 /* account control (acct_flags) bits */
21 typedef [public,bitmap32bit] bitmap {
22 ACB_DISABLED = 0x00000001, /* 1 = User account disabled */
23 ACB_HOMDIRREQ = 0x00000002, /* 1 = Home directory required */
24 ACB_PWNOTREQ = 0x00000004, /* 1 = User password not required */
25 ACB_TEMPDUP = 0x00000008, /* 1 = Temporary duplicate account */
26 ACB_NORMAL = 0x00000010, /* 1 = Normal user account */
27 ACB_MNS = 0x00000020, /* 1 = MNS logon user account */
28 ACB_DOMTRUST = 0x00000040, /* 1 = Interdomain trust account */
29 ACB_WSTRUST = 0x00000080, /* 1 = Workstation trust account */
30 ACB_SVRTRUST = 0x00000100, /* 1 = Server trust account */
31 ACB_PWNOEXP = 0x00000200, /* 1 = User password does not expire */
32 ACB_AUTOLOCK = 0x00000400, /* 1 = Account auto locked */
33 ACB_ENC_TXT_PWD_ALLOWED = 0x00000800, /* 1 = Encryped text password is allowed */
34 ACB_SMARTCARD_REQUIRED = 0x00001000, /* 1 = Smart Card required */
35 ACB_TRUSTED_FOR_DELEGATION = 0x00002000, /* 1 = Trusted for Delegation */
36 ACB_NOT_DELEGATED = 0x00004000, /* 1 = Not delegated */
37 ACB_USE_DES_KEY_ONLY = 0x00008000, /* 1 = Use DES key only */
38 ACB_DONT_REQUIRE_PREAUTH = 0x00010000, /* 1 = Preauth not required */
39 ACB_PW_EXPIRED = 0x00020000, /* 1 = Password Expired */
40 ACB_NO_AUTH_DATA_REQD = 0x00080000 /* 1 = No authorization data required */
43 /* SAM server specific access rights */
45 typedef [bitmap32bit] bitmap {
46 SAMR_ACCESS_CONNECT_TO_SERVER = 0x00000001,
47 SAMR_ACCESS_SHUTDOWN_SERVER = 0x00000002,
48 SAMR_ACCESS_INITIALIZE_SERVER = 0x00000004,
49 SAMR_ACCESS_CREATE_DOMAIN = 0x00000008,
50 SAMR_ACCESS_ENUM_DOMAINS = 0x00000010,
51 SAMR_ACCESS_OPEN_DOMAIN = 0x00000020
52 } samr_ConnectAccessMask;
54 const int SAMR_ACCESS_ALL_ACCESS = 0x0000003F;
56 const int GENERIC_RIGHTS_SAM_ALL_ACCESS =
57 (STANDARD_RIGHTS_REQUIRED_ACCESS |
58 SAMR_ACCESS_ALL_ACCESS);
60 const int GENERIC_RIGHTS_SAM_READ =
61 (STANDARD_RIGHTS_READ_ACCESS |
62 SAMR_ACCESS_ENUM_DOMAINS);
64 const int GENERIC_RIGHTS_SAM_WRITE =
65 (STANDARD_RIGHTS_WRITE_ACCESS |
66 SAMR_ACCESS_CREATE_DOMAIN |
67 SAMR_ACCESS_INITIALIZE_SERVER |
68 SAMR_ACCESS_SHUTDOWN_SERVER);
70 const int GENERIC_RIGHTS_SAM_EXECUTE =
71 (STANDARD_RIGHTS_EXECUTE_ACCESS |
72 SAMR_ACCESS_OPEN_DOMAIN |
73 SAMR_ACCESS_CONNECT_TO_SERVER);
75 /* User Object specific access rights */
77 typedef [bitmap32bit] bitmap {
78 SAMR_USER_ACCESS_GET_NAME_ETC = 0x00000001,
79 SAMR_USER_ACCESS_GET_LOCALE = 0x00000002,
80 SAMR_USER_ACCESS_SET_LOC_COM = 0x00000004,
81 SAMR_USER_ACCESS_GET_LOGONINFO = 0x00000008,
82 SAMR_USER_ACCESS_GET_ATTRIBUTES = 0x00000010,
83 SAMR_USER_ACCESS_SET_ATTRIBUTES = 0x00000020,
84 SAMR_USER_ACCESS_CHANGE_PASSWORD = 0x00000040,
85 SAMR_USER_ACCESS_SET_PASSWORD = 0x00000080,
86 SAMR_USER_ACCESS_GET_GROUPS = 0x00000100,
87 SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP = 0x00000200,
88 SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP = 0x00000400
89 } samr_UserAccessMask;
91 const int SAMR_USER_ACCESS_ALL_ACCESS = 0x000007FF;
93 const int GENERIC_RIGHTS_USER_ALL_ACCESS =
94 (STANDARD_RIGHTS_REQUIRED_ACCESS |
95 SAMR_USER_ACCESS_ALL_ACCESS); /* 0x000f07ff */
97 const int GENERIC_RIGHTS_USER_READ =
98 (STANDARD_RIGHTS_READ_ACCESS |
99 SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP |
100 SAMR_USER_ACCESS_GET_GROUPS |
101 SAMR_USER_ACCESS_GET_ATTRIBUTES |
102 SAMR_USER_ACCESS_GET_LOGONINFO |
103 SAMR_USER_ACCESS_GET_LOCALE); /* 0x0002031a */
105 const int GENERIC_RIGHTS_USER_WRITE =
106 (STANDARD_RIGHTS_WRITE_ACCESS |
107 SAMR_USER_ACCESS_CHANGE_PASSWORD |
108 SAMR_USER_ACCESS_SET_LOC_COM |
109 SAMR_USER_ACCESS_SET_ATTRIBUTES |
110 SAMR_USER_ACCESS_SET_PASSWORD |
111 SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP); /* 0x000204e4 */
113 const int GENERIC_RIGHTS_USER_EXECUTE =
114 (STANDARD_RIGHTS_EXECUTE_ACCESS |
115 SAMR_USER_ACCESS_CHANGE_PASSWORD |
116 SAMR_USER_ACCESS_GET_NAME_ETC); /* 0x00020041 */
118 /* Domain Object specific access rights */
120 typedef [bitmap32bit] bitmap {
121 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 = 0x00000001,
122 SAMR_DOMAIN_ACCESS_SET_INFO_1 = 0x00000002,
123 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 = 0x00000004,
124 SAMR_DOMAIN_ACCESS_SET_INFO_2 = 0x00000008,
125 SAMR_DOMAIN_ACCESS_CREATE_USER = 0x00000010,
126 SAMR_DOMAIN_ACCESS_CREATE_GROUP = 0x00000020,
127 SAMR_DOMAIN_ACCESS_CREATE_ALIAS = 0x00000040,
128 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS = 0x00000080,
129 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS = 0x00000100,
130 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT = 0x00000200,
131 SAMR_DOMAIN_ACCESS_SET_INFO_3 = 0x00000400
132 } samr_DomainAccessMask;
134 const int SAMR_DOMAIN_ACCESS_ALL_ACCESS = 0x000007FF;
136 const int GENERIC_RIGHTS_DOMAIN_ALL_ACCESS =
137 (STANDARD_RIGHTS_REQUIRED_ACCESS |
138 SAMR_DOMAIN_ACCESS_ALL_ACCESS);
140 const int GENERIC_RIGHTS_DOMAIN_READ =
141 (STANDARD_RIGHTS_READ_ACCESS |
142 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS |
143 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2);
145 const int GENERIC_RIGHTS_DOMAIN_WRITE =
146 (STANDARD_RIGHTS_WRITE_ACCESS |
147 SAMR_DOMAIN_ACCESS_SET_INFO_3 |
148 SAMR_DOMAIN_ACCESS_CREATE_ALIAS |
149 SAMR_DOMAIN_ACCESS_CREATE_GROUP |
150 SAMR_DOMAIN_ACCESS_CREATE_USER |
151 SAMR_DOMAIN_ACCESS_SET_INFO_2 |
152 SAMR_DOMAIN_ACCESS_SET_INFO_1);
154 const int GENERIC_RIGHTS_DOMAIN_EXECUTE =
155 (STANDARD_RIGHTS_EXECUTE_ACCESS |
156 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
157 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
158 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1);
160 typedef [bitmap32bit] bitmap {
161 SAMR_GROUP_ACCESS_LOOKUP_INFO = 0x00000001,
162 SAMR_GROUP_ACCESS_SET_INFO = 0x00000002,
163 SAMR_GROUP_ACCESS_ADD_MEMBER = 0x00000004,
164 SAMR_GROUP_ACCESS_REMOVE_MEMBER = 0x00000008,
165 SAMR_GROUP_ACCESS_GET_MEMBERS = 0x00000010
166 } samr_GroupAccessMask;
168 typedef [bitmap32bit] bitmap {
169 SAMR_ALIAS_ACCESS_ADD_MEMBER = 0x00000001,
170 SAMR_ALIAS_ACCESS_REMOVE_MEMBER = 0x00000002,
171 SAMR_ALIAS_ACCESS_GET_MEMBERS = 0x00000004,
172 SAMR_ALIAS_ACCESS_LOOKUP_INFO = 0x00000008,
173 SAMR_ALIAS_ACCESS_SET_INFO = 0x00000010
174 } samr_AliasAccessMask;
178 NTSTATUS samr_Connect (
179 /* notice the lack of [string] */
180 [in,unique] uint16 *system_name,
181 [in] samr_ConnectAccessMask access_mask,
182 [out,ref] policy_handle *connect_handle
188 [public] NTSTATUS samr_Close (
189 [in,out,ref] policy_handle *handle
195 NTSTATUS samr_SetSecurity (
196 [in,ref] policy_handle *handle,
197 [in] security_secinfo sec_info,
198 [in,ref] sec_desc_buf *sdbuf
204 NTSTATUS samr_QuerySecurity (
205 [in,ref] policy_handle *handle,
206 [in] security_secinfo sec_info,
207 [out,ref] sec_desc_buf **sdbuf
214 shutdown the SAM - once you call this the SAM will be dead
216 NTSTATUS samr_Shutdown (
217 [in,ref] policy_handle *connect_handle
222 NTSTATUS samr_LookupDomain (
223 [in,ref] policy_handle *connect_handle,
224 [in,ref] lsa_String *domain_name,
225 [out,ref] dom_sid2 **sid
239 [size_is(count)] samr_SamEntry *entries;
242 NTSTATUS samr_EnumDomains (
243 [in] policy_handle *connect_handle,
244 [in,out,ref] uint32 *resume_handle,
245 [out,ref] samr_SamArray **sam,
246 [in] uint32 buf_size,
247 [out,ref] uint32 *num_entries
251 /************************/
253 [public] NTSTATUS samr_OpenDomain(
254 [in,ref] policy_handle *connect_handle,
255 [in] samr_DomainAccessMask access_mask,
256 [in,ref] dom_sid2 *sid,
257 [out,ref] policy_handle *domain_handle
260 /************************/
263 typedef [v1_enum] enum {
264 SAMR_ROLE_STANDALONE = 0,
265 SAMR_ROLE_DOMAIN_MEMBER = 1,
266 SAMR_ROLE_DOMAIN_BDC = 2,
267 SAMR_ROLE_DOMAIN_PDC = 3
270 /* password properties flags */
271 typedef [public,bitmap32bit] bitmap {
272 DOMAIN_PASSWORD_COMPLEX = 0x00000001,
273 DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x00000002,
274 DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x00000004,
275 DOMAIN_PASSWORD_LOCKOUT_ADMINS = 0x00000008,
276 DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010,
277 DOMAIN_REFUSE_PASSWORD_CHANGE = 0x00000020
278 } samr_PasswordProperties;
281 uint16 min_password_length;
282 uint16 password_history_length;
283 samr_PasswordProperties password_properties;
284 /* yes, these are signed. They are in negative 100ns */
285 dlong max_password_age;
286 dlong min_password_age;
290 NTTIME force_logoff_time;
291 lsa_String oem_information; /* comment */
292 lsa_String domain_name;
293 lsa_String primary; /* PDC name if this is a BDC */
301 } samr_DomGeneralInformation;
304 NTTIME force_logoff_time;
308 lsa_String oem_information; /* comment */
309 } samr_DomOEMInformation;
312 lsa_String domain_name;
325 NTTIME domain_create_time;
329 uint32 unknown; /* w2k3 returns 1 */
333 samr_DomGeneralInformation general;
334 hyper lockout_duration;
335 hyper lockout_window;
336 uint16 lockout_threshold;
337 } samr_DomGeneralInformation2;
340 hyper lockout_duration;
341 hyper lockout_window;
342 uint16 lockout_threshold;
347 NTTIME domain_create_time;
352 typedef [switch_type(uint16)] union {
353 [case(1)] samr_DomInfo1 info1;
354 [case(2)] samr_DomGeneralInformation general;
355 [case(3)] samr_DomInfo3 info3;
356 [case(4)] samr_DomOEMInformation oem;
357 [case(5)] samr_DomInfo5 info5;
358 [case(6)] samr_DomInfo6 info6;
359 [case(7)] samr_DomInfo7 info7;
360 [case(8)] samr_DomInfo8 info8;
361 [case(9)] samr_DomInfo9 info9;
362 [case(11)] samr_DomGeneralInformation2 general2;
363 [case(12)] samr_DomInfo12 info12;
364 [case(13)] samr_DomInfo13 info13;
367 NTSTATUS samr_QueryDomainInfo(
368 [in,ref] policy_handle *domain_handle,
370 [out,ref,switch_is(level)] samr_DomainInfo **info
373 /************************/
376 only levels 1, 3, 4, 6, 7, 9, 12 are valid for this
379 NTSTATUS samr_SetDomainInfo(
380 [in,ref] policy_handle *domain_handle,
382 [in,switch_is(level),ref] samr_DomainInfo *info
386 /************************/
388 NTSTATUS samr_CreateDomainGroup(
389 [in,ref] policy_handle *domain_handle,
390 [in,ref] lsa_String *name,
391 [in] samr_GroupAccessMask access_mask,
392 [out,ref] policy_handle *group_handle,
393 [out,ref] uint32 *rid
397 /************************/
400 const int MAX_SAM_ENTRIES_W2K = 0x400; /* 1024 */
401 const int MAX_SAM_ENTRIES_W95 = 50;
403 NTSTATUS samr_EnumDomainGroups(
404 [in] policy_handle *domain_handle,
405 [in,out,ref] uint32 *resume_handle,
406 [out,ref] samr_SamArray **sam,
407 [in] uint32 max_size,
408 [out,ref] uint32 *num_entries
411 /************************/
413 NTSTATUS samr_CreateUser(
414 [in,ref] policy_handle *domain_handle,
415 [in,ref] lsa_String *account_name,
416 [in] samr_UserAccessMask access_mask,
417 [out,ref] policy_handle *user_handle,
418 [out,ref] uint32 *rid
421 /************************/
425 /* w2k3 treats max_size as max_users*54 and sets the
426 resume_handle as the rid of the last user sent
428 const int SAMR_ENUM_USERS_MULTIPLIER = 54;
430 NTSTATUS samr_EnumDomainUsers(
431 [in] policy_handle *domain_handle,
432 [in,out,ref] uint32 *resume_handle,
433 [in] samr_AcctFlags acct_flags,
434 [out,ref] samr_SamArray **sam,
435 [in] uint32 max_size,
436 [out,ref] uint32 *num_entries
439 /************************/
441 NTSTATUS samr_CreateDomAlias(
442 [in,ref] policy_handle *domain_handle,
443 [in,ref] lsa_String *alias_name,
444 [in] samr_AliasAccessMask access_mask,
445 [out,ref] policy_handle *alias_handle,
446 [out,ref] uint32 *rid
449 /************************/
451 NTSTATUS samr_EnumDomainAliases(
452 [in] policy_handle *domain_handle,
453 [in,out,ref] uint32 *resume_handle,
454 [out,ref] samr_SamArray **sam,
455 [in] uint32 max_size,
456 [out,ref] uint32 *num_entries
459 /************************/
463 [range(0,1024)] uint32 count;
464 [size_is(count)] uint32 *ids;
467 NTSTATUS samr_GetAliasMembership(
468 [in,ref] policy_handle *domain_handle,
469 [in,ref] lsa_SidArray *sids,
470 [out,ref] samr_Ids *rids
473 /************************/
476 [public] NTSTATUS samr_LookupNames(
477 [in,ref] policy_handle *domain_handle,
478 [in,range(0,1000)] uint32 num_names,
479 [in,size_is(1000),length_is(num_names)] lsa_String names[],
480 [out,ref] samr_Ids *rids,
481 [out,ref] samr_Ids *types
485 /************************/
487 NTSTATUS samr_LookupRids(
488 [in,ref] policy_handle *domain_handle,
489 [in,range(0,1000)] uint32 num_rids,
490 [in,size_is(1000),length_is(num_rids)] uint32 rids[],
491 [out,ref] lsa_Strings *names,
492 [out,ref] samr_Ids *types
495 /************************/
497 NTSTATUS samr_OpenGroup(
498 [in,ref] policy_handle *domain_handle,
499 [in] samr_GroupAccessMask access_mask,
501 [out,ref] policy_handle *group_handle
504 /* Group attributes */
505 typedef [public,bitmap32bit] bitmap {
506 SE_GROUP_MANDATORY = 0x00000001,
507 SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002,
508 SE_GROUP_ENABLED = 0x00000004,
509 SE_GROUP_OWNER = 0x00000008,
510 SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010,
511 SE_GROUP_RESOURCE = 0x20000000,
512 SE_GROUP_LOGON_ID = 0xC0000000
515 /************************/
520 samr_GroupAttrs attributes;
522 lsa_String description;
526 samr_GroupAttrs attributes;
527 } samr_GroupInfoAttributes;
530 lsa_String description;
531 } samr_GroupInfoDescription;
536 GROUPINFOATTRIBUTES = 3,
537 GROUPINFODESCRIPTION = 4,
539 } samr_GroupInfoEnum;
541 typedef [switch_type(samr_GroupInfoEnum)] union {
542 [case(GROUPINFOALL)] samr_GroupInfoAll all;
543 [case(GROUPINFONAME)] lsa_String name;
544 [case(GROUPINFOATTRIBUTES)] samr_GroupInfoAttributes attributes;
545 [case(GROUPINFODESCRIPTION)] lsa_String description;
546 [case(GROUPINFOALL2)] samr_GroupInfoAll all2;
549 NTSTATUS samr_QueryGroupInfo(
550 [in,ref] policy_handle *group_handle,
551 [in] samr_GroupInfoEnum level,
552 [out,ref,switch_is(level)] samr_GroupInfo **info
555 /************************/
557 NTSTATUS samr_SetGroupInfo(
558 [in,ref] policy_handle *group_handle,
559 [in] samr_GroupInfoEnum level,
560 [in,switch_is(level),ref] samr_GroupInfo *info
563 /************************/
565 NTSTATUS samr_AddGroupMember(
566 [in,ref] policy_handle *group_handle,
571 /************************/
573 NTSTATUS samr_DeleteDomainGroup(
574 [in,out,ref] policy_handle *group_handle
577 /************************/
579 NTSTATUS samr_DeleteGroupMember(
580 [in,ref] policy_handle *group_handle,
585 /************************/
589 [size_is(count)] uint32 *rids;
590 [size_is(count)] uint32 *types;
593 NTSTATUS samr_QueryGroupMember(
594 [in,ref] policy_handle *group_handle,
595 [out,ref] samr_RidTypeArray **rids
599 /************************/
603 win2003 seems to accept any data at all for the two integers
604 below, and doesn't seem to do anything with them that I can
605 see. Weird. I really expected the first integer to be a rid
606 and the second to be the attributes for that rid member.
608 NTSTATUS samr_SetMemberAttributesOfGroup(
609 [in,ref] policy_handle *group_handle,
610 [in] uint32 unknown1,
615 /************************/
617 NTSTATUS samr_OpenAlias (
618 [in,ref] policy_handle *domain_handle,
619 [in] samr_AliasAccessMask access_mask,
621 [out,ref] policy_handle *alias_handle
625 /************************/
631 lsa_String description;
637 ALIASINFODESCRIPTION = 3
638 } samr_AliasInfoEnum;
640 typedef [switch_type(samr_AliasInfoEnum)] union {
641 [case(ALIASINFOALL)] samr_AliasInfoAll all;
642 [case(ALIASINFONAME)] lsa_String name;
643 [case(ALIASINFODESCRIPTION)] lsa_String description;
646 NTSTATUS samr_QueryAliasInfo(
647 [in,ref] policy_handle *alias_handle,
648 [in] samr_AliasInfoEnum level,
649 [out,ref,switch_is(level)] samr_AliasInfo **info
652 /************************/
654 NTSTATUS samr_SetAliasInfo(
655 [in,ref] policy_handle *alias_handle,
656 [in] samr_AliasInfoEnum level,
657 [in,switch_is(level),ref] samr_AliasInfo *info
660 /************************/
662 NTSTATUS samr_DeleteDomAlias(
663 [in,out,ref] policy_handle *alias_handle
666 /************************/
668 NTSTATUS samr_AddAliasMember(
669 [in,ref] policy_handle *alias_handle,
670 [in,ref] dom_sid2 *sid
673 /************************/
675 NTSTATUS samr_DeleteAliasMember(
676 [in,ref] policy_handle *alias_handle,
677 [in,ref] dom_sid2 *sid
680 /************************/
682 NTSTATUS samr_GetMembersInAlias(
683 [in,ref] policy_handle *alias_handle,
684 [out,ref] lsa_SidArray *sids
687 /************************/
689 [public] NTSTATUS samr_OpenUser(
690 [in,ref] policy_handle *domain_handle,
691 [in] samr_UserAccessMask access_mask,
693 [out,ref] policy_handle *user_handle
696 /************************/
698 NTSTATUS samr_DeleteUser(
699 [in,out,ref] policy_handle *user_handle
702 /************************/
705 lsa_String account_name;
706 lsa_String full_name;
708 lsa_String description;
714 lsa_String unknown; /* settable, but doesn't stick. probably obsolete */
719 /* this is also used in samr and netlogon */
720 typedef [public, flag(NDR_PAHEX)] struct {
721 uint16 units_per_week;
722 [size_is(1260), length_is(units_per_week/8)] uint8 *bits;
726 lsa_String account_name;
727 lsa_String full_name;
730 lsa_String home_directory;
731 lsa_String home_drive;
732 lsa_String logon_script;
733 lsa_String profile_path;
734 lsa_String workstations;
737 NTTIME last_password_change;
738 NTTIME allow_password_change;
739 NTTIME force_password_change;
740 samr_LogonHours logon_hours;
741 uint16 bad_password_count;
743 samr_AcctFlags acct_flags;
747 samr_LogonHours logon_hours;
751 lsa_String account_name;
752 lsa_String full_name;
755 lsa_String home_directory;
756 lsa_String home_drive;
757 lsa_String logon_script;
758 lsa_String profile_path;
759 lsa_String description;
760 lsa_String workstations;
763 samr_LogonHours logon_hours;
764 uint16 bad_password_count;
766 NTTIME last_password_change;
768 samr_AcctFlags acct_flags;
772 lsa_String account_name;
773 lsa_String full_name;
777 lsa_String account_name;
781 lsa_String full_name;
789 lsa_String home_directory;
790 lsa_String home_drive;
794 lsa_String logon_script;
798 lsa_String profile_path;
802 lsa_String description;
806 lsa_String workstations;
810 samr_AcctFlags acct_flags;
817 typedef [public, flag(NDR_PAHEX)] struct {
822 samr_Password lm_pwd;
823 samr_Password nt_pwd;
824 boolean8 lm_pwd_active;
825 boolean8 nt_pwd_active;
829 lsa_BinaryString parameters;
832 /* this defines the bits used for fields_present in info21 */
833 typedef [bitmap32bit] bitmap {
834 SAMR_FIELD_ACCOUNT_NAME = 0x00000001,
835 SAMR_FIELD_FULL_NAME = 0x00000002,
836 SAMR_FIELD_RID = 0x00000004,
837 SAMR_FIELD_PRIMARY_GID = 0x00000008,
838 SAMR_FIELD_DESCRIPTION = 0x00000010,
839 SAMR_FIELD_COMMENT = 0x00000020,
840 SAMR_FIELD_HOME_DIRECTORY = 0x00000040,
841 SAMR_FIELD_HOME_DRIVE = 0x00000080,
842 SAMR_FIELD_LOGON_SCRIPT = 0x00000100,
843 SAMR_FIELD_PROFILE_PATH = 0x00000200,
844 SAMR_FIELD_WORKSTATIONS = 0x00000400,
845 SAMR_FIELD_LAST_LOGON = 0x00000800,
846 SAMR_FIELD_LAST_LOGOFF = 0x00001000,
847 SAMR_FIELD_LOGON_HOURS = 0x00002000,
848 SAMR_FIELD_BAD_PWD_COUNT = 0x00004000,
849 SAMR_FIELD_NUM_LOGONS = 0x00008000,
850 SAMR_FIELD_ALLOW_PWD_CHANGE = 0x00010000,
851 SAMR_FIELD_FORCE_PWD_CHANGE = 0x00020000,
852 SAMR_FIELD_LAST_PWD_CHANGE = 0x00040000,
853 SAMR_FIELD_ACCT_EXPIRY = 0x00080000,
854 SAMR_FIELD_ACCT_FLAGS = 0x00100000,
855 SAMR_FIELD_PARAMETERS = 0x00200000,
856 SAMR_FIELD_COUNTRY_CODE = 0x00400000,
857 SAMR_FIELD_CODE_PAGE = 0x00800000,
858 SAMR_FIELD_PASSWORD = 0x01000000, /* either of these */
859 SAMR_FIELD_PASSWORD2 = 0x02000000, /* two bits seems to work */
860 SAMR_FIELD_PRIVATE_DATA = 0x04000000,
861 SAMR_FIELD_EXPIRED_FLAG = 0x08000000,
862 SAMR_FIELD_SEC_DESC = 0x10000000,
863 SAMR_FIELD_OWF_PWD = 0x20000000
864 } samr_FieldsPresent;
866 /* used for 'password_expired' in samr_UserInfo21 */
867 const int PASS_MUST_CHANGE_AT_NEXT_LOGON = 0x01;
868 const int PASS_DONT_CHANGE_AT_NEXT_LOGON = 0x00;
873 NTTIME last_password_change;
875 NTTIME allow_password_change;
876 NTTIME force_password_change;
877 lsa_String account_name;
878 lsa_String full_name;
879 lsa_String home_directory;
880 lsa_String home_drive;
881 lsa_String logon_script;
882 lsa_String profile_path;
883 lsa_String description;
884 lsa_String workstations;
886 lsa_BinaryString parameters;
891 [size_is(buf_count)] uint8 *buffer;
894 samr_AcctFlags acct_flags;
895 samr_FieldsPresent fields_present;
896 samr_LogonHours logon_hours;
897 uint16 bad_password_count;
901 uint8 nt_password_set;
902 uint8 lm_password_set;
903 uint8 password_expired;
907 typedef [public, flag(NDR_PAHEX)] struct {
909 } samr_CryptPassword;
912 samr_UserInfo21 info;
913 samr_CryptPassword password;
917 samr_CryptPassword password;
921 typedef [flag(NDR_PAHEX)] struct {
923 } samr_CryptPasswordEx;
926 samr_UserInfo21 info;
927 samr_CryptPasswordEx password;
931 samr_CryptPasswordEx password;
935 typedef [switch_type(uint16)] union {
936 [case(1)] samr_UserInfo1 info1;
937 [case(2)] samr_UserInfo2 info2;
938 [case(3)] samr_UserInfo3 info3;
939 [case(4)] samr_UserInfo4 info4;
940 [case(5)] samr_UserInfo5 info5;
941 [case(6)] samr_UserInfo6 info6;
942 [case(7)] samr_UserInfo7 info7;
943 [case(8)] samr_UserInfo8 info8;
944 [case(9)] samr_UserInfo9 info9;
945 [case(10)] samr_UserInfo10 info10;
946 [case(11)] samr_UserInfo11 info11;
947 [case(12)] samr_UserInfo12 info12;
948 [case(13)] samr_UserInfo13 info13;
949 [case(14)] samr_UserInfo14 info14;
950 [case(16)] samr_UserInfo16 info16;
951 [case(17)] samr_UserInfo17 info17;
952 [case(18)] samr_UserInfo18 info18;
953 [case(20)] samr_UserInfo20 info20;
954 [case(21)] samr_UserInfo21 info21;
955 [case(23)] samr_UserInfo23 info23;
956 [case(24)] samr_UserInfo24 info24;
957 [case(25)] samr_UserInfo25 info25;
958 [case(26)] samr_UserInfo26 info26;
961 [public] NTSTATUS samr_QueryUserInfo(
962 [in,ref] policy_handle *user_handle,
964 [out,ref,switch_is(level)] samr_UserInfo **info
968 /************************/
970 [public] NTSTATUS samr_SetUserInfo(
971 [in,ref] policy_handle *user_handle,
973 [in,ref,switch_is(level)] samr_UserInfo *info
976 /************************/
979 this is a password change interface that doesn't give
980 the server the plaintext password. Depricated.
982 NTSTATUS samr_ChangePasswordUser(
983 [in,ref] policy_handle *user_handle,
984 [in] boolean8 lm_present,
985 [in,unique] samr_Password *old_lm_crypted,
986 [in,unique] samr_Password *new_lm_crypted,
987 [in] boolean8 nt_present,
988 [in,unique] samr_Password *old_nt_crypted,
989 [in,unique] samr_Password *new_nt_crypted,
990 [in] boolean8 cross1_present,
991 [in,unique] samr_Password *nt_cross,
992 [in] boolean8 cross2_present,
993 [in,unique] samr_Password *lm_cross
996 /************************/
999 typedef [public] struct {
1001 samr_GroupAttrs attributes;
1002 } samr_RidWithAttribute;
1004 typedef [public] struct {
1006 [size_is(count)] samr_RidWithAttribute *rids;
1007 } samr_RidWithAttributeArray;
1009 NTSTATUS samr_GetGroupsForUser(
1010 [in,ref] policy_handle *user_handle,
1011 [out,ref] samr_RidWithAttributeArray **rids
1014 /************************/
1020 samr_AcctFlags acct_flags;
1021 lsa_String account_name;
1022 lsa_String description;
1023 lsa_String full_name;
1024 } samr_DispEntryGeneral;
1028 [size_is(count)] samr_DispEntryGeneral *entries;
1029 } samr_DispInfoGeneral;
1034 samr_AcctFlags acct_flags;
1035 lsa_String account_name;
1036 lsa_String description;
1037 } samr_DispEntryFull;
1041 [size_is(count)] samr_DispEntryFull *entries;
1042 } samr_DispInfoFull;
1047 samr_GroupAttrs acct_flags;
1048 lsa_String account_name;
1049 lsa_String description;
1050 } samr_DispEntryFullGroup;
1054 [size_is(count)] samr_DispEntryFullGroup *entries;
1055 } samr_DispInfoFullGroups;
1059 lsa_AsciiStringLarge account_name;
1060 } samr_DispEntryAscii;
1064 [size_is(count)] samr_DispEntryAscii *entries;
1065 } samr_DispInfoAscii;
1067 typedef [switch_type(uint16)] union {
1068 [case(1)] samr_DispInfoGeneral info1;/* users */
1069 [case(2)] samr_DispInfoFull info2; /* trust accounts? */
1070 [case(3)] samr_DispInfoFullGroups info3; /* groups */
1071 [case(4)] samr_DispInfoAscii info4; /* users */
1072 [case(5)] samr_DispInfoAscii info5; /* groups */
1075 NTSTATUS samr_QueryDisplayInfo(
1076 [in,ref] policy_handle *domain_handle,
1078 [in] uint32 start_idx,
1079 [in] uint32 max_entries,
1080 [in] uint32 buf_size,
1081 [out,ref] uint32 *total_size,
1082 [out,ref] uint32 *returned_size,
1083 [out,ref,switch_is(level)] samr_DispInfo *info
1087 /************************/
1091 this seems to be an alphabetic search function. The returned index
1092 is the index for samr_QueryDisplayInfo needed to get names occurring
1093 after the specified name. The supplied name does not need to exist
1094 in the database (for example you can supply just a first letter for
1095 searching starting at that letter)
1097 The level corresponds to the samr_QueryDisplayInfo level
1099 NTSTATUS samr_GetDisplayEnumerationIndex(
1100 [in,ref] policy_handle *domain_handle,
1102 [in,ref] lsa_String *name,
1103 [out,ref] uint32 *idx
1108 /************************/
1112 w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this
1114 NTSTATUS samr_TestPrivateFunctionsDomain(
1115 [in,ref] policy_handle *domain_handle
1119 /************************/
1123 w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this
1125 NTSTATUS samr_TestPrivateFunctionsUser(
1126 [in,ref] policy_handle *user_handle
1130 /************************/
1134 uint16 min_password_length;
1135 samr_PasswordProperties password_properties;
1138 [public] NTSTATUS samr_GetUserPwInfo(
1139 [in,ref] policy_handle *user_handle,
1140 [out,ref] samr_PwInfo *info
1143 /************************/
1145 NTSTATUS samr_RemoveMemberFromForeignDomain(
1146 [in,ref] policy_handle *domain_handle,
1147 [in,ref] dom_sid2 *sid
1150 /************************/
1154 how is this different from QueryDomainInfo ??
1156 NTSTATUS samr_QueryDomainInfo2(
1157 [in,ref] policy_handle *domain_handle,
1159 [out,ref,switch_is(level)] samr_DomainInfo **info
1162 /************************/
1166 how is this different from QueryUserInfo ??
1168 NTSTATUS samr_QueryUserInfo2(
1169 [in,ref] policy_handle *user_handle,
1171 [out,ref,switch_is(level)] samr_UserInfo *info
1174 /************************/
1178 how is this different from QueryDisplayInfo??
1180 NTSTATUS samr_QueryDisplayInfo2(
1181 [in,ref] policy_handle *domain_handle,
1183 [in] uint32 start_idx,
1184 [in] uint32 max_entries,
1185 [in] uint32 buf_size,
1186 [out,ref] uint32 *total_size,
1187 [out,ref] uint32 *returned_size,
1188 [out,ref,switch_is(level)] samr_DispInfo *info
1191 /************************/
1195 how is this different from GetDisplayEnumerationIndex ??
1197 NTSTATUS samr_GetDisplayEnumerationIndex2(
1198 [in,ref] policy_handle *domain_handle,
1200 [in,ref] lsa_String *name,
1201 [out,ref] uint32 *idx
1205 /************************/
1207 NTSTATUS samr_CreateUser2(
1208 [in,ref] policy_handle *domain_handle,
1209 [in,ref] lsa_String *account_name,
1210 [in] samr_AcctFlags acct_flags,
1211 [in] samr_UserAccessMask access_mask,
1212 [out,ref] policy_handle *user_handle,
1213 [out,ref] uint32 *access_granted,
1214 [out,ref] uint32 *rid
1218 /************************/
1222 another duplicate. There must be a reason ....
1224 NTSTATUS samr_QueryDisplayInfo3(
1225 [in,ref] policy_handle *domain_handle,
1227 [in] uint32 start_idx,
1228 [in] uint32 max_entries,
1229 [in] uint32 buf_size,
1230 [out,ref] uint32 *total_size,
1231 [out,ref] uint32 *returned_size,
1232 [out,ref,switch_is(level)] samr_DispInfo *info
1235 /************************/
1237 NTSTATUS samr_AddMultipleMembersToAlias(
1238 [in,ref] policy_handle *alias_handle,
1239 [in,ref] lsa_SidArray *sids
1242 /************************/
1244 NTSTATUS samr_RemoveMultipleMembersFromAlias(
1245 [in,ref] policy_handle *alias_handle,
1246 [in,ref] lsa_SidArray *sids
1249 /************************/
1252 NTSTATUS samr_OemChangePasswordUser2(
1253 [in,unique] lsa_AsciiString *server,
1254 [in,ref] lsa_AsciiString *account,
1255 [in,unique] samr_CryptPassword *password,
1256 [in,unique] samr_Password *hash
1259 /************************/
1261 NTSTATUS samr_ChangePasswordUser2(
1262 [in,unique] lsa_String *server,
1263 [in,ref] lsa_String *account,
1264 [in,unique] samr_CryptPassword *nt_password,
1265 [in,unique] samr_Password *nt_verifier,
1266 [in] boolean8 lm_change,
1267 [in,unique] samr_CryptPassword *lm_password,
1268 [in,unique] samr_Password *lm_verifier
1271 /************************/
1273 NTSTATUS samr_GetDomPwInfo(
1274 [in,unique] lsa_String *domain_name,
1275 [out,ref] samr_PwInfo *info
1278 /************************/
1280 NTSTATUS samr_Connect2(
1281 [in,unique,string,charset(UTF16)] uint16 *system_name,
1282 [in] samr_ConnectAccessMask access_mask,
1283 [out,ref] policy_handle *connect_handle
1286 /************************/
1289 seems to be an exact alias for samr_SetUserInfo()
1291 [public] NTSTATUS samr_SetUserInfo2(
1292 [in,ref] policy_handle *user_handle,
1294 [in,ref,switch_is(level)] samr_UserInfo *info
1297 /************************/
1300 this one is mysterious. I have a few guesses, but nothing working yet
1302 NTSTATUS samr_SetBootKeyInformation(
1303 [in,ref] policy_handle *connect_handle,
1304 [in] uint32 unknown1,
1305 [in] uint32 unknown2,
1306 [in] uint32 unknown3
1309 /************************/
1311 NTSTATUS samr_GetBootKeyInformation(
1312 [in,ref] policy_handle *domain_handle,
1313 [out,ref] uint32 *unknown
1316 /************************/
1318 NTSTATUS samr_Connect3(
1319 [in,unique,string,charset(UTF16)] uint16 *system_name,
1320 /* this unknown value seems to be completely ignored by w2k3 */
1321 [in] uint32 unknown,
1322 [in] samr_ConnectAccessMask access_mask,
1323 [out,ref] policy_handle *connect_handle
1326 /************************/
1330 SAMR_CONNECT_PRE_W2K = 1,
1331 SAMR_CONNECT_W2K = 2,
1332 SAMR_CONNECT_AFTER_W2K = 3
1333 } samr_ConnectVersion;
1335 NTSTATUS samr_Connect4(
1336 [in,unique,string,charset(UTF16)] uint16 *system_name,
1337 [in] samr_ConnectVersion client_version,
1338 [in] samr_ConnectAccessMask access_mask,
1339 [out,ref] policy_handle *connect_handle
1342 /************************/
1345 typedef enum samr_RejectReason samr_RejectReason;
1348 samr_RejectReason reason;
1351 } samr_ChangeReject;
1353 NTSTATUS samr_ChangePasswordUser3(
1354 [in,unique] lsa_String *server,
1355 [in,ref] lsa_String *account,
1356 [in,unique] samr_CryptPassword *nt_password,
1357 [in,unique] samr_Password *nt_verifier,
1358 [in] boolean8 lm_change,
1359 [in,unique] samr_CryptPassword *lm_password,
1360 [in,unique] samr_Password *lm_verifier,
1361 [in,unique] samr_CryptPassword *password3,
1362 [out,ref] samr_DomInfo1 **dominfo,
1363 [out,ref] samr_ChangeReject **reject
1366 /************************/
1370 samr_ConnectVersion client_version; /* w2k3 gives 3 */
1371 uint32 unknown2; /* w2k3 gives 0 */
1372 } samr_ConnectInfo1;
1375 [case(1)] samr_ConnectInfo1 info1;
1378 [public] NTSTATUS samr_Connect5(
1379 [in,unique,string,charset(UTF16)] uint16 *system_name,
1380 [in] samr_ConnectAccessMask access_mask,
1381 [in] uint32 level_in,
1382 [in,ref,switch_is(level_in)] samr_ConnectInfo *info_in,
1383 [out,ref] uint32 *level_out,
1384 [out,ref,switch_is(*level_out)] samr_ConnectInfo *info_out,
1385 [out,ref] policy_handle *connect_handle
1388 /************************/
1390 NTSTATUS samr_RidToSid(
1391 [in,ref] policy_handle *domain_handle,
1393 [out,ref] dom_sid2 *sid
1397 /************************/
1401 this should set the DSRM password for the server, which is used
1402 when booting into Directory Services Recovery Mode on a DC. Win2003
1403 gives me NT_STATUS_NOT_SUPPORTED
1406 NTSTATUS samr_SetDsrmPassword(
1407 [in,unique] lsa_String *name,
1408 [in] uint32 unknown,
1409 [in,unique] samr_Password *hash
1413 /************************/
1415 /************************/
1416 typedef [bitmap32bit] bitmap {
1417 SAMR_VALIDATE_FIELD_PASSWORD_LAST_SET = 0x00000001,
1418 SAMR_VALIDATE_FIELD_BAD_PASSWORD_TIME = 0x00000002,
1419 SAMR_VALIDATE_FIELD_LOCKOUT_TIME = 0x00000004,
1420 SAMR_VALIDATE_FIELD_BAD_PASSWORD_COUNT = 0x00000008,
1421 SAMR_VALIDATE_FIELD_PASSWORD_HISTORY_LENGTH = 0x00000010,
1422 SAMR_VALIDATE_FIELD_PASSWORD_HISTORY = 0x00000020
1423 } samr_ValidateFieldsPresent;
1426 NetValidateAuthentication = 1,
1427 NetValidatePasswordChange= 2,
1428 NetValidatePasswordReset = 3
1429 } samr_ValidatePasswordLevel;
1431 /* NetApi maps samr_ValidationStatus errors to WERRORs. Haven't
1432 * identified the mapping of
1433 * - NERR_PasswordFilterError
1434 * - NERR_PasswordExpired and
1435 * - NERR_PasswordCantChange
1440 SAMR_VALIDATION_STATUS_SUCCESS = 0,
1441 SAMR_VALIDATION_STATUS_PASSWORD_MUST_CHANGE = 1,
1442 SAMR_VALIDATION_STATUS_ACCOUNT_LOCKED_OUT = 2,
1443 SAMR_VALIDATION_STATUS_BAD_PASSWORD = 4,
1444 SAMR_VALIDATION_STATUS_PWD_HISTORY_CONFLICT = 5,
1445 SAMR_VALIDATION_STATUS_PWD_TOO_SHORT = 6,
1446 SAMR_VALIDATION_STATUS_PWD_TOO_LONG = 7,
1447 SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH = 8,
1448 SAMR_VALIDATION_STATUS_PASSWORD_TOO_RECENT = 9
1449 } samr_ValidationStatus;
1453 [size_is(length)] uint8 *data;
1454 } samr_ValidationBlob;
1457 samr_ValidateFieldsPresent fields_present;
1458 NTTIME_hyper last_password_change;
1459 NTTIME_hyper bad_password_time;
1460 NTTIME_hyper lockout_time;
1461 uint32 bad_pwd_count;
1462 uint32 pwd_history_len;
1463 [size_is(pwd_history_len)] samr_ValidationBlob *pwd_history;
1464 } samr_ValidatePasswordInfo;
1467 samr_ValidatePasswordInfo info;
1468 samr_ValidationStatus status;
1469 } samr_ValidatePasswordRepCtr;
1471 typedef [switch_type(uint16)] union {
1472 [case(1)] samr_ValidatePasswordRepCtr ctr1;
1473 [case(2)] samr_ValidatePasswordRepCtr ctr2;
1474 [case(3)] samr_ValidatePasswordRepCtr ctr3;
1475 } samr_ValidatePasswordRep;
1478 samr_ValidatePasswordInfo info;
1479 lsa_StringLarge password;
1480 lsa_StringLarge account;
1481 samr_ValidationBlob hash;
1482 boolean8 pwd_must_change_at_next_logon;
1483 boolean8 clear_lockout;
1484 } samr_ValidatePasswordReq3;
1487 samr_ValidatePasswordInfo info;
1488 lsa_StringLarge password;
1489 lsa_StringLarge account;
1490 samr_ValidationBlob hash;
1491 boolean8 password_matched;
1492 } samr_ValidatePasswordReq2;
1495 samr_ValidatePasswordInfo info;
1496 boolean8 password_matched;
1497 } samr_ValidatePasswordReq1;
1499 typedef [switch_type(uint16)] union {
1500 [case(1)] samr_ValidatePasswordReq1 req1;
1501 [case(2)] samr_ValidatePasswordReq2 req2;
1502 [case(3)] samr_ValidatePasswordReq3 req3;
1503 } samr_ValidatePasswordReq;
1505 NTSTATUS samr_ValidatePassword(
1506 [in] samr_ValidatePasswordLevel level,
1507 [in,switch_is(level)] samr_ValidatePasswordReq req,
1508 [out,ref,switch_is(level)] samr_ValidatePasswordRep *rep
git.samba.org / ira / wip.git / blob