able/windows-nt
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
windows-nt/Source/XPSP1/NT/ds/published/inc/ntsam.w
CryptoAlgo Inc b3cac27891 Add source files
2020-09-26 16:20:57 +08:00

1902 lines
60 KiB
OpenEdge ABL
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*++ BUILD Version: 0006 // Increment this if a change has global effects
Copyright (c) 1989-1999 Microsoft Corporation
Module Name:
ntsam.h
Abstract:
This module describes the data types and procedure prototypes
that make up the NT Security Accounts Manager. This includes
API's exported by SAM and related subsystems.
Author:
Edwin Hoogerbeets (w-edwinh) 3-May-1990
Revision History:
30-Nov-1990 [w-mikep] Updated code to reflect changes in version 1.4
of Sam Document.
20-May-1991 (JimK) Updated to version 1.8 of SAM spec.
10-Sep-1991 (JohnRo) PC-LINT found a portability problem.
23-Jan-1991 (ChadS) Udated to version 1.14 of SAM spec.
--*/
#ifndef _NTSAM_
#define _NTSAM_
#if _MSC_VER > 1000
#pragma once
#endif
#ifdef __cplusplus
extern "C" {
#endif
#ifndef PPULONG
typedef PULONG *PPULONG;
#endif //PPULONG
//
// An attempt to lookup more than this number of names or SIDs in
// a single call will be rejected with an INSUFFICIENT_RESOURCES
// status.
//
#define SAM_MAXIMUM_LOOKUP_COUNT (1000)
//
// An attempt to pass names totalling more than the following number
// of bytes in length will be rejected with an INSUFFICIENT_RESOURCES
// status.
//
#define SAM_MAXIMUM_LOOKUP_LENGTH (32000)
//
// An attempt to set a password longer than this number of characters
// will fail.
//
#define SAM_MAX_PASSWORD_LENGTH (256)
//
// Length of the salt used in the clear password encryption
//
#define SAM_PASSWORD_ENCRYPTION_SALT_LEN (16)
#ifndef _NTSAM_SAM_HANDLE_ // ntsubauth
typedef PVOID SAM_HANDLE, *PSAM_HANDLE; // ntsubauth
#define _NTSAM_SAM_HANDLE_ // ntsubauth
#endif // ntsubauth
typedef ULONG SAM_ENUMERATE_HANDLE, *PSAM_ENUMERATE_HANDLE;
typedef struct _SAM_RID_ENUMERATION {
ULONG RelativeId;
UNICODE_STRING Name;
} SAM_RID_ENUMERATION, *PSAM_RID_ENUMERATION;
typedef struct _SAM_SID_ENUMERATION {
PSID Sid;
UNICODE_STRING Name;
} SAM_SID_ENUMERATION, *PSAM_SID_ENUMERATION;
/////////////////////////////////////////////////////////////////////////////
// //
// obsolete well-known account names. //
// These became obsolete with the flexadmin model. //
// These will be deleted shortly - DON'T USE THESE //
// //
/////////////////////////////////////////////////////////////////////////////
#define DOMAIN_ADMIN_USER_NAME "ADMIN"
#define DOMAIN_ADMIN_NAME "D_ADMIN"
#define DOMAIN_ADMIN_NAMEW L"D_ADMIN"
#define DOMAIN_USERS_NAME "D_USERS"
#define DOMAIN_USERS_NAMEW L"D_USERS"
#define DOMAIN_GUESTS_NAME "D_GUESTS"
#define DOMAIN_ACCOUNT_OPERATORS_NAME "D_ACCOUN"
#define DOMAIN_ACCOUNT_OPERATORS_NAMEW L"D_ACCOUN"
#define DOMAIN_SERVER_OPERATORS_NAME "D_SERVER"
#define DOMAIN_SERVER_OPERATORS_NAMEW L"D_SERVER"
#define DOMAIN_PRINT_OPERATORS_NAME "D_PRINT"
#define DOMAIN_PRINT_OPERATORS_NAMEW L"D_PRINT"
#define DOMAIN_COMM_OPERATORS_NAME "D_COMM"
#define DOMAIN_COMM_OPERATORS_NAMEW L"D_COMM"
#define DOMAIN_BACKUP_OPERATORS_NAME "D_BACKUP"
#define DOMAIN_RESTORE_OPERATORS_NAME "D_RESTOR"
///////////////////////////////////////////////////////////////////////////////
// //
// Server Object Related Definitions //
// //
///////////////////////////////////////////////////////////////////////////////
//
// Access rights for server object
//
#define SAM_SERVER_CONNECT 0x0001
#define SAM_SERVER_SHUTDOWN 0x0002
#define SAM_SERVER_INITIALIZE 0x0004
#define SAM_SERVER_CREATE_DOMAIN 0x0008
#define SAM_SERVER_ENUMERATE_DOMAINS 0x0010
#define SAM_SERVER_LOOKUP_DOMAIN 0x0020
#define SAM_SERVER_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
SAM_SERVER_CONNECT |\
SAM_SERVER_INITIALIZE |\
SAM_SERVER_CREATE_DOMAIN |\
SAM_SERVER_SHUTDOWN |\
SAM_SERVER_ENUMERATE_DOMAINS |\
SAM_SERVER_LOOKUP_DOMAIN)
#define SAM_SERVER_READ (STANDARD_RIGHTS_READ |\
SAM_SERVER_ENUMERATE_DOMAINS)
#define SAM_SERVER_WRITE (STANDARD_RIGHTS_WRITE |\
SAM_SERVER_INITIALIZE |\
SAM_SERVER_CREATE_DOMAIN |\
SAM_SERVER_SHUTDOWN)
#define SAM_SERVER_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
SAM_SERVER_CONNECT |\
SAM_SERVER_LOOKUP_DOMAIN)
///////////////////////////////////////////////////////////////////////////////
// //
// Domain Object Related Definitions //
// //
///////////////////////////////////////////////////////////////////////////////
//
// Access rights for domain object
//
#define DOMAIN_READ_PASSWORD_PARAMETERS 0x0001
#define DOMAIN_WRITE_PASSWORD_PARAMS 0x0002
#define DOMAIN_READ_OTHER_PARAMETERS 0x0004
#define DOMAIN_WRITE_OTHER_PARAMETERS 0x0008
#define DOMAIN_CREATE_USER 0x0010
#define DOMAIN_CREATE_GROUP 0x0020
#define DOMAIN_CREATE_ALIAS 0x0040
#define DOMAIN_GET_ALIAS_MEMBERSHIP 0x0080
#define DOMAIN_LIST_ACCOUNTS 0x0100
#define DOMAIN_LOOKUP 0x0200
#define DOMAIN_ADMINISTER_SERVER 0x0400
#define DOMAIN_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
DOMAIN_READ_OTHER_PARAMETERS |\
DOMAIN_WRITE_OTHER_PARAMETERS |\
DOMAIN_WRITE_PASSWORD_PARAMS |\
DOMAIN_CREATE_USER |\
DOMAIN_CREATE_GROUP |\
DOMAIN_CREATE_ALIAS |\
DOMAIN_GET_ALIAS_MEMBERSHIP |\
DOMAIN_LIST_ACCOUNTS |\
DOMAIN_READ_PASSWORD_PARAMETERS |\
DOMAIN_LOOKUP |\
DOMAIN_ADMINISTER_SERVER)
#define DOMAIN_READ (STANDARD_RIGHTS_READ |\
DOMAIN_GET_ALIAS_MEMBERSHIP |\
DOMAIN_READ_OTHER_PARAMETERS)
#define DOMAIN_WRITE (STANDARD_RIGHTS_WRITE |\
DOMAIN_WRITE_OTHER_PARAMETERS |\
DOMAIN_WRITE_PASSWORD_PARAMS |\
DOMAIN_CREATE_USER |\
DOMAIN_CREATE_GROUP |\
DOMAIN_CREATE_ALIAS |\
DOMAIN_ADMINISTER_SERVER)
#define DOMAIN_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
DOMAIN_READ_PASSWORD_PARAMETERS |\
DOMAIN_LIST_ACCOUNTS |\
DOMAIN_LOOKUP)
//
// Normal modifications cause a domain's ModifiedCount to be
// incremented by 1. Domain promotion to Primary domain controller
// cause the ModifiedCount to be incremented by the following
// amount. This causes the upper 24-bits of the ModifiedCount
// to be a promotion count and the lower 40-bits as a modification
// count.
//
#define DOMAIN_PROMOTION_INCREMENT {0x0,0x10}
#define DOMAIN_PROMOTION_MASK {0x0,0xFFFFFFF0}
//
// Domain information classes and their corresponding data structures
//
typedef enum _DOMAIN_INFORMATION_CLASS {
DomainPasswordInformation = 1,
DomainGeneralInformation,
DomainLogoffInformation,
DomainOemInformation,
DomainNameInformation,
DomainReplicationInformation,
DomainServerRoleInformation,
DomainModifiedInformation,
DomainStateInformation,
DomainUasInformation,
DomainGeneralInformation2,
DomainLockoutInformation,
DomainModifiedInformation2
} DOMAIN_INFORMATION_CLASS;
typedef enum _DOMAIN_SERVER_ENABLE_STATE {
DomainServerEnabled = 1,
DomainServerDisabled
} DOMAIN_SERVER_ENABLE_STATE, *PDOMAIN_SERVER_ENABLE_STATE;
typedef enum _DOMAIN_SERVER_ROLE {
DomainServerRoleBackup = 2,
DomainServerRolePrimary
} DOMAIN_SERVER_ROLE, *PDOMAIN_SERVER_ROLE;
#include "pshpack4.h"
typedef struct _DOMAIN_GENERAL_INFORMATION {
LARGE_INTEGER ForceLogoff;
UNICODE_STRING OemInformation;
UNICODE_STRING DomainName;
UNICODE_STRING ReplicaSourceNodeName;
LARGE_INTEGER DomainModifiedCount;
DOMAIN_SERVER_ENABLE_STATE DomainServerState;
DOMAIN_SERVER_ROLE DomainServerRole;
BOOLEAN UasCompatibilityRequired;
ULONG UserCount;
ULONG GroupCount;
ULONG AliasCount;
} DOMAIN_GENERAL_INFORMATION, *PDOMAIN_GENERAL_INFORMATION;
#include "poppack.h"
#include "pshpack4.h"
typedef struct _DOMAIN_GENERAL_INFORMATION2 {
DOMAIN_GENERAL_INFORMATION I1;
//
// New fields added for this structure (NT1.0A).
//
LARGE_INTEGER LockoutDuration; //Must be a Delta time
LARGE_INTEGER LockoutObservationWindow; //Must be a Delta time
USHORT LockoutThreshold;
} DOMAIN_GENERAL_INFORMATION2, *PDOMAIN_GENERAL_INFORMATION2;
#include "poppack.h"
typedef struct _DOMAIN_UAS_INFORMATION {
BOOLEAN UasCompatibilityRequired;
} DOMAIN_UAS_INFORMATION;
//
// This needs to be guarded, because ntsecapi.h is a generated
// public file, and ntsam.h is an internal file, but people like
// to mix and match them anyway.
//
// begin_ntsecapi
#ifndef _DOMAIN_PASSWORD_INFORMATION_DEFINED
#define _DOMAIN_PASSWORD_INFORMATION_DEFINED
typedef struct _DOMAIN_PASSWORD_INFORMATION {
USHORT MinPasswordLength;
USHORT PasswordHistoryLength;
ULONG PasswordProperties;
#if defined(MIDL_PASS)
OLD_LARGE_INTEGER MaxPasswordAge;
OLD_LARGE_INTEGER MinPasswordAge;
#else
LARGE_INTEGER MaxPasswordAge;
LARGE_INTEGER MinPasswordAge;
#endif
} DOMAIN_PASSWORD_INFORMATION, *PDOMAIN_PASSWORD_INFORMATION;
#endif
//
// PasswordProperties flags
//
#define DOMAIN_PASSWORD_COMPLEX 0x00000001L
#define DOMAIN_PASSWORD_NO_ANON_CHANGE 0x00000002L
#define DOMAIN_PASSWORD_NO_CLEAR_CHANGE 0x00000004L
#define DOMAIN_LOCKOUT_ADMINS 0x00000008L
#define DOMAIN_PASSWORD_STORE_CLEARTEXT 0x00000010L
#define DOMAIN_REFUSE_PASSWORD_CHANGE 0x00000020L
#define DOMAIN_NO_LM_OWF_CHANGE 0x00000040L
// end_ntsecapi
typedef enum _DOMAIN_PASSWORD_CONSTRUCTION {
DomainPasswordSimple = 1,
DomainPasswordComplex
} DOMAIN_PASSWORD_CONSTRUCTION;
typedef struct _DOMAIN_LOGOFF_INFORMATION {
#if defined(MIDL_PASS)
OLD_LARGE_INTEGER ForceLogoff;
#else
LARGE_INTEGER ForceLogoff;
#endif
} DOMAIN_LOGOFF_INFORMATION, *PDOMAIN_LOGOFF_INFORMATION;
typedef struct _DOMAIN_OEM_INFORMATION {
UNICODE_STRING OemInformation;
} DOMAIN_OEM_INFORMATION, *PDOMAIN_OEM_INFORMATION;
typedef struct _DOMAIN_NAME_INFORMATION {
UNICODE_STRING DomainName;
} DOMAIN_NAME_INFORMATION, *PDOMAIN_NAME_INFORMATION;
typedef struct _DOMAIN_SERVER_ROLE_INFORMATION {
DOMAIN_SERVER_ROLE DomainServerRole;
} DOMAIN_SERVER_ROLE_INFORMATION, *PDOMAIN_SERVER_ROLE_INFORMATION;
typedef struct _DOMAIN_REPLICATION_INFORMATION {
UNICODE_STRING ReplicaSourceNodeName;
} DOMAIN_REPLICATION_INFORMATION, *PDOMAIN_REPLICATION_INFORMATION;
typedef struct _DOMAIN_MODIFIED_INFORMATION {
#if defined(MIDL_PASS)
OLD_LARGE_INTEGER DomainModifiedCount;
OLD_LARGE_INTEGER CreationTime;
#else
LARGE_INTEGER DomainModifiedCount;
LARGE_INTEGER CreationTime;
#endif
} DOMAIN_MODIFIED_INFORMATION, *PDOMAIN_MODIFIED_INFORMATION;
typedef struct _DOMAIN_MODIFIED_INFORMATION2 {
#if defined(MIDL_PASS)
OLD_LARGE_INTEGER DomainModifiedCount;
OLD_LARGE_INTEGER CreationTime;
OLD_LARGE_INTEGER ModifiedCountAtLastPromotion;
#else
LARGE_INTEGER DomainModifiedCount;
LARGE_INTEGER CreationTime;
LARGE_INTEGER ModifiedCountAtLastPromotion;
#endif
} DOMAIN_MODIFIED_INFORMATION2, *PDOMAIN_MODIFIED_INFORMATION2;
typedef struct _DOMAIN_STATE_INFORMATION {
DOMAIN_SERVER_ENABLE_STATE DomainServerState;
} DOMAIN_STATE_INFORMATION, *PDOMAIN_STATE_INFORMATION;
typedef struct _DOMAIN_LOCKOUT_INFORMATION {
#if defined(MIDL_PASS)
OLD_LARGE_INTEGER LockoutDuration; //Must be a Delta time
OLD_LARGE_INTEGER LockoutObservationWindow; //Must be a Delta time
#else
LARGE_INTEGER LockoutDuration; //Must be a Delta time
LARGE_INTEGER LockoutObservationWindow; //Must be a Delta time
#endif
USHORT LockoutThreshold; //Zero means no lockout
} DOMAIN_LOCKOUT_INFORMATION, *PDOMAIN_LOCKOUT_INFORMATION;
//
// Types used by the SamQueryDisplayInformation API
//
typedef enum _DOMAIN_DISPLAY_INFORMATION {
DomainDisplayUser = 1,
DomainDisplayMachine,
DomainDisplayGroup, // Added in NT1.0A
DomainDisplayOemUser, // Added in NT1.0A
DomainDisplayOemGroup, // Added in NT1.0A
DomainDisplayServer // Added in NT5 to support query of servers
} DOMAIN_DISPLAY_INFORMATION, *PDOMAIN_DISPLAY_INFORMATION;
typedef struct _DOMAIN_DISPLAY_USER {
ULONG Index;
ULONG Rid;
ULONG AccountControl;
UNICODE_STRING LogonName;
UNICODE_STRING AdminComment;
UNICODE_STRING FullName;
} DOMAIN_DISPLAY_USER, *PDOMAIN_DISPLAY_USER;
typedef struct _DOMAIN_DISPLAY_MACHINE {
ULONG Index;
ULONG Rid;
ULONG AccountControl;
UNICODE_STRING Machine;
UNICODE_STRING Comment;
} DOMAIN_DISPLAY_MACHINE, *PDOMAIN_DISPLAY_MACHINE;
typedef struct _DOMAIN_DISPLAY_GROUP { // Added in NT1.0A
ULONG Index;
ULONG Rid;
ULONG Attributes;
UNICODE_STRING Group;
UNICODE_STRING Comment;
} DOMAIN_DISPLAY_GROUP, *PDOMAIN_DISPLAY_GROUP;
typedef struct _DOMAIN_DISPLAY_OEM_USER { // Added in NT1.0A
ULONG Index;
OEM_STRING User;
} DOMAIN_DISPLAY_OEM_USER, *PDOMAIN_DISPLAY_OEM_USER;
typedef struct _DOMAIN_DISPLAY_OEM_GROUP { // Added in NT1.0A
ULONG Index;
OEM_STRING Group;
} DOMAIN_DISPLAY_OEM_GROUP, *PDOMAIN_DISPLAY_OEM_GROUP;
///////////////////////////////////////////////////////////////////////////////
// //
// Group Object Related Definitions //
// //
///////////////////////////////////////////////////////////////////////////////
//
// Access rights for group object
//
#define GROUP_READ_INFORMATION 0x0001
#define GROUP_WRITE_ACCOUNT 0x0002
#define GROUP_ADD_MEMBER 0x0004
#define GROUP_REMOVE_MEMBER 0x0008
#define GROUP_LIST_MEMBERS 0x0010
#define GROUP_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
GROUP_LIST_MEMBERS |\
GROUP_WRITE_ACCOUNT |\
GROUP_ADD_MEMBER |\
GROUP_REMOVE_MEMBER |\
GROUP_READ_INFORMATION)
#define GROUP_READ (STANDARD_RIGHTS_READ |\
GROUP_LIST_MEMBERS)
#define GROUP_WRITE (STANDARD_RIGHTS_WRITE |\
GROUP_WRITE_ACCOUNT |\
GROUP_ADD_MEMBER |\
GROUP_REMOVE_MEMBER)
#define GROUP_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
GROUP_READ_INFORMATION)
//
// Group object types
//
typedef struct _GROUP_MEMBERSHIP {
ULONG RelativeId;
ULONG Attributes;
} GROUP_MEMBERSHIP, *PGROUP_MEMBERSHIP;
typedef enum _GROUP_INFORMATION_CLASS {
GroupGeneralInformation = 1,
GroupNameInformation,
GroupAttributeInformation,
GroupAdminCommentInformation,
GroupReplicationInformation
} GROUP_INFORMATION_CLASS;
typedef struct _GROUP_GENERAL_INFORMATION {
UNICODE_STRING Name;
ULONG Attributes;
ULONG MemberCount;
UNICODE_STRING AdminComment;
} GROUP_GENERAL_INFORMATION, *PGROUP_GENERAL_INFORMATION;
typedef struct _GROUP_NAME_INFORMATION {
UNICODE_STRING Name;
} GROUP_NAME_INFORMATION, *PGROUP_NAME_INFORMATION;
typedef struct _GROUP_ATTRIBUTE_INFORMATION {
ULONG Attributes;
} GROUP_ATTRIBUTE_INFORMATION, *PGROUP_ATTRIBUTE_INFORMATION;
typedef struct _GROUP_ADM_COMMENT_INFORMATION {
UNICODE_STRING AdminComment;
} GROUP_ADM_COMMENT_INFORMATION, *PGROUP_ADM_COMMENT_INFORMATION;
///////////////////////////////////////////////////////////////////////////////
// //
// Alias Object Related Definitions //
// //
///////////////////////////////////////////////////////////////////////////////
//
// Access rights for alias object
//
#define ALIAS_ADD_MEMBER 0x0001
#define ALIAS_REMOVE_MEMBER 0x0002
#define ALIAS_LIST_MEMBERS 0x0004
#define ALIAS_READ_INFORMATION 0x0008
#define ALIAS_WRITE_ACCOUNT 0x0010
#define ALIAS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
ALIAS_READ_INFORMATION |\
ALIAS_WRITE_ACCOUNT |\
ALIAS_LIST_MEMBERS |\
ALIAS_ADD_MEMBER |\
ALIAS_REMOVE_MEMBER)
#define ALIAS_READ (STANDARD_RIGHTS_READ |\
ALIAS_LIST_MEMBERS)
#define ALIAS_WRITE (STANDARD_RIGHTS_WRITE |\
ALIAS_WRITE_ACCOUNT |\
ALIAS_ADD_MEMBER |\
ALIAS_REMOVE_MEMBER)
#define ALIAS_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
ALIAS_READ_INFORMATION)
//
// Alias object types
//
typedef enum _ALIAS_INFORMATION_CLASS {
AliasGeneralInformation = 1,
AliasNameInformation,
AliasAdminCommentInformation,
AliasReplicationInformation
} ALIAS_INFORMATION_CLASS;
typedef struct _ALIAS_GENERAL_INFORMATION {
UNICODE_STRING Name;
ULONG MemberCount;
UNICODE_STRING AdminComment;
} ALIAS_GENERAL_INFORMATION, *PALIAS_GENERAL_INFORMATION;
typedef struct _ALIAS_NAME_INFORMATION {
UNICODE_STRING Name;
} ALIAS_NAME_INFORMATION, *PALIAS_NAME_INFORMATION;
typedef struct _ALIAS_ADM_COMMENT_INFORMATION {
UNICODE_STRING AdminComment;
} ALIAS_ADM_COMMENT_INFORMATION, *PALIAS_ADM_COMMENT_INFORMATION;
//////////////////////////////////////////////////////////////////////////////
// //
// NT5+ Limited Groups Related Definitions //
// //
//////////////////////////////////////////////////////////////////////////////
//
// Group Flag Definitions to determine Type of Group
//
#define GROUP_TYPE_BUILTIN_LOCAL_GROUP 0x00000001
#define GROUP_TYPE_ACCOUNT_GROUP 0x00000002
#define GROUP_TYPE_RESOURCE_GROUP 0x00000004
#define GROUP_TYPE_UNIVERSAL_GROUP 0x00000008
#define GROUP_TYPE_SECURITY_ENABLED 0x80000000
///////////////////////////////////////////////////////////////////////////////
// //
// User Object Related Definitions //
// //
///////////////////////////////////////////////////////////////////////////////
//
// Access rights for user object
//
#define USER_READ_GENERAL 0x0001
#define USER_READ_PREFERENCES 0x0002
#define USER_WRITE_PREFERENCES 0x0004
#define USER_READ_LOGON 0x0008
#define USER_READ_ACCOUNT 0x0010
#define USER_WRITE_ACCOUNT 0x0020
#define USER_CHANGE_PASSWORD 0x0040
#define USER_FORCE_PASSWORD_CHANGE 0x0080
#define USER_LIST_GROUPS 0x0100
#define USER_READ_GROUP_INFORMATION 0x0200
#define USER_WRITE_GROUP_INFORMATION 0x0400
#define USER_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED |\
USER_READ_PREFERENCES |\
USER_READ_LOGON |\
USER_LIST_GROUPS |\
USER_READ_GROUP_INFORMATION |\
USER_WRITE_PREFERENCES |\
USER_CHANGE_PASSWORD |\
USER_FORCE_PASSWORD_CHANGE |\
USER_READ_GENERAL |\
USER_READ_ACCOUNT |\
USER_WRITE_ACCOUNT |\
USER_WRITE_GROUP_INFORMATION)
#define USER_READ (STANDARD_RIGHTS_READ |\
USER_READ_PREFERENCES |\
USER_READ_LOGON |\
USER_READ_ACCOUNT |\
USER_LIST_GROUPS |\
USER_READ_GROUP_INFORMATION)
#define USER_WRITE (STANDARD_RIGHTS_WRITE |\
USER_WRITE_PREFERENCES |\
USER_CHANGE_PASSWORD)
#define USER_EXECUTE (STANDARD_RIGHTS_EXECUTE |\
USER_READ_GENERAL |\
USER_CHANGE_PASSWORD)
//
// User object types
//
// begin_ntsubauth
#ifndef _NTSAM_USER_ACCOUNT_FLAGS_
//
// User account control flags...
//
#define USER_ACCOUNT_DISABLED (0x00000001)
#define USER_HOME_DIRECTORY_REQUIRED (0x00000002)
#define USER_PASSWORD_NOT_REQUIRED (0x00000004)
#define USER_TEMP_DUPLICATE_ACCOUNT (0x00000008)
#define USER_NORMAL_ACCOUNT (0x00000010)
#define USER_MNS_LOGON_ACCOUNT (0x00000020)
#define USER_INTERDOMAIN_TRUST_ACCOUNT (0x00000040)
#define USER_WORKSTATION_TRUST_ACCOUNT (0x00000080)
#define USER_SERVER_TRUST_ACCOUNT (0x00000100)
#define USER_DONT_EXPIRE_PASSWORD (0x00000200)
#define USER_ACCOUNT_AUTO_LOCKED (0x00000400)
#define USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x00000800)
#define USER_SMARTCARD_REQUIRED (0x00001000)
#define USER_TRUSTED_FOR_DELEGATION (0x00002000)
#define USER_NOT_DELEGATED (0x00004000)
#define USER_USE_DES_KEY_ONLY (0x00008000)
#define USER_DONT_REQUIRE_PREAUTH (0x00010000)
#define USER_PASSWORD_EXPIRED (0x00020000)
#define USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (0x00040000)
#define NEXT_FREE_ACCOUNT_CONTROL_BIT (USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION << 1)
#define USER_MACHINE_ACCOUNT_MASK \
( USER_INTERDOMAIN_TRUST_ACCOUNT |\
USER_WORKSTATION_TRUST_ACCOUNT |\
USER_SERVER_TRUST_ACCOUNT)
#define USER_ACCOUNT_TYPE_MASK \
( USER_TEMP_DUPLICATE_ACCOUNT |\
USER_NORMAL_ACCOUNT |\
USER_MACHINE_ACCOUNT_MASK )
//
// Logon times may be expressed in day, hour, or minute granularity.
//
// Days per week = 7
// Hours per week = 168
// Minutes per week = 10080
//
#define SAM_DAYS_PER_WEEK (7)
#define SAM_HOURS_PER_WEEK (24 * SAM_DAYS_PER_WEEK)
#define SAM_MINUTES_PER_WEEK (60 * SAM_HOURS_PER_WEEK)
typedef struct _LOGON_HOURS {
USHORT UnitsPerWeek;
//
// UnitsPerWeek is the number of equal length time units the week is
// divided into. This value is used to compute the length of the bit
// string in logon_hours. Must be less than or equal to
// SAM_UNITS_PER_WEEK (10080) for this release.
//
// LogonHours is a bit map of valid logon times. Each bit represents
// a unique division in a week. The largest bit map supported is 1260
// bytes (10080 bits), which represents minutes per week. In this case
// the first bit (bit 0, byte 0) is Sunday, 00:00:00 - 00-00:59; bit 1,
// byte 0 is Sunday, 00:01:00 - 00:01:59, etc. A NULL pointer means
// DONT_CHANGE for SamSetInformationUser() calls.
//
PUCHAR LogonHours;
} LOGON_HOURS, *PLOGON_HOURS;
typedef struct _SR_SECURITY_DESCRIPTOR {
ULONG Length;
PUCHAR SecurityDescriptor;
} SR_SECURITY_DESCRIPTOR, *PSR_SECURITY_DESCRIPTOR;
#define _NTSAM_USER_ACCOUNT_FLAG_
#endif
// end_ntsubauth
typedef enum _USER_INFORMATION_CLASS {
UserGeneralInformation = 1,
UserPreferencesInformation,
UserLogonInformation,
UserLogonHoursInformation,
UserAccountInformation,
UserNameInformation,
UserAccountNameInformation,
UserFullNameInformation,
UserPrimaryGroupInformation,
UserHomeInformation,
UserScriptInformation,
UserProfileInformation,
UserAdminCommentInformation,
UserWorkStationsInformation,
UserSetPasswordInformation,
UserControlInformation,
UserExpiresInformation,
UserInternal1Information,
UserInternal2Information,
UserParametersInformation,
UserAllInformation,
UserInternal3Information,
UserInternal4Information,
UserInternal5Information,
UserInternal4InformationNew,
UserInternal5InformationNew,
UserInternal6Information
} USER_INFORMATION_CLASS, *PUSER_INFORMATION_CLASS;
// begin_ntsubauth
#ifndef _NTSAM_USER_ALL_INFO_
#include "pshpack4.h"
typedef struct _USER_ALL_INFORMATION {
LARGE_INTEGER LastLogon;
LARGE_INTEGER LastLogoff;
LARGE_INTEGER PasswordLastSet;
LARGE_INTEGER AccountExpires;
LARGE_INTEGER PasswordCanChange;
LARGE_INTEGER PasswordMustChange;
UNICODE_STRING UserName;
UNICODE_STRING FullName;
UNICODE_STRING HomeDirectory;
UNICODE_STRING HomeDirectoryDrive;
UNICODE_STRING ScriptPath;
UNICODE_STRING ProfilePath;
UNICODE_STRING AdminComment;
UNICODE_STRING WorkStations;
UNICODE_STRING UserComment;
UNICODE_STRING Parameters;
UNICODE_STRING LmPassword;
UNICODE_STRING NtPassword;
UNICODE_STRING PrivateData;
SR_SECURITY_DESCRIPTOR SecurityDescriptor;
ULONG UserId;
ULONG PrimaryGroupId;
ULONG UserAccountControl;
ULONG WhichFields;
LOGON_HOURS LogonHours;
USHORT BadPasswordCount;
USHORT LogonCount;
USHORT CountryCode;
USHORT CodePage;
BOOLEAN LmPasswordPresent;
BOOLEAN NtPasswordPresent;
BOOLEAN PasswordExpired;
BOOLEAN PrivateDataSensitive;
} USER_ALL_INFORMATION, *PUSER_ALL_INFORMATION;
#include "poppack.h"
#define _NTSAM_USER_ALL_INFO_
#endif
// end_ntsubauth
//
// Bits to be used in UserAllInformation's WhichFields field (to indicate
// which items were queried or set).
//
#define USER_ALL_USERNAME 0x00000001
#define USER_ALL_FULLNAME 0x00000002
#define USER_ALL_USERID 0x00000004
#define USER_ALL_PRIMARYGROUPID 0x00000008
#define USER_ALL_ADMINCOMMENT 0x00000010
#define USER_ALL_USERCOMMENT 0x00000020
#define USER_ALL_HOMEDIRECTORY 0x00000040
#define USER_ALL_HOMEDIRECTORYDRIVE 0x00000080
#define USER_ALL_SCRIPTPATH 0x00000100
#define USER_ALL_PROFILEPATH 0x00000200
#define USER_ALL_WORKSTATIONS 0x00000400
#define USER_ALL_LASTLOGON 0x00000800
#define USER_ALL_LASTLOGOFF 0x00001000
#define USER_ALL_LOGONHOURS 0x00002000
#define USER_ALL_BADPASSWORDCOUNT 0x00004000
#define USER_ALL_LOGONCOUNT 0x00008000
#define USER_ALL_PASSWORDCANCHANGE 0x00010000
#define USER_ALL_PASSWORDMUSTCHANGE 0x00020000
#define USER_ALL_PASSWORDLASTSET 0x00040000
#define USER_ALL_ACCOUNTEXPIRES 0x00080000
#define USER_ALL_USERACCOUNTCONTROL 0x00100000
#ifndef _NTSAM_SAM_USER_PARMS_ // ntsubauth
#define USER_ALL_PARAMETERS 0x00200000 // ntsubauth
#define _NTSAM_SAM_USER_PARMS_ // ntsubauth
#endif // ntsubauth
#define USER_ALL_COUNTRYCODE 0x00400000
#define USER_ALL_CODEPAGE 0x00800000
#define USER_ALL_NTPASSWORDPRESENT 0x01000000 // field AND boolean
#define USER_ALL_LMPASSWORDPRESENT 0x02000000 // field AND boolean
#define USER_ALL_PRIVATEDATA 0x04000000 // field AND boolean
#define USER_ALL_PASSWORDEXPIRED 0x08000000
#define USER_ALL_SECURITYDESCRIPTOR 0x10000000
#define USER_ALL_OWFPASSWORD 0x20000000 // boolean
#define USER_ALL_UNDEFINED_MASK 0xC0000000
//
// Now define masks for fields that are accessed for read by the same
// access type.
//
// Fields that require READ_GENERAL access to read.
//
#define USER_ALL_READ_GENERAL_MASK (USER_ALL_USERNAME | \
USER_ALL_FULLNAME | \
USER_ALL_USERID | \
USER_ALL_PRIMARYGROUPID | \
USER_ALL_ADMINCOMMENT | \
USER_ALL_USERCOMMENT)
//
// Fields that require READ_LOGON access to read.
//
#define USER_ALL_READ_LOGON_MASK (USER_ALL_HOMEDIRECTORY | \
USER_ALL_HOMEDIRECTORYDRIVE | \
USER_ALL_SCRIPTPATH | \
USER_ALL_PROFILEPATH | \
USER_ALL_WORKSTATIONS | \
USER_ALL_LASTLOGON | \
USER_ALL_LASTLOGOFF | \
USER_ALL_LOGONHOURS | \
USER_ALL_BADPASSWORDCOUNT | \
USER_ALL_LOGONCOUNT | \
USER_ALL_PASSWORDCANCHANGE | \
USER_ALL_PASSWORDMUSTCHANGE)
//
// Fields that require READ_ACCOUNT access to read.
//
#define USER_ALL_READ_ACCOUNT_MASK (USER_ALL_PASSWORDLASTSET | \
USER_ALL_ACCOUNTEXPIRES | \
USER_ALL_USERACCOUNTCONTROL | \
USER_ALL_PARAMETERS)
//
// Fields that require READ_PREFERENCES access to read.
//
#define USER_ALL_READ_PREFERENCES_MASK (USER_ALL_COUNTRYCODE | \
USER_ALL_CODEPAGE)
//
// Fields that can only be read by trusted clients.
//
#define USER_ALL_READ_TRUSTED_MASK (USER_ALL_NTPASSWORDPRESENT | \
USER_ALL_LMPASSWORDPRESENT | \
USER_ALL_PASSWORDEXPIRED | \
USER_ALL_SECURITYDESCRIPTOR | \
USER_ALL_PRIVATEDATA)
//
// Fields that can't be read.
//
#define USER_ALL_READ_CANT_MASK USER_ALL_UNDEFINED_MASK
//
// Now define masks for fields that are accessed for write by the same
// access type.
//
// Fields that require WRITE_ACCOUNT access to write.
//
#define USER_ALL_WRITE_ACCOUNT_MASK (USER_ALL_USERNAME | \
USER_ALL_FULLNAME | \
USER_ALL_PRIMARYGROUPID | \
USER_ALL_HOMEDIRECTORY | \
USER_ALL_HOMEDIRECTORYDRIVE | \
USER_ALL_SCRIPTPATH | \
USER_ALL_PROFILEPATH | \
USER_ALL_ADMINCOMMENT | \
USER_ALL_WORKSTATIONS | \
USER_ALL_LOGONHOURS | \
USER_ALL_ACCOUNTEXPIRES | \
USER_ALL_USERACCOUNTCONTROL | \
USER_ALL_PARAMETERS)
//
// Fields that require WRITE_PREFERENCES access to write.
//
#define USER_ALL_WRITE_PREFERENCES_MASK (USER_ALL_USERCOMMENT | \
USER_ALL_COUNTRYCODE | \
USER_ALL_CODEPAGE)
//
// Fields that require FORCE_PASSWORD_CHANGE access to write.
//
// Note that non-trusted clients only set the NT password as a
// UNICODE string. The wrapper will convert it to an LM password,
// OWF and encrypt both versions. Trusted clients can pass in OWF
// versions of either or both.
//
#define USER_ALL_WRITE_FORCE_PASSWORD_CHANGE_MASK \
(USER_ALL_NTPASSWORDPRESENT | \
USER_ALL_LMPASSWORDPRESENT | \
USER_ALL_PASSWORDEXPIRED)
//
// Fields that can only be written by trusted clients.
//
#define USER_ALL_WRITE_TRUSTED_MASK (USER_ALL_LASTLOGON | \
USER_ALL_LASTLOGOFF | \
USER_ALL_BADPASSWORDCOUNT | \
USER_ALL_LOGONCOUNT | \
USER_ALL_PASSWORDLASTSET | \
USER_ALL_SECURITYDESCRIPTOR | \
USER_ALL_PRIVATEDATA)
//
// Fields that can't be written.
//
#define USER_ALL_WRITE_CANT_MASK (USER_ALL_USERID | \
USER_ALL_PASSWORDCANCHANGE | \
USER_ALL_PASSWORDMUSTCHANGE | \
USER_ALL_UNDEFINED_MASK)
typedef struct _USER_GENERAL_INFORMATION {
UNICODE_STRING UserName;
UNICODE_STRING FullName;
ULONG PrimaryGroupId;
UNICODE_STRING AdminComment;
UNICODE_STRING UserComment;
} USER_GENERAL_INFORMATION, *PUSER_GENERAL_INFORMATION;
typedef struct _USER_PREFERENCES_INFORMATION {
UNICODE_STRING UserComment;
UNICODE_STRING Reserved1;
USHORT CountryCode;
USHORT CodePage;
} USER_PREFERENCES_INFORMATION, *PUSER_PREFERENCES_INFORMATION;
typedef struct _USER_PARAMETERS_INFORMATION {
UNICODE_STRING Parameters;
} USER_PARAMETERS_INFORMATION, *PUSER_PARAMETERS_INFORMATION;
#include "pshpack4.h"
typedef struct _USER_LOGON_INFORMATION {
UNICODE_STRING UserName;
UNICODE_STRING FullName;
ULONG UserId;
ULONG PrimaryGroupId;
UNICODE_STRING HomeDirectory;
UNICODE_STRING HomeDirectoryDrive;
UNICODE_STRING ScriptPath;
UNICODE_STRING ProfilePath;
UNICODE_STRING WorkStations;
LARGE_INTEGER LastLogon;
LARGE_INTEGER LastLogoff;
LARGE_INTEGER PasswordLastSet;
LARGE_INTEGER PasswordCanChange;
LARGE_INTEGER PasswordMustChange;
LOGON_HOURS LogonHours;
USHORT BadPasswordCount;
USHORT LogonCount;
ULONG UserAccountControl;
} USER_LOGON_INFORMATION, *PUSER_LOGON_INFORMATION;
#include "poppack.h"
#include "pshpack4.h"
typedef struct _USER_ACCOUNT_INFORMATION {
UNICODE_STRING UserName;
UNICODE_STRING FullName;
ULONG UserId;
ULONG PrimaryGroupId;
UNICODE_STRING HomeDirectory;
UNICODE_STRING HomeDirectoryDrive;
UNICODE_STRING ScriptPath;
UNICODE_STRING ProfilePath;
UNICODE_STRING AdminComment;
UNICODE_STRING WorkStations;
LARGE_INTEGER LastLogon;
LARGE_INTEGER LastLogoff;
LOGON_HOURS LogonHours;
USHORT BadPasswordCount;
USHORT LogonCount;
LARGE_INTEGER PasswordLastSet;
LARGE_INTEGER AccountExpires;
ULONG UserAccountControl;
} USER_ACCOUNT_INFORMATION, *PUSER_ACCOUNT_INFORMATION;
#include "poppack.h"
typedef struct _USER_ACCOUNT_NAME_INFORMATION {
UNICODE_STRING UserName;
} USER_ACCOUNT_NAME_INFORMATION, *PUSER_ACCOUNT_NAME_INFORMATION;
typedef struct _USER_FULL_NAME_INFORMATION {
UNICODE_STRING FullName;
} USER_FULL_NAME_INFORMATION, *PUSER_FULL_NAME_INFORMATION;
typedef struct _USER_NAME_INFORMATION {
UNICODE_STRING UserName;
UNICODE_STRING FullName;
} USER_NAME_INFORMATION, *PUSER_NAME_INFORMATION;
typedef struct _USER_PRIMARY_GROUP_INFORMATION {
ULONG PrimaryGroupId;
} USER_PRIMARY_GROUP_INFORMATION, *PUSER_PRIMARY_GROUP_INFORMATION;
typedef struct _USER_HOME_INFORMATION {
UNICODE_STRING HomeDirectory;
UNICODE_STRING HomeDirectoryDrive;
} USER_HOME_INFORMATION, *PUSER_HOME_INFORMATION;
typedef struct _USER_SCRIPT_INFORMATION {
UNICODE_STRING ScriptPath;
} USER_SCRIPT_INFORMATION, *PUSER_SCRIPT_INFORMATION;
typedef struct _USER_PROFILE_INFORMATION {
UNICODE_STRING ProfilePath;
} USER_PROFILE_INFORMATION, *PUSER_PROFILE_INFORMATION;
typedef struct _USER_ADMIN_COMMENT_INFORMATION {
UNICODE_STRING AdminComment;
} USER_ADMIN_COMMENT_INFORMATION, *PUSER_ADMIN_COMMENT_INFORMATION;
typedef struct _USER_WORKSTATIONS_INFORMATION {
UNICODE_STRING WorkStations;
} USER_WORKSTATIONS_INFORMATION, *PUSER_WORKSTATIONS_INFORMATION;
typedef struct _USER_SET_PASSWORD_INFORMATION {
UNICODE_STRING Password;
BOOLEAN PasswordExpired;
} USER_SET_PASSWORD_INFORMATION, *PUSER_SET_PASSWORD_INFORMATION;
typedef struct _USER_CONTROL_INFORMATION {
ULONG UserAccountControl;
} USER_CONTROL_INFORMATION, *PUSER_CONTROL_INFORMATION;
typedef struct _USER_EXPIRES_INFORMATION {
#if defined(MIDL_PASS)
OLD_LARGE_INTEGER AccountExpires;
#else
LARGE_INTEGER AccountExpires;
#endif
} USER_EXPIRES_INFORMATION, *PUSER_EXPIRES_INFORMATION;
typedef struct _USER_LOGON_HOURS_INFORMATION {
LOGON_HOURS LogonHours;
} USER_LOGON_HOURS_INFORMATION, *PUSER_LOGON_HOURS_INFORMATION;
///////////////////////////////////////////////////////////////////////////
// //
// Data type used by SamChangePasswordUser3 for better error //
// reporting of password change change failures //
// //
// The field definitions are as follows: //
// //
// ExtendedFailureReason -- Indicates the reason //
// why the new password was not //
// accepted //
// //
// FilterModuleName -- If the password change was failed //
// by a password filter , the name of //
// of the filter DLL is returned in //
// here //
// //
// The following error codes are defined //
// //
// SAM_PWD_CHANGE_NO_ERROR //
// No error, cannot be returned alongwith a failure code for //
// password change //
// //
// SAM_PWD_CHANGE_PASSWORD_TOO_SHORT //
// //
// Supplied password did not meet password length policy //
// //
// SAM_PWD_CHANGE_PWD_IN_HISTORY //
// //
// History restrictions were not met //
// //
// SAM_PWD_CHANGE_USERNAME_IN_PASSWORD //
// Complexity check could not be met because the user //
// name was part of the password //
// //
// SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD //
// //
// Complexity check could not be met because the user's //
// full name was part of the password //
// //
// SAM_PWD_CHANGE_MACHINE_PASSWORD_NOT_DEFAULT //
// //
// The domain has the refuse password change setting //
// enabled. This disallows machine accounts from having //
// anything other than the default password //
// //
// SAM_PWD_CHANGE_FAILED_BY_FILTER //
// //
// The supplied new password failed by a password filter //
// the name of the filter DLL is indicated //
// //
// //
///////////////////////////////////////////////////////////////////////////
typedef struct _USER_PWD_CHANGE_FAILURE_INFORMATION {
ULONG ExtendedFailureReason;
UNICODE_STRING FilterModuleName;
} USER_PWD_CHANGE_FAILURE_INFORMATION,*PUSER_PWD_CHANGE_FAILURE_INFORMATION;
//
// Currently defined values for ExtendedFailureReason are as follows
//
#define SAM_PWD_CHANGE_NO_ERROR 0
#define SAM_PWD_CHANGE_PASSWORD_TOO_SHORT 1
#define SAM_PWD_CHANGE_PWD_IN_HISTORY 2
#define SAM_PWD_CHANGE_USERNAME_IN_PASSWORD 3
#define SAM_PWD_CHANGE_FULLNAME_IN_PASSWORD 4
#define SAM_PWD_CHANGE_NOT_COMPLEX 5
#define SAM_PWD_CHANGE_MACHINE_PASSWORD_NOT_DEFAULT 6
#define SAM_PWD_CHANGE_FAILED_BY_FILTER 7
#define SAM_PWD_CHANGE_PASSWORD_TOO_LONG 8
#define SAM_PWD_CHANGE_FAILURE_REASON_MAX 8
/////////////////////////////////////////////////////////////////////////////
// //
// Data types used by SAM and Netlogon for database replication //
// //
/////////////////////////////////////////////////////////////////////////////
typedef enum _SECURITY_DB_DELTA_TYPE {
SecurityDbNew = 1,
SecurityDbRename,
SecurityDbDelete,
SecurityDbChangeMemberAdd,
SecurityDbChangeMemberSet,
SecurityDbChangeMemberDel,
SecurityDbChange,
SecurityDbChangePassword
} SECURITY_DB_DELTA_TYPE, *PSECURITY_DB_DELTA_TYPE;
typedef enum _SECURITY_DB_OBJECT_TYPE {
SecurityDbObjectSamDomain = 1,
SecurityDbObjectSamUser,
SecurityDbObjectSamGroup,
SecurityDbObjectSamAlias,
SecurityDbObjectLsaPolicy,
SecurityDbObjectLsaTDomain,
SecurityDbObjectLsaAccount,
SecurityDbObjectLsaSecret
} SECURITY_DB_OBJECT_TYPE, *PSECURITY_DB_OBJECT_TYPE;
//
// Account types
//
// Both enumerated types and flag definitions are provided.
// The flag definitions are used in places where more than
// one type of account may be specified together.
//
typedef enum _SAM_ACCOUNT_TYPE {
SamObjectUser = 1,
SamObjectGroup ,
SamObjectAlias
} SAM_ACCOUNT_TYPE, *PSAM_ACCOUNT_TYPE;
#define SAM_USER_ACCOUNT (0x00000001)
#define SAM_GLOBAL_GROUP_ACCOUNT (0x00000002)
#define SAM_LOCAL_GROUP_ACCOUNT (0x00000004)
//
// Define the data type used to pass netlogon information on the account
// that was added or deleted from a group.
//
typedef struct _SAM_GROUP_MEMBER_ID {
ULONG MemberRid;
} SAM_GROUP_MEMBER_ID, *PSAM_GROUP_MEMBER_ID;
//
// Define the data type used to pass netlogon information on the account
// that was added or deleted from an alias.
//
typedef struct _SAM_ALIAS_MEMBER_ID {
PSID MemberSid;
} SAM_ALIAS_MEMBER_ID, *PSAM_ALIAS_MEMBER_ID;
//
// Define the data type used to pass netlogon information on a delta
//
typedef union _SAM_DELTA_DATA {
//
// Delta type ChangeMember{Add/Del/Set} and account type group
//
SAM_GROUP_MEMBER_ID GroupMemberId;
//
// Delta type ChangeMember{Add/Del/Set} and account type alias
//
SAM_ALIAS_MEMBER_ID AliasMemberId;
//
// Delta type AddOrChange and account type User
//
ULONG AccountControl;
} SAM_DELTA_DATA, *PSAM_DELTA_DATA;
//
// Prototype for delta notification routine.
//
typedef NTSTATUS (*PSAM_DELTA_NOTIFICATION_ROUTINE) (
IN PSID DomainSid,
IN SECURITY_DB_DELTA_TYPE DeltaType,
IN SECURITY_DB_OBJECT_TYPE ObjectType,
IN ULONG ObjectRid,
IN OPTIONAL PUNICODE_STRING ObjectName,
IN PLARGE_INTEGER ModifiedCount,
IN PSAM_DELTA_DATA DeltaData OPTIONAL
);
#define SAM_DELTA_NOTIFY_ROUTINE "DeltaNotify"
//////////////////////////////////////////////////////////////////
// //
// Structure and ProtoType for RAS User Parameters //
// //
//////////////////////////////////////////////////////////////////
// Flags used by SAM UserParms Migration
// indicate UserParmsConvert is called during upgrade.
#define SAM_USERPARMS_DURING_UPGRADE 0x00000001
typedef struct _SAM_USERPARMS_ATTRVALS {
ULONG length; // length of the attribute.
PVOID value; // pointer to the value.
} SAM_USERPARMS_ATTRVALS, *PSAM_USERPARMS_ATTRVALS; // describes one value of the attribute.
typedef enum _SAM_USERPARMS_ATTRSYNTAX {
Syntax_Attribute = 1,
Syntax_EncryptedAttribute
} SAM_USERPARMS_ATTRSYNTAX; // indicates whether attributes are encrypted or not.
typedef struct _SAM_USERPARMS_ATTR {
UNICODE_STRING AttributeIdentifier; // This will be the LDAP display name of the attribute.
// SAM will perform the translation to attribute ID.
// unless the specified syntax is type EncryptedAttribute,
// in which case it is packaged as part of supplemental
// credentials blob and the name identifes the package name.
// Encrypted attribute will be supplied in the clear ie decrypted.
SAM_USERPARMS_ATTRSYNTAX Syntax;
ULONG CountOfValues; // The count of values in the attribute.
SAM_USERPARMS_ATTRVALS * Values; // pointer to an array of values representing the data
// values of the attribute.
} SAM_USERPARMS_ATTR, *PSAM_USERPARMS_ATTR; // describes an attribute and the set of values associated with it.
typedef struct _SAM_USERPARMS_ATTRBLOCK {
ULONG attCount;
SAM_USERPARMS_ATTR * UserParmsAttr;
} SAM_USERPARMS_ATTRBLOCK, *PSAM_USERPARMS_ATTRBLOCK; // describes an array of attributes
typedef NTSTATUS (*PSAM_USERPARMS_CONVERT_NOTIFICATION_ROUTINE) (
IN ULONG Flags,
IN PSID DomainSid,
IN ULONG ObjectRid, // identifies the object
IN ULONG UserParmsLengthOrig,
IN PVOID UserParmsOrig,
IN ULONG UserParmsLengthNew,
IN PVOID UserParmsNew,
OUT PSAM_USERPARMS_ATTRBLOCK * UserParmsAttrBlock
);
#define SAM_USERPARMS_CONVERT_NOTIFICATION_ROUTINE "UserParmsConvert"
typedef VOID (*PSAM_USERPARMS_ATTRBLOCK_FREE_ROUTINE) (
IN PSAM_USERPARMS_ATTRBLOCK UserParmsAttrBlock
);
#define SAM_USERPARMS_ATTRBLOCK_FREE_ROUTINE "UserParmsFree"
//////////////////////////////////////////////////////////////////
// //
// Return Values for Compatiblity Mode //
// //
//////////////////////////////////////////////////////////////////
// All SAM attributes are accessible
#define SAM_SID_COMPATIBILITY_ALL 0
// Rid field can be returned to caller as 0
// No writes to PrimaryGroupId allowed
#define SAM_SID_COMPATIBILITY_LAX 1
// NET API Information levels that ask for RID are to failed
// No writes to PrimaryGroupId allowed
#define SAM_SID_COMPATIBILITY_STRICT 2
///////////////////////////////////////////////////////////////////////////////
// //
// APIs Exported By SAM //
// //
///////////////////////////////////////////////////////////////////////////////
NTSTATUS
SamFreeMemory(
IN PVOID Buffer
);
NTSTATUS
SamSetSecurityObject(
IN SAM_HANDLE ObjectHandle,
IN SECURITY_INFORMATION SecurityInformation,
IN PSECURITY_DESCRIPTOR SecurityDescriptor
);
NTSTATUS
SamQuerySecurityObject(
IN SAM_HANDLE ObjectHandle,
IN SECURITY_INFORMATION SecurityInformation,
OUT PSECURITY_DESCRIPTOR *SecurityDescriptor
);
NTSTATUS
SamCloseHandle(
IN SAM_HANDLE SamHandle
);
NTSTATUS
SamConnect(
IN PUNICODE_STRING ServerName,
OUT PSAM_HANDLE ServerHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
NTSTATUS
SamShutdownSamServer(
IN SAM_HANDLE ServerHandle
);
NTSTATUS
SamLookupDomainInSamServer(
IN SAM_HANDLE ServerHandle,
IN PUNICODE_STRING Name,
OUT PSID * DomainId
);
NTSTATUS
SamEnumerateDomainsInSamServer(
IN SAM_HANDLE ServerHandle,
IN OUT PSAM_ENUMERATE_HANDLE EnumerationContext,
OUT PVOID *Buffer,
IN ULONG PreferedMaximumLength,
OUT PULONG CountReturned
);
NTSTATUS
SamOpenDomain(
IN SAM_HANDLE ServerHandle,
IN ACCESS_MASK DesiredAccess,
IN PSID DomainId,
OUT PSAM_HANDLE DomainHandle
);
NTSTATUS
SamQueryInformationDomain(
IN SAM_HANDLE DomainHandle,
IN DOMAIN_INFORMATION_CLASS DomainInformationClass,
OUT PVOID *Buffer
);
NTSTATUS
SamSetInformationDomain(
IN SAM_HANDLE DomainHandle,
IN DOMAIN_INFORMATION_CLASS DomainInformationClass,
IN PVOID DomainInformation
);
NTSTATUS
SamCreateGroupInDomain(
IN SAM_HANDLE DomainHandle,
IN PUNICODE_STRING AccountName,
IN ACCESS_MASK DesiredAccess,
OUT PSAM_HANDLE GroupHandle,
OUT PULONG RelativeId
);
NTSTATUS
SamEnumerateGroupsInDomain(
IN SAM_HANDLE DomainHandle,
IN OUT PSAM_ENUMERATE_HANDLE EnumerationContext,
OUT PVOID *Buffer,
IN ULONG PreferedMaximumLength,
OUT PULONG CountReturned
);
NTSTATUS
SamCreateUser2InDomain(
IN SAM_HANDLE DomainHandle,
IN PUNICODE_STRING AccountName,
IN ULONG AccountType,
IN ACCESS_MASK DesiredAccess,
OUT PSAM_HANDLE UserHandle,
OUT PULONG GrantedAccess,
OUT PULONG RelativeId
);
NTSTATUS
SamCreateUserInDomain(
IN SAM_HANDLE DomainHandle,
IN PUNICODE_STRING AccountName,
IN ACCESS_MASK DesiredAccess,
OUT PSAM_HANDLE UserHandle,
OUT PULONG RelativeId
);
NTSTATUS
SamEnumerateUsersInDomain(
IN SAM_HANDLE DomainHandle,
IN OUT PSAM_ENUMERATE_HANDLE EnumerationContext,
IN ULONG UserAccountControl,
OUT PVOID *Buffer,
IN ULONG PreferedMaximumLength,
OUT PULONG CountReturned
);
NTSTATUS
SamCreateAliasInDomain(
IN SAM_HANDLE DomainHandle,
IN PUNICODE_STRING AccountName,
IN ACCESS_MASK DesiredAccess,
OUT PSAM_HANDLE AliasHandle,
OUT PULONG RelativeId
);
NTSTATUS
SamEnumerateAliasesInDomain(
IN SAM_HANDLE DomainHandle,
IN OUT PSAM_ENUMERATE_HANDLE EnumerationContext,
IN PVOID *Buffer,
IN ULONG PreferedMaximumLength,
OUT PULONG CountReturned
);
NTSTATUS
SamGetAliasMembership(
IN SAM_HANDLE DomainHandle,
IN ULONG PassedCount,
IN PSID *Sids,
OUT PULONG MembershipCount,
OUT PULONG *Aliases
);
NTSTATUS
SamLookupNamesInDomain(
IN SAM_HANDLE DomainHandle,
IN ULONG Count,
IN PUNICODE_STRING Names,
OUT PULONG *RelativeIds,
OUT PSID_NAME_USE *Use
);
NTSTATUS
SamLookupIdsInDomain(
IN SAM_HANDLE DomainHandle,
IN ULONG Count,
IN PULONG RelativeIds,
OUT PUNICODE_STRING *Names,
OUT PSID_NAME_USE *Use
);
NTSTATUS
SamOpenGroup(
IN SAM_HANDLE DomainHandle,
IN ACCESS_MASK DesiredAccess,
IN ULONG GroupId,
OUT PSAM_HANDLE GroupHandle
);
NTSTATUS
SamQueryInformationGroup(
IN SAM_HANDLE GroupHandle,
IN GROUP_INFORMATION_CLASS GroupInformationClass,
OUT PVOID *Buffer
);
NTSTATUS
SamSetInformationGroup(
IN SAM_HANDLE GroupHandle,
IN GROUP_INFORMATION_CLASS GroupInformationClass,
IN PVOID Buffer
);
NTSTATUS
SamAddMemberToGroup(
IN SAM_HANDLE GroupHandle,
IN ULONG MemberId,
IN ULONG Attributes
);
NTSTATUS
SamDeleteGroup(
IN SAM_HANDLE GroupHandle
);
NTSTATUS
SamRemoveMemberFromGroup(
IN SAM_HANDLE GroupHandle,
IN ULONG MemberId
);
NTSTATUS
SamGetMembersInGroup(
IN SAM_HANDLE GroupHandle,
OUT PULONG * MemberIds,
OUT PULONG * Attributes,
OUT PULONG MemberCount
);
NTSTATUS
SamSetMemberAttributesOfGroup(
IN SAM_HANDLE GroupHandle,
IN ULONG MemberId,
IN ULONG Attributes
);
NTSTATUS
SamOpenAlias(
IN SAM_HANDLE DomainHandle,
IN ACCESS_MASK DesiredAccess,
IN ULONG AliasId,
OUT PSAM_HANDLE AliasHandle
);
NTSTATUS
SamQueryInformationAlias(
IN SAM_HANDLE AliasHandle,
IN ALIAS_INFORMATION_CLASS AliasInformationClass,
OUT PVOID *Buffer
);
NTSTATUS
SamSetInformationAlias(
IN SAM_HANDLE AliasHandle,
IN ALIAS_INFORMATION_CLASS AliasInformationClass,
IN PVOID Buffer
);
NTSTATUS
SamDeleteAlias(
IN SAM_HANDLE AliasHandle
);
NTSTATUS
SamAddMemberToAlias(
IN SAM_HANDLE AliasHandle,
IN PSID MemberId
);
NTSTATUS
SamAddMultipleMembersToAlias(
IN SAM_HANDLE AliasHandle,
IN PSID *MemberIds,
IN ULONG MemberCount
);
NTSTATUS
SamRemoveMemberFromAlias(
IN SAM_HANDLE AliasHandle,
IN PSID MemberId
);
NTSTATUS
SamRemoveMultipleMembersFromAlias(
IN SAM_HANDLE AliasHandle,
IN PSID *MemberIds,
IN ULONG MemberCount
);
NTSTATUS
SamRemoveMemberFromForeignDomain(
IN SAM_HANDLE DomainHandle,
IN PSID MemberId
);
NTSTATUS
SamGetMembersInAlias(
IN SAM_HANDLE AliasHandle,
OUT PSID **MemberIds,
OUT PULONG MemberCount
);
NTSTATUS
SamOpenUser(
IN SAM_HANDLE DomainHandle,
IN ACCESS_MASK DesiredAccess,
IN ULONG UserId,
OUT PSAM_HANDLE UserHandle
);
NTSTATUS
SamDeleteUser(
IN SAM_HANDLE UserHandle
);
NTSTATUS
SamQueryInformationUser(
IN SAM_HANDLE UserHandle,
IN USER_INFORMATION_CLASS UserInformationClass,
OUT PVOID * Buffer
);
NTSTATUS
SamSetInformationUser(
IN SAM_HANDLE UserHandle,
IN USER_INFORMATION_CLASS UserInformationClass,
IN PVOID Buffer
);
NTSTATUS
SamChangePasswordUser(
IN SAM_HANDLE UserHandle,
IN PUNICODE_STRING OldPassword,
IN PUNICODE_STRING NewPassword
);
NTSTATUS
SamChangePasswordUser2(
IN PUNICODE_STRING ServerName,
IN PUNICODE_STRING UserName,
IN PUNICODE_STRING OldPassword,
IN PUNICODE_STRING NewPassword
);
NTSTATUS
SamChangePasswordUser3(
IN PUNICODE_STRING ServerName,
IN PUNICODE_STRING UserName,
IN PUNICODE_STRING OldPassword,
IN PUNICODE_STRING NewPassword,
OUT PDOMAIN_PASSWORD_INFORMATION * EffectivePasswordPolicy,
OUT PUSER_PWD_CHANGE_FAILURE_INFORMATION *PasswordChangeFailureInfo
);
NTSTATUS
SamGetGroupsForUser(
IN SAM_HANDLE UserHandle,
OUT PGROUP_MEMBERSHIP * Groups,
OUT PULONG MembershipCount
);
NTSTATUS
SamQueryDisplayInformation (
IN SAM_HANDLE DomainHandle,
IN DOMAIN_DISPLAY_INFORMATION DisplayInformation,
IN ULONG Index,
IN ULONG EntryCount,
IN ULONG PreferredMaximumLength,
OUT PULONG TotalAvailable,
OUT PULONG TotalReturned,
OUT PULONG ReturnedEntryCount,
OUT PVOID *SortedBuffer
);
NTSTATUS
SamGetDisplayEnumerationIndex (
IN SAM_HANDLE DomainHandle,
IN DOMAIN_DISPLAY_INFORMATION DisplayInformation,
IN PUNICODE_STRING Prefix,
OUT PULONG Index
);
NTSTATUS
SamRidToSid(
IN SAM_HANDLE ObjectHandle,
IN ULONG Rid,
OUT PSID* Sid
);
NTSTATUS
SamGetCompatibilityMode(
IN SAM_HANDLE ObjectHandle,
OUT ULONG* Mode
);
////////////////////////////////////////////////////////////////////////////
// //
// Interface definitions of services provided by a password filter DLL //
// //
////////////////////////////////////////////////////////////////////////////
//
// Routine names
//
// The routines provided by the DLL must be assigned the following names
// so that their addresses can be retrieved when the DLL is loaded.
//
//
// routine templates
//
//
// These guards are in place to allow ntsam.h and ntsecapi.h
// to be included in the same file.
//
// begin_ntsecapi
#ifndef _PASSWORD_NOTIFICATION_DEFINED
#define _PASSWORD_NOTIFICATION_DEFINED
typedef NTSTATUS (*PSAM_PASSWORD_NOTIFICATION_ROUTINE) (
PUNICODE_STRING UserName,
ULONG RelativeId,
PUNICODE_STRING NewPassword
);
#define SAM_PASSWORD_CHANGE_NOTIFY_ROUTINE "PasswordChangeNotify"
typedef BOOLEAN (*PSAM_INIT_NOTIFICATION_ROUTINE) (
);
#define SAM_INIT_NOTIFICATION_ROUTINE "InitializeChangeNotify"
#define SAM_PASSWORD_FILTER_ROUTINE "PasswordFilter"
typedef BOOLEAN (*PSAM_PASSWORD_FILTER_ROUTINE) (
IN PUNICODE_STRING AccountName,
IN PUNICODE_STRING FullName,
IN PUNICODE_STRING Password,
IN BOOLEAN SetOperation
);
#endif // _PASSWORD_NOTIFICATION_DEFINED
// end_ntsecapi
// begin_ntsecpkg
#ifndef _SAM_CREDENTIAL_UPDATE_DEFINED
#define _SAM_CREDENTIAL_UPDATE_DEFINED
typedef NTSTATUS (*PSAM_CREDENTIAL_UPDATE_NOTIFY_ROUTINE) (
IN PUNICODE_STRING ClearPassword,
IN PVOID OldCredentials,
IN ULONG OldCredentialSize,
IN ULONG UserAccountControl,
IN PUNICODE_STRING UPN, OPTIONAL
IN PUNICODE_STRING UserName,
IN PUNICODE_STRING NetbiosDomainName,
IN PUNICODE_STRING DnsDomainName,
OUT PVOID * NewCredentials,
OUT ULONG * NewCredentialSize
);
#define SAM_CREDENTIAL_UPDATE_NOTIFY_ROUTINE "CredentialUpdateNotify"
typedef BOOLEAN (*PSAM_CREDENTIAL_UPDATE_REGISTER_ROUTINE) (
OUT PUNICODE_STRING CredentialName
);
#define SAM_CREDENTIAL_UPDATE_REGISTER_ROUTINE "CredentialUpdateRegister"
typedef VOID (*PSAM_CREDENTIAL_UPDATE_FREE_ROUTINE) (
IN PVOID p
);
#define SAM_CREDENTIAL_UPDATE_FREE_ROUTINE "CredentialUpdateFree"
#endif // _SAM_CREDENTIAL_UPDATE_DEFINED
// end_ntsecpkg
#ifdef __cplusplus
}
#endif
#endif // _NTSAM_
Reference in a new issue View git blame Copy permalink