4 samr interface definition
6 import
"misc.idl", "lsa.idl", "security.idl";
9 Thanks to Todd Sabin for some information from his samr.idl in acltools
12 [ uuid("12345778-1234-abcd-ef00-0123456789ac"),
14 endpoint("ncacn_np:[\\pipe\\samr]","ncacn_ip_tcp:", "ncalrpc:"),
15 pointer_default(unique)
18 typedef bitmap security_secinfo security_secinfo
;
20 /* account control (acct_flags) bits */
21 typedef [public,bitmap32bit
] bitmap
{
22 ACB_DISABLED
= 0x00000001, /* 1 = User account disabled */
23 ACB_HOMDIRREQ
= 0x00000002, /* 1 = Home directory required */
24 ACB_PWNOTREQ
= 0x00000004, /* 1 = User password not required */
25 ACB_TEMPDUP
= 0x00000008, /* 1 = Temporary duplicate account */
26 ACB_NORMAL
= 0x00000010, /* 1 = Normal user account */
27 ACB_MNS
= 0x00000020, /* 1 = MNS logon user account */
28 ACB_DOMTRUST
= 0x00000040, /* 1 = Interdomain trust account */
29 ACB_WSTRUST
= 0x00000080, /* 1 = Workstation trust account */
30 ACB_SVRTRUST
= 0x00000100, /* 1 = Server trust account */
31 ACB_PWNOEXP
= 0x00000200, /* 1 = User password does not expire */
32 ACB_AUTOLOCK
= 0x00000400, /* 1 = Account auto locked */
33 ACB_ENC_TXT_PWD_ALLOWED
= 0x00000800, /* 1 = Encryped text password is allowed */
34 ACB_SMARTCARD_REQUIRED
= 0x00001000, /* 1 = Smart Card required */
35 ACB_TRUSTED_FOR_DELEGATION
= 0x00002000, /* 1 = Trusted for Delegation */
36 ACB_NOT_DELEGATED
= 0x00004000, /* 1 = Not delegated */
37 ACB_USE_DES_KEY_ONLY
= 0x00008000, /* 1 = Use DES key only */
38 ACB_DONT_REQUIRE_PREAUTH
= 0x00010000, /* 1 = Preauth not required */
39 ACB_PW_EXPIRED
= 0x00020000, /* 1 = Password Expired */
40 ACB_NO_AUTH_DATA_REQD
= 0x00080000 /* 1 = No authorization data required */
43 typedef [bitmap32bit
] bitmap
{
44 SAMR_ACCESS_CONNECT_TO_SERVER
= 0x00000001,
45 SAMR_ACCESS_SHUTDOWN_SERVER
= 0x00000002,
46 SAMR_ACCESS_INITIALIZE_SERVER
= 0x00000004,
47 SAMR_ACCESS_CREATE_DOMAIN
= 0x00000008,
48 SAMR_ACCESS_ENUM_DOMAINS
= 0x00000010,
49 SAMR_ACCESS_OPEN_DOMAIN
= 0x00000020
50 } samr_ConnectAccessMask
;
52 typedef [bitmap32bit
] bitmap
{
53 SAMR_USER_ACCESS_GET_NAME_ETC
= 0x00000001,
54 SAMR_USER_ACCESS_GET_LOCALE
= 0x00000002,
55 SAMR_USER_ACCESS_SET_LOC_COM
= 0x00000004,
56 SAMR_USER_ACCESS_GET_LOGONINFO
= 0x00000008,
57 SAMR_USER_ACCESS_GET_ATTRIBUTES
= 0x00000010,
58 SAMR_USER_ACCESS_SET_ATTRIBUTES
= 0x00000020,
59 SAMR_USER_ACCESS_CHANGE_PASSWORD
= 0x00000040,
60 SAMR_USER_ACCESS_SET_PASSWORD
= 0x00000080,
61 SAMR_USER_ACCESS_GET_GROUPS
= 0x00000100,
62 SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP
= 0x00000200,
63 SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP
= 0x00000400
64 } samr_UserAccessMask
;
66 typedef [bitmap32bit
] bitmap
{
67 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
= 0x00000001,
68 SAMR_DOMAIN_ACCESS_SET_INFO_1
= 0x00000002,
69 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
= 0x00000004,
70 SAMR_DOMAIN_ACCESS_SET_INFO_2
= 0x00000008,
71 SAMR_DOMAIN_ACCESS_CREATE_USER
= 0x00000010,
72 SAMR_DOMAIN_ACCESS_CREATE_GROUP
= 0x00000020,
73 SAMR_DOMAIN_ACCESS_CREATE_ALIAS
= 0x00000040,
74 SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
= 0x00000080,
75 SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
= 0x00000100,
76 SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
= 0x00000200,
77 SAMR_DOMAIN_ACCESS_SET_INFO_3
= 0x00000400
78 } samr_DomainAccessMask
;
80 typedef [bitmap32bit
] bitmap
{
81 SAMR_GROUP_ACCESS_LOOKUP_INFO
= 0x00000001,
82 SAMR_GROUP_ACCESS_SET_INFO
= 0x00000002,
83 SAMR_GROUP_ACCESS_ADD_MEMBER
= 0x00000004,
84 SAMR_GROUP_ACCESS_REMOVE_MEMBER
= 0x00000008,
85 SAMR_GROUP_ACCESS_GET_MEMBERS
= 0x00000010
86 } samr_GroupAccessMask
;
88 typedef [bitmap32bit
] bitmap
{
89 SAMR_ALIAS_ACCESS_ADD_MEMBER
= 0x00000001,
90 SAMR_ALIAS_ACCESS_REMOVE_MEMBER
= 0x00000002,
91 SAMR_ALIAS_ACCESS_GET_MEMBERS
= 0x00000004,
92 SAMR_ALIAS_ACCESS_LOOKUP_INFO
= 0x00000008,
93 SAMR_ALIAS_ACCESS_SET_INFO
= 0x00000010
94 } samr_AliasAccessMask
;
98 NTSTATUS samr_Connect
(
99 /* notice the lack of [string] */
100 [in,unique] uint16
*system_name
,
101 [in] samr_ConnectAccessMask access_mask
,
102 [out,ref] policy_handle
*connect_handle
108 [public] NTSTATUS samr_Close
(
109 [in,out,ref] policy_handle
*handle
115 NTSTATUS samr_SetSecurity
(
116 [in,ref] policy_handle
*handle,
117 [in] security_secinfo sec_info
,
118 [in,ref] sec_desc_buf
*sdbuf
124 NTSTATUS samr_QuerySecurity
(
125 [in,ref] policy_handle
*handle,
126 [in] security_secinfo sec_info
,
127 [out,ref] sec_desc_buf
**sdbuf
134 shutdown the SAM - once you call this the SAM will be dead
136 NTSTATUS samr_Shutdown
(
137 [in,ref] policy_handle
*connect_handle
142 NTSTATUS samr_LookupDomain
(
143 [in,ref] policy_handle
*connect_handle
,
144 [in,ref] lsa_String
*domain_name
,
145 [out,ref] dom_sid2
**sid
159 [size_is(count
)] samr_SamEntry
*entries
;
162 NTSTATUS samr_EnumDomains
(
163 [in] policy_handle
*connect_handle
,
164 [in,out,ref] uint32
*resume_handle
,
165 [out,ref] samr_SamArray
**sam
,
166 [in] uint32 buf_size
,
167 [out,ref] uint32
*num_entries
171 /************************/
173 [public] NTSTATUS samr_OpenDomain
(
174 [in,ref] policy_handle
*connect_handle
,
175 [in] samr_DomainAccessMask access_mask
,
176 [in,ref] dom_sid2
*sid
,
177 [out,ref] policy_handle
*domain_handle
180 /************************/
183 typedef [v1_enum] enum {
184 SAMR_ROLE_STANDALONE
= 0,
185 SAMR_ROLE_DOMAIN_MEMBER
= 1,
186 SAMR_ROLE_DOMAIN_BDC
= 2,
187 SAMR_ROLE_DOMAIN_PDC
= 3
190 /* password properties flags */
191 typedef [public,bitmap32bit
] bitmap
{
192 DOMAIN_PASSWORD_COMPLEX
= 0x00000001,
193 DOMAIN_PASSWORD_NO_ANON_CHANGE
= 0x00000002,
194 DOMAIN_PASSWORD_NO_CLEAR_CHANGE
= 0x00000004,
195 DOMAIN_PASSWORD_LOCKOUT_ADMINS
= 0x00000008,
196 DOMAIN_PASSWORD_STORE_CLEARTEXT
= 0x00000010,
197 DOMAIN_REFUSE_PASSWORD_CHANGE
= 0x00000020
198 } samr_PasswordProperties
;
201 uint16 min_password_length
;
202 uint16 password_history_length
;
203 samr_PasswordProperties password_properties
;
204 /* yes, these are signed. They are in negative 100ns */
205 dlong max_password_age
;
206 dlong min_password_age
;
210 NTTIME force_logoff_time
;
212 lsa_String domain_name
;
213 lsa_String primary
; /* PDC name if this is a BDC */
224 NTTIME force_logoff_time
;
232 lsa_String domain_name
;
245 NTTIME domain_create_time
;
249 uint32 unknown
; /* w2k3 returns 1 */
254 hyper lockout_duration
;
255 hyper lockout_window
;
256 uint16 lockout_threshold
;
260 hyper lockout_duration
;
261 hyper lockout_window
;
262 uint16 lockout_threshold
;
267 NTTIME domain_create_time
;
272 typedef [switch_type(uint16
)] union {
273 [case(1)] samr_DomInfo1 info1
;
274 [case(2)] samr_DomInfo2 info2
;
275 [case(3)] samr_DomInfo3 info3
;
276 [case(4)] samr_DomInfo4 info4
;
277 [case(5)] samr_DomInfo5 info5
;
278 [case(6)] samr_DomInfo6 info6
;
279 [case(7)] samr_DomInfo7 info7
;
280 [case(8)] samr_DomInfo8 info8
;
281 [case(9)] samr_DomInfo9 info9
;
282 [case(11)] samr_DomInfo11 info11
;
283 [case(12)] samr_DomInfo12 info12
;
284 [case(13)] samr_DomInfo13 info13
;
287 NTSTATUS samr_QueryDomainInfo
(
288 [in,ref] policy_handle
*domain_handle
,
290 [out,ref,switch_is(level
)] samr_DomainInfo
**info
293 /************************/
296 only levels 1, 3, 4, 6, 7, 9, 12 are valid for this
299 NTSTATUS samr_SetDomainInfo
(
300 [in,ref] policy_handle
*domain_handle
,
302 [in,switch_is(level
),ref] samr_DomainInfo
*info
306 /************************/
308 NTSTATUS samr_CreateDomainGroup
(
309 [in,ref] policy_handle
*domain_handle
,
310 [in,ref] lsa_String
*name
,
311 [in] samr_GroupAccessMask access_mask
,
312 [out,ref] policy_handle
*group_handle
,
313 [out,ref] uint32
*rid
317 /************************/
320 const int MAX_SAM_ENTRIES_W2K
= 0x400; /* 1024 */
321 const int MAX_SAM_ENTRIES_W95
= 50;
323 NTSTATUS samr_EnumDomainGroups
(
324 [in] policy_handle
*domain_handle
,
325 [in,out,ref] uint32
*resume_handle
,
326 [out,ref] samr_SamArray
**sam
,
327 [in] uint32 max_size
,
328 [out,ref] uint32
*num_entries
331 /************************/
333 NTSTATUS samr_CreateUser
(
334 [in,ref] policy_handle
*domain_handle
,
335 [in,ref] lsa_String
*account_name
,
336 [in] samr_UserAccessMask access_mask
,
337 [out,ref] policy_handle
*user_handle
,
338 [out,ref] uint32
*rid
341 /************************/
345 /* w2k3 treats max_size as max_users*54 and sets the
346 resume_handle as the rid of the last user sent
348 const int SAMR_ENUM_USERS_MULTIPLIER
= 54;
350 NTSTATUS samr_EnumDomainUsers
(
351 [in] policy_handle
*domain_handle
,
352 [in,out,ref] uint32
*resume_handle
,
353 [in] samr_AcctFlags acct_flags
,
354 [out,ref] samr_SamArray
**sam
,
355 [in] uint32 max_size
,
356 [out,ref] uint32
*num_entries
359 /************************/
361 NTSTATUS samr_CreateDomAlias
(
362 [in,ref] policy_handle
*domain_handle
,
363 [in,ref] lsa_String
*alias_name
,
364 [in] samr_AliasAccessMask access_mask
,
365 [out,ref] policy_handle
*alias_handle
,
366 [out,ref] uint32
*rid
369 /************************/
371 NTSTATUS samr_EnumDomainAliases
(
372 [in] policy_handle
*domain_handle
,
373 [in,out,ref] uint32
*resume_handle
,
374 [out,ref] samr_SamArray
**sam
,
375 [in] uint32 max_size
,
376 [out,ref] uint32
*num_entries
379 /************************/
383 [range(0,1024)] uint32 count
;
384 [size_is(count
)] uint32
*ids
;
387 NTSTATUS samr_GetAliasMembership
(
388 [in,ref] policy_handle
*domain_handle
,
389 [in,ref] lsa_SidArray
*sids
,
390 [out,ref] samr_Ids
*rids
393 /************************/
396 [public] NTSTATUS samr_LookupNames
(
397 [in,ref] policy_handle
*domain_handle
,
398 [in,range(0,1000)] uint32 num_names
,
399 [in,size_is(1000),length_is(num_names
)] lsa_String names
[],
400 [out,ref] samr_Ids
*rids
,
401 [out,ref] samr_Ids
*types
405 /************************/
407 NTSTATUS samr_LookupRids
(
408 [in,ref] policy_handle
*domain_handle
,
409 [in,range(0,1000)] uint32 num_rids
,
410 [in,size_is(1000),length_is(num_rids
)] uint32 rids
[],
411 [out,ref] lsa_Strings
*names
,
412 [out,ref] samr_Ids
*types
415 /************************/
417 NTSTATUS samr_OpenGroup
(
418 [in,ref] policy_handle
*domain_handle
,
419 [in] samr_GroupAccessMask access_mask
,
421 [out,ref] policy_handle
*group_handle
424 /* Group attributes */
425 typedef [public,bitmap32bit
] bitmap
{
426 SE_GROUP_MANDATORY
= 0x00000001,
427 SE_GROUP_ENABLED_BY_DEFAULT
= 0x00000002,
428 SE_GROUP_ENABLED
= 0x00000004,
429 SE_GROUP_OWNER
= 0x00000008,
430 SE_GROUP_USE_FOR_DENY_ONLY
= 0x00000010,
431 SE_GROUP_RESOURCE
= 0x20000000,
432 SE_GROUP_LOGON_ID
= 0xC0000000
435 /************************/
440 samr_GroupAttrs attributes
;
442 lsa_String description
;
446 samr_GroupAttrs attributes
;
447 } samr_GroupInfoAttributes
;
450 lsa_String description
;
451 } samr_GroupInfoDescription
;
456 GROUPINFOATTRIBUTES
= 3,
457 GROUPINFODESCRIPTION
= 4,
459 } samr_GroupInfoEnum
;
461 typedef [switch_type(samr_GroupInfoEnum
)] union {
462 [case(GROUPINFOALL
)] samr_GroupInfoAll all
;
463 [case(GROUPINFONAME
)] lsa_String name
;
464 [case(GROUPINFOATTRIBUTES
)] samr_GroupInfoAttributes attributes
;
465 [case(GROUPINFODESCRIPTION
)] lsa_String description
;
466 [case(GROUPINFOALL2
)] samr_GroupInfoAll all2
;
469 NTSTATUS samr_QueryGroupInfo
(
470 [in,ref] policy_handle
*group_handle
,
471 [in] samr_GroupInfoEnum level
,
472 [out,ref,switch_is(level
)] samr_GroupInfo
**info
475 /************************/
477 NTSTATUS samr_SetGroupInfo
(
478 [in,ref] policy_handle
*group_handle
,
479 [in] samr_GroupInfoEnum level
,
480 [in,switch_is(level
),ref] samr_GroupInfo
*info
483 /************************/
485 NTSTATUS samr_AddGroupMember
(
486 [in,ref] policy_handle
*group_handle
,
491 /************************/
493 NTSTATUS samr_DeleteDomainGroup
(
494 [in,out,ref] policy_handle
*group_handle
497 /************************/
499 NTSTATUS samr_DeleteGroupMember
(
500 [in,ref] policy_handle
*group_handle
,
505 /************************/
509 [size_is(count
)] uint32
*rids
;
510 [size_is(count
)] uint32
*types
;
513 NTSTATUS samr_QueryGroupMember
(
514 [in,ref] policy_handle
*group_handle
,
515 [out,ref] samr_RidTypeArray
**rids
519 /************************/
523 win2003 seems to accept any data at all for the two integers
524 below, and doesn't seem to do anything with them that I can
525 see. Weird. I really expected the first integer to be a rid
526 and the second to be the attributes for that rid member.
528 NTSTATUS samr_SetMemberAttributesOfGroup
(
529 [in,ref] policy_handle
*group_handle
,
530 [in] uint32 unknown1
,
535 /************************/
537 NTSTATUS samr_OpenAlias
(
538 [in,ref] policy_handle
*domain_handle
,
539 [in] samr_AliasAccessMask access_mask
,
541 [out,ref] policy_handle
*alias_handle
545 /************************/
551 lsa_String description
;
557 ALIASINFODESCRIPTION
= 3
558 } samr_AliasInfoEnum
;
560 typedef [switch_type(samr_AliasInfoEnum
)] union {
561 [case(ALIASINFOALL
)] samr_AliasInfoAll all
;
562 [case(ALIASINFONAME
)] lsa_String name
;
563 [case(ALIASINFODESCRIPTION
)] lsa_String description
;
566 NTSTATUS samr_QueryAliasInfo
(
567 [in,ref] policy_handle
*alias_handle
,
568 [in] samr_AliasInfoEnum level
,
569 [out,ref,switch_is(level
)] samr_AliasInfo
**info
572 /************************/
574 NTSTATUS samr_SetAliasInfo
(
575 [in,ref] policy_handle
*alias_handle
,
576 [in] samr_AliasInfoEnum level
,
577 [in,switch_is(level
),ref] samr_AliasInfo
*info
580 /************************/
582 NTSTATUS samr_DeleteDomAlias
(
583 [in,out,ref] policy_handle
*alias_handle
586 /************************/
588 NTSTATUS samr_AddAliasMember
(
589 [in,ref] policy_handle
*alias_handle
,
590 [in,ref] dom_sid2
*sid
593 /************************/
595 NTSTATUS samr_DeleteAliasMember
(
596 [in,ref] policy_handle
*alias_handle
,
597 [in,ref] dom_sid2
*sid
600 /************************/
602 NTSTATUS samr_GetMembersInAlias
(
603 [in,ref] policy_handle
*alias_handle
,
604 [out,ref] lsa_SidArray
*sids
607 /************************/
609 [public] NTSTATUS samr_OpenUser
(
610 [in,ref] policy_handle
*domain_handle
,
611 [in] samr_UserAccessMask access_mask
,
613 [out,ref] policy_handle
*user_handle
616 /************************/
618 NTSTATUS samr_DeleteUser
(
619 [in,out,ref] policy_handle
*user_handle
622 /************************/
625 lsa_String account_name
;
626 lsa_String full_name
;
628 lsa_String description
;
634 lsa_String unknown
; /* settable, but doesn't stick. probably obsolete */
639 /* this is also used in samr and netlogon */
640 typedef [public, flag
(NDR_PAHEX
)] struct {
641 uint16 units_per_week
;
642 [size_is(1260), length_is(units_per_week
/8)] uint8
*bits
;
646 lsa_String account_name
;
647 lsa_String full_name
;
650 lsa_String home_directory
;
651 lsa_String home_drive
;
652 lsa_String logon_script
;
653 lsa_String profile_path
;
654 lsa_String workstations
;
657 NTTIME last_password_change
;
658 NTTIME allow_password_change
;
659 NTTIME force_password_change
;
660 samr_LogonHours logon_hours
;
661 uint16 bad_password_count
;
663 samr_AcctFlags acct_flags
;
667 samr_LogonHours logon_hours
;
671 lsa_String account_name
;
672 lsa_String full_name
;
675 lsa_String home_directory
;
676 lsa_String home_drive
;
677 lsa_String logon_script
;
678 lsa_String profile_path
;
679 lsa_String description
;
680 lsa_String workstations
;
683 samr_LogonHours logon_hours
;
684 uint16 bad_password_count
;
686 NTTIME last_password_change
;
688 samr_AcctFlags acct_flags
;
692 lsa_String account_name
;
693 lsa_String full_name
;
697 lsa_String account_name
;
701 lsa_String full_name
;
709 lsa_String home_directory
;
710 lsa_String home_drive
;
714 lsa_String logon_script
;
718 lsa_String profile_path
;
722 lsa_String description
;
726 lsa_String workstations
;
730 samr_AcctFlags acct_flags
;
737 typedef [public, flag
(NDR_PAHEX
)] struct {
742 samr_Password lm_pwd
;
743 samr_Password nt_pwd
;
744 boolean8 lm_pwd_active
;
745 boolean8 nt_pwd_active
;
749 lsa_BinaryString parameters
;
752 /* this defines the bits used for fields_present in info21 */
753 typedef [bitmap32bit
] bitmap
{
754 SAMR_FIELD_ACCOUNT_NAME
= 0x00000001,
755 SAMR_FIELD_FULL_NAME
= 0x00000002,
756 SAMR_FIELD_RID
= 0x00000004,
757 SAMR_FIELD_PRIMARY_GID
= 0x00000008,
758 SAMR_FIELD_DESCRIPTION
= 0x00000010,
759 SAMR_FIELD_COMMENT
= 0x00000020,
760 SAMR_FIELD_HOME_DIRECTORY
= 0x00000040,
761 SAMR_FIELD_HOME_DRIVE
= 0x00000080,
762 SAMR_FIELD_LOGON_SCRIPT
= 0x00000100,
763 SAMR_FIELD_PROFILE_PATH
= 0x00000200,
764 SAMR_FIELD_WORKSTATIONS
= 0x00000400,
765 SAMR_FIELD_LAST_LOGON
= 0x00000800,
766 SAMR_FIELD_LAST_LOGOFF
= 0x00001000,
767 SAMR_FIELD_LOGON_HOURS
= 0x00002000,
768 SAMR_FIELD_BAD_PWD_COUNT
= 0x00004000,
769 SAMR_FIELD_NUM_LOGONS
= 0x00008000,
770 SAMR_FIELD_ALLOW_PWD_CHANGE
= 0x00010000,
771 SAMR_FIELD_FORCE_PWD_CHANGE
= 0x00020000,
772 SAMR_FIELD_LAST_PWD_CHANGE
= 0x00040000,
773 SAMR_FIELD_ACCT_EXPIRY
= 0x00080000,
774 SAMR_FIELD_ACCT_FLAGS
= 0x00100000,
775 SAMR_FIELD_PARAMETERS
= 0x00200000,
776 SAMR_FIELD_COUNTRY_CODE
= 0x00400000,
777 SAMR_FIELD_CODE_PAGE
= 0x00800000,
778 SAMR_FIELD_PASSWORD
= 0x01000000, /* either of these */
779 SAMR_FIELD_PASSWORD2
= 0x02000000, /* two bits seems to work */
780 SAMR_FIELD_PRIVATE_DATA
= 0x04000000,
781 SAMR_FIELD_EXPIRED_FLAG
= 0x08000000,
782 SAMR_FIELD_SEC_DESC
= 0x10000000,
783 SAMR_FIELD_OWF_PWD
= 0x20000000
784 } samr_FieldsPresent
;
786 /* used for 'password_expired' in samr_UserInfo21 */
787 const int PASS_MUST_CHANGE_AT_NEXT_LOGON
= 0x01;
788 const int PASS_DONT_CHANGE_AT_NEXT_LOGON
= 0x00;
793 NTTIME last_password_change
;
795 NTTIME allow_password_change
;
796 NTTIME force_password_change
;
797 lsa_String account_name
;
798 lsa_String full_name
;
799 lsa_String home_directory
;
800 lsa_String home_drive
;
801 lsa_String logon_script
;
802 lsa_String profile_path
;
803 lsa_String description
;
804 lsa_String workstations
;
806 lsa_BinaryString parameters
;
811 [size_is(buf_count
)] uint8
*buffer
;
814 samr_AcctFlags acct_flags
;
815 samr_FieldsPresent fields_present
;
816 samr_LogonHours logon_hours
;
817 uint16 bad_password_count
;
821 uint8 nt_password_set
;
822 uint8 lm_password_set
;
823 uint8 password_expired
;
827 typedef [public, flag
(NDR_PAHEX
)] struct {
829 } samr_CryptPassword
;
832 samr_UserInfo21 info
;
833 samr_CryptPassword password
;
837 samr_CryptPassword password
;
838 uint8 password_expired
;
841 typedef [flag
(NDR_PAHEX
)] struct {
843 } samr_CryptPasswordEx
;
846 samr_UserInfo21 info
;
847 samr_CryptPasswordEx password
;
851 samr_CryptPasswordEx password
;
852 uint8 password_expired
;
855 typedef [switch_type(uint16
)] union {
856 [case(1)] samr_UserInfo1 info1
;
857 [case(2)] samr_UserInfo2 info2
;
858 [case(3)] samr_UserInfo3 info3
;
859 [case(4)] samr_UserInfo4 info4
;
860 [case(5)] samr_UserInfo5 info5
;
861 [case(6)] samr_UserInfo6 info6
;
862 [case(7)] samr_UserInfo7 info7
;
863 [case(8)] samr_UserInfo8 info8
;
864 [case(9)] samr_UserInfo9 info9
;
865 [case(10)] samr_UserInfo10 info10
;
866 [case(11)] samr_UserInfo11 info11
;
867 [case(12)] samr_UserInfo12 info12
;
868 [case(13)] samr_UserInfo13 info13
;
869 [case(14)] samr_UserInfo14 info14
;
870 [case(16)] samr_UserInfo16 info16
;
871 [case(17)] samr_UserInfo17 info17
;
872 [case(18)] samr_UserInfo18 info18
;
873 [case(20)] samr_UserInfo20 info20
;
874 [case(21)] samr_UserInfo21 info21
;
875 [case(23)] samr_UserInfo23 info23
;
876 [case(24)] samr_UserInfo24 info24
;
877 [case(25)] samr_UserInfo25 info25
;
878 [case(26)] samr_UserInfo26 info26
;
881 [public] NTSTATUS samr_QueryUserInfo
(
882 [in,ref] policy_handle
*user_handle
,
884 [out,ref,switch_is(level
)] samr_UserInfo
**info
888 /************************/
890 [public] NTSTATUS samr_SetUserInfo
(
891 [in,ref] policy_handle
*user_handle
,
893 [in,ref,switch_is(level
)] samr_UserInfo
*info
896 /************************/
899 this is a password change interface that doesn't give
900 the server the plaintext password. Depricated.
902 NTSTATUS samr_ChangePasswordUser
(
903 [in,ref] policy_handle
*user_handle
,
904 [in] boolean8 lm_present
,
905 [in,unique] samr_Password
*old_lm_crypted
,
906 [in,unique] samr_Password
*new_lm_crypted
,
907 [in] boolean8 nt_present
,
908 [in,unique] samr_Password
*old_nt_crypted
,
909 [in,unique] samr_Password
*new_nt_crypted
,
910 [in] boolean8 cross1_present
,
911 [in,unique] samr_Password
*nt_cross
,
912 [in] boolean8 cross2_present
,
913 [in,unique] samr_Password
*lm_cross
916 /************************/
919 typedef [public] struct {
921 samr_GroupAttrs attributes
;
922 } samr_RidWithAttribute
;
924 typedef [public] struct {
926 [size_is(count
)] samr_RidWithAttribute
*rids
;
927 } samr_RidWithAttributeArray
;
929 NTSTATUS samr_GetGroupsForUser
(
930 [in,ref] policy_handle
*user_handle
,
931 [out,ref] samr_RidWithAttributeArray
**rids
934 /************************/
940 samr_AcctFlags acct_flags
;
941 lsa_String account_name
;
942 lsa_String description
;
943 lsa_String full_name
;
944 } samr_DispEntryGeneral
;
948 [size_is(count
)] samr_DispEntryGeneral
*entries
;
949 } samr_DispInfoGeneral
;
954 samr_AcctFlags acct_flags
;
955 lsa_String account_name
;
956 lsa_String description
;
957 } samr_DispEntryFull
;
961 [size_is(count
)] samr_DispEntryFull
*entries
;
967 samr_GroupAttrs acct_flags
;
968 lsa_String account_name
;
969 lsa_String description
;
970 } samr_DispEntryFullGroup
;
974 [size_is(count
)] samr_DispEntryFullGroup
*entries
;
975 } samr_DispInfoFullGroups
;
979 lsa_AsciiStringLarge account_name
;
980 } samr_DispEntryAscii
;
984 [size_is(count
)] samr_DispEntryAscii
*entries
;
985 } samr_DispInfoAscii
;
987 typedef [switch_type(uint16
)] union {
988 [case(1)] samr_DispInfoGeneral info1
;/* users */
989 [case(2)] samr_DispInfoFull info2
; /* trust accounts? */
990 [case(3)] samr_DispInfoFullGroups info3
; /* groups */
991 [case(4)] samr_DispInfoAscii info4
; /* users */
992 [case(5)] samr_DispInfoAscii info5
; /* groups */
995 NTSTATUS samr_QueryDisplayInfo
(
996 [in,ref] policy_handle
*domain_handle
,
998 [in] uint32 start_idx
,
999 [in] uint32 max_entries
,
1000 [in] uint32 buf_size
,
1001 [out,ref] uint32
*total_size
,
1002 [out,ref] uint32
*returned_size
,
1003 [out,ref,switch_is(level
)] samr_DispInfo
*info
1007 /************************/
1011 this seems to be an alphabetic search function. The returned index
1012 is the index for samr_QueryDisplayInfo needed to get names occurring
1013 after the specified name. The supplied name does not need to exist
1014 in the database (for example you can supply just a first letter for
1015 searching starting at that letter)
1017 The level corresponds to the samr_QueryDisplayInfo level
1019 NTSTATUS samr_GetDisplayEnumerationIndex
(
1020 [in,ref] policy_handle
*domain_handle
,
1022 [in,ref] lsa_String
*name
,
1023 [out,ref] uint32
*idx
1028 /************************/
1032 w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this
1034 NTSTATUS samr_TestPrivateFunctionsDomain
(
1035 [in,ref] policy_handle
*domain_handle
1039 /************************/
1043 w2k3 returns NT_STATUS_NOT_IMPLEMENTED for this
1045 NTSTATUS samr_TestPrivateFunctionsUser
(
1046 [in,ref] policy_handle
*user_handle
1050 /************************/
1054 uint16 min_password_length
;
1055 samr_PasswordProperties password_properties
;
1058 [public] NTSTATUS samr_GetUserPwInfo
(
1059 [in,ref] policy_handle
*user_handle
,
1060 [out,ref] samr_PwInfo
*info
1063 /************************/
1065 NTSTATUS samr_RemoveMemberFromForeignDomain
(
1066 [in,ref] policy_handle
*domain_handle
,
1067 [in,ref] dom_sid2
*sid
1070 /************************/
1074 how is this different from QueryDomainInfo ??
1076 NTSTATUS samr_QueryDomainInfo2
(
1077 [in,ref] policy_handle
*domain_handle
,
1079 [out,ref,switch_is(level
)] samr_DomainInfo
**info
1082 /************************/
1086 how is this different from QueryUserInfo ??
1088 NTSTATUS samr_QueryUserInfo2
(
1089 [in,ref] policy_handle
*user_handle
,
1091 [out,ref,switch_is(level
)] samr_UserInfo
*info
1094 /************************/
1098 how is this different from QueryDisplayInfo??
1100 NTSTATUS samr_QueryDisplayInfo2
(
1101 [in,ref] policy_handle
*domain_handle
,
1103 [in] uint32 start_idx
,
1104 [in] uint32 max_entries
,
1105 [in] uint32 buf_size
,
1106 [out,ref] uint32
*total_size
,
1107 [out,ref] uint32
*returned_size
,
1108 [out,ref,switch_is(level
)] samr_DispInfo
*info
1111 /************************/
1115 how is this different from GetDisplayEnumerationIndex ??
1117 NTSTATUS samr_GetDisplayEnumerationIndex2
(
1118 [in,ref] policy_handle
*domain_handle
,
1120 [in,ref] lsa_String
*name
,
1121 [out,ref] uint32
*idx
1125 /************************/
1127 NTSTATUS samr_CreateUser2
(
1128 [in,ref] policy_handle
*domain_handle
,
1129 [in,ref] lsa_String
*account_name
,
1130 [in] samr_AcctFlags acct_flags
,
1131 [in] samr_UserAccessMask access_mask
,
1132 [out,ref] policy_handle
*user_handle
,
1133 [out,ref] uint32
*access_granted
,
1134 [out,ref] uint32
*rid
1138 /************************/
1142 another duplicate. There must be a reason ....
1144 NTSTATUS samr_QueryDisplayInfo3
(
1145 [in,ref] policy_handle
*domain_handle
,
1147 [in] uint32 start_idx
,
1148 [in] uint32 max_entries
,
1149 [in] uint32 buf_size
,
1150 [out,ref] uint32
*total_size
,
1151 [out,ref] uint32
*returned_size
,
1152 [out,ref,switch_is(level
)] samr_DispInfo
*info
1155 /************************/
1157 NTSTATUS samr_AddMultipleMembersToAlias
(
1158 [in,ref] policy_handle
*alias_handle
,
1159 [in,ref] lsa_SidArray
*sids
1162 /************************/
1164 NTSTATUS samr_RemoveMultipleMembersFromAlias
(
1165 [in,ref] policy_handle
*alias_handle
,
1166 [in,ref] lsa_SidArray
*sids
1169 /************************/
1172 NTSTATUS samr_OemChangePasswordUser2
(
1173 [in,unique] lsa_AsciiString
*server
,
1174 [in,ref] lsa_AsciiString
*account
,
1175 [in,unique] samr_CryptPassword
*password
,
1176 [in,unique] samr_Password
*hash
1179 /************************/
1181 NTSTATUS samr_ChangePasswordUser2
(
1182 [in,unique] lsa_String
*server
,
1183 [in,ref] lsa_String
*account
,
1184 [in,unique] samr_CryptPassword
*nt_password
,
1185 [in,unique] samr_Password
*nt_verifier
,
1186 [in] boolean8 lm_change
,
1187 [in,unique] samr_CryptPassword
*lm_password
,
1188 [in,unique] samr_Password
*lm_verifier
1191 /************************/
1193 NTSTATUS samr_GetDomPwInfo
(
1194 [in,unique] lsa_String
*domain_name
,
1195 [out,ref] samr_PwInfo
*info
1198 /************************/
1200 NTSTATUS samr_Connect2
(
1201 [in,unique,string,charset
(UTF16
)] uint16
*system_name
,
1202 [in] samr_ConnectAccessMask access_mask
,
1203 [out,ref] policy_handle
*connect_handle
1206 /************************/
1209 seems to be an exact alias for samr_SetUserInfo()
1211 [public] NTSTATUS samr_SetUserInfo2
(
1212 [in,ref] policy_handle
*user_handle
,
1214 [in,ref,switch_is(level
)] samr_UserInfo
*info
1217 /************************/
1220 this one is mysterious. I have a few guesses, but nothing working yet
1222 NTSTATUS samr_SetBootKeyInformation
(
1223 [in,ref] policy_handle
*connect_handle
,
1224 [in] uint32 unknown1
,
1225 [in] uint32 unknown2
,
1226 [in] uint32 unknown3
1229 /************************/
1231 NTSTATUS samr_GetBootKeyInformation
(
1232 [in,ref] policy_handle
*domain_handle
,
1233 [out,ref] uint32
*unknown
1236 /************************/
1238 NTSTATUS samr_Connect3
(
1239 [in,unique,string,charset
(UTF16
)] uint16
*system_name
,
1240 /* this unknown value seems to be completely ignored by w2k3 */
1241 [in] uint32 unknown
,
1242 [in] samr_ConnectAccessMask access_mask
,
1243 [out,ref] policy_handle
*connect_handle
1246 /************************/
1250 SAMR_CONNECT_PRE_W2K
= 1,
1251 SAMR_CONNECT_W2K
= 2,
1252 SAMR_CONNECT_AFTER_W2K
= 3
1253 } samr_ConnectVersion
;
1255 NTSTATUS samr_Connect4
(
1256 [in,unique,string,charset
(UTF16
)] uint16
*system_name
,
1257 [in] samr_ConnectVersion client_version
,
1258 [in] samr_ConnectAccessMask access_mask
,
1259 [out,ref] policy_handle
*connect_handle
1262 /************************/
1265 typedef enum samr_RejectReason samr_RejectReason
;
1268 samr_RejectReason reason
;
1271 } samr_ChangeReject
;
1273 NTSTATUS samr_ChangePasswordUser3
(
1274 [in,unique] lsa_String
*server
,
1275 [in,ref] lsa_String
*account
,
1276 [in,unique] samr_CryptPassword
*nt_password
,
1277 [in,unique] samr_Password
*nt_verifier
,
1278 [in] boolean8 lm_change
,
1279 [in,unique] samr_CryptPassword
*lm_password
,
1280 [in,unique] samr_Password
*lm_verifier
,
1281 [in,unique] samr_CryptPassword
*password3
,
1282 [out,ref] samr_DomInfo1
**dominfo
,
1283 [out,ref] samr_ChangeReject
**reject
1286 /************************/
1290 samr_ConnectVersion client_version
; /* w2k3 gives 3 */
1291 uint32 unknown2
; /* w2k3 gives 0 */
1292 } samr_ConnectInfo1
;
1295 [case(1)] samr_ConnectInfo1 info1
;
1298 [public] NTSTATUS samr_Connect5
(
1299 [in,unique,string,charset
(UTF16
)] uint16
*system_name
,
1300 [in] samr_ConnectAccessMask access_mask
,
1301 [in] uint32 level_in
,
1302 [in,ref,switch_is(level_in
)] samr_ConnectInfo
*info_in
,
1303 [out,ref] uint32
*level_out
,
1304 [out,ref,switch_is(*level_out
)] samr_ConnectInfo
*info_out
,
1305 [out,ref] policy_handle
*connect_handle
1308 /************************/
1310 NTSTATUS samr_RidToSid
(
1311 [in,ref] policy_handle
*domain_handle
,
1313 [out,ref] dom_sid2
*sid
1317 /************************/
1321 this should set the DSRM password for the server, which is used
1322 when booting into Directory Services Recovery Mode on a DC. Win2003
1323 gives me NT_STATUS_NOT_SUPPORTED
1326 NTSTATUS samr_SetDsrmPassword
(
1327 [in,unique] lsa_String
*name
,
1328 [in] uint32 unknown
,
1329 [in,unique] samr_Password
*hash
1333 /************************/
1335 /************************/
1336 typedef [bitmap32bit
] bitmap
{
1337 SAMR_VALIDATE_FIELD_PASSWORD_LAST_SET
= 0x00000001,
1338 SAMR_VALIDATE_FIELD_BAD_PASSWORD_TIME
= 0x00000002,
1339 SAMR_VALIDATE_FIELD_LOCKOUT_TIME
= 0x00000004,
1340 SAMR_VALIDATE_FIELD_BAD_PASSWORD_COUNT
= 0x00000008,
1341 SAMR_VALIDATE_FIELD_PASSWORD_HISTORY_LENGTH
= 0x00000010,
1342 SAMR_VALIDATE_FIELD_PASSWORD_HISTORY
= 0x00000020
1343 } samr_ValidateFieldsPresent
;
1346 NetValidateAuthentication
= 1,
1347 NetValidatePasswordChange
= 2,
1348 NetValidatePasswordReset
= 3
1349 } samr_ValidatePasswordLevel
;
1351 /* NetApi maps samr_ValidationStatus errors to WERRORs. Haven't
1352 * identified the mapping of
1353 * - NERR_PasswordFilterError
1354 * - NERR_PasswordExpired and
1355 * - NERR_PasswordCantChange
1360 SAMR_VALIDATION_STATUS_SUCCESS
= 0,
1361 SAMR_VALIDATION_STATUS_PASSWORD_MUST_CHANGE
= 1,
1362 SAMR_VALIDATION_STATUS_ACCOUNT_LOCKED_OUT
= 2,
1363 SAMR_VALIDATION_STATUS_BAD_PASSWORD
= 4,
1364 SAMR_VALIDATION_STATUS_PWD_HISTORY_CONFLICT
= 5,
1365 SAMR_VALIDATION_STATUS_PWD_TOO_SHORT
= 6,
1366 SAMR_VALIDATION_STATUS_PWD_TOO_LONG
= 7,
1367 SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH
= 8,
1368 SAMR_VALIDATION_STATUS_PASSWORD_TOO_RECENT
= 9
1369 } samr_ValidationStatus
;
1373 [size_is(length
)] uint8
*data
;
1374 } samr_ValidationBlob
;
1377 samr_ValidateFieldsPresent fields_present
;
1378 NTTIME_hyper last_password_change
;
1379 NTTIME_hyper bad_password_time
;
1380 NTTIME_hyper lockout_time
;
1381 uint32 bad_pwd_count
;
1382 uint32 pwd_history_len
;
1383 [size_is(pwd_history_len
)] samr_ValidationBlob
*pwd_history
;
1384 } samr_ValidatePasswordInfo
;
1387 samr_ValidatePasswordInfo info
;
1388 samr_ValidationStatus status
;
1389 } samr_ValidatePasswordRepCtr
;
1391 typedef [switch_type(uint16
)] union {
1392 [case(1)] samr_ValidatePasswordRepCtr ctr1
;
1393 [case(2)] samr_ValidatePasswordRepCtr ctr2
;
1394 [case(3)] samr_ValidatePasswordRepCtr ctr3
;
1395 } samr_ValidatePasswordRep
;
1398 samr_ValidatePasswordInfo info
;
1399 lsa_StringLarge password
;
1400 lsa_StringLarge account
;
1401 samr_ValidationBlob hash
;
1402 boolean8 pwd_must_change_at_next_logon
;
1403 boolean8 clear_lockout
;
1404 } samr_ValidatePasswordReq3
;
1407 samr_ValidatePasswordInfo info
;
1408 lsa_StringLarge password
;
1409 lsa_StringLarge account
;
1410 samr_ValidationBlob hash
;
1411 boolean8 password_matched
;
1412 } samr_ValidatePasswordReq2
;
1415 samr_ValidatePasswordInfo info
;
1416 boolean8 password_matched
;
1417 } samr_ValidatePasswordReq1
;
1419 typedef [switch_type(uint16
)] union {
1420 [case(1)] samr_ValidatePasswordReq1 req1
;
1421 [case(2)] samr_ValidatePasswordReq2 req2
;
1422 [case(3)] samr_ValidatePasswordReq3 req3
;
1423 } samr_ValidatePasswordReq
;
1425 NTSTATUS samr_ValidatePassword
(
1426 [in] samr_ValidatePasswordLevel level
,
1427 [in,switch_is(level
)] samr_ValidatePasswordReq req
,
1428 [out,ref,switch_is(level
)] samr_ValidatePasswordRep
*rep