[MS-SAMR]:

Security Account Manager (SAM) Remote Protocol (Client-to-Server)

Intellectual Property Rights Notice for Open Specifications Documentation

•  Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions.

•  Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation.

•  No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

•  Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting .

•  License Programs. To see all of the protocols in scope under a specific license program and the associated patents, visit the Patent Map.

•  Trademarks. The names of companies and products contained in this documentation might be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit www.microsoft.com/trademarks.

•  Fictitious Names. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events that are depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than as specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications documentation does not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments, you are free to take advantage of them. Certain Open Specifications documents are intended for use in conjunction with publicly available standards specifications and network programming art and, as such, assume that the reader either is familiar with the aforementioned material or has immediate access to it.

Support. For questions and support, please contact .

Revision Summary

Date / Revision History / Revision Class / Comments
2/22/2007 / 0.01 / New / Version 0.01 release
6/1/2007 / 1.0 / Major / Updated and revised the technical content.
7/3/2007 / 2.0 / Major / Added example.
7/20/2007 / 3.0 / Major / Rewrite of keying algorithms; clarification of user account enabling.
8/10/2007 / 3.0.1 / Editorial / Changed language and formatting in the technical content.
9/28/2007 / 3.0.2 / Editorial / Changed language and formatting in the technical content.
10/23/2007 / 3.1 / Minor / Clarified the meaning of the technical content.
11/30/2007 / 3.2 / Minor / Clarified the meaning of the technical content.
1/25/2008 / 4.0 / Major / Updated and revised the technical content.
3/14/2008 / 4.1 / Minor / Clarified the meaning of the technical content.
5/16/2008 / 4.1.1 / Editorial / Changed language and formatting in the technical content.
6/20/2008 / 5.0 / Major / Updated and revised the technical content.
7/25/2008 / 6.0 / Major / Updated and revised the technical content.
8/29/2008 / 7.0 / Major / Updated and revised the technical content.
10/24/2008 / 8.0 / Major / Updated and revised the technical content.
12/5/2008 / 9.0 / Major / Updated and revised the technical content.
1/16/2009 / 10.0 / Major / Updated and revised the technical content.
2/27/2009 / 11.0 / Major / Updated and revised the technical content.
4/10/2009 / 12.0 / Major / Updated and revised the technical content.
5/22/2009 / 13.0 / Major / Updated and revised the technical content.
7/2/2009 / 14.0 / Major / Updated and revised the technical content.
8/14/2009 / 15.0 / Major / Updated and revised the technical content.
9/25/2009 / 16.0 / Major / Updated and revised the technical content.
11/6/2009 / 17.0 / Major / Updated and revised the technical content.
12/18/2009 / 18.0 / Major / Updated and revised the technical content.
1/29/2010 / 19.0 / Major / Updated and revised the technical content.
3/12/2010 / 20.0 / Major / Updated and revised the technical content.
4/23/2010 / 21.0 / Major / Updated and revised the technical content.
6/4/2010 / 22.0 / Major / Updated and revised the technical content.
7/16/2010 / 23.0 / Major / Updated and revised the technical content.
8/27/2010 / 23.1 / Minor / Clarified the meaning of the technical content.
10/8/2010 / 24.0 / Major / Updated and revised the technical content.
11/19/2010 / 25.0 / Major / Updated and revised the technical content.
1/7/2011 / 26.0 / Major / Updated and revised the technical content.
2/11/2011 / 27.0 / Major / Updated and revised the technical content.
3/25/2011 / 28.0 / Major / Updated and revised the technical content.
5/6/2011 / 29.0 / Major / Updated and revised the technical content.
6/17/2011 / 29.1 / Minor / Clarified the meaning of the technical content.
9/23/2011 / 30.0 / Major / Updated and revised the technical content.
12/16/2011 / 31.0 / Major / Updated and revised the technical content.
3/30/2012 / 31.0 / None / No changes to the meaning, language, or formatting of the technical content.
7/12/2012 / 31.1 / Minor / Clarified the meaning of the technical content.
10/25/2012 / 32.0 / Major / Updated and revised the technical content.
1/31/2013 / 33.0 / Major / Updated and revised the technical content.
8/8/2013 / 34.0 / Major / Updated and revised the technical content.
11/14/2013 / 34.0 / None / No changes to the meaning, language, or formatting of the technical content.
2/13/2014 / 34.0 / None / No changes to the meaning, language, or formatting of the technical content.
5/15/2014 / 34.0 / None / No changes to the meaning, language, or formatting of the technical content.
6/30/2015 / 35.0 / Major / Significantly changed the technical content.
10/16/2015 / 36.0 / Major / Significantly changed the technical content.
7/14/2016 / 37.0 / Major / Significantly changed the technical content.
6/1/2017 / 38.0 / Major / Significantly changed the technical content.

Table of Contents

1 Introduction
1.1 Glossary
1.2 References
1.2.1 Normative References
1.2.2 Informative References
1.3 Overview
1.3.1 Object-Based Perspective
1.3.2 Method-Based Perspective
1.4 Relationship to Other Protocols
1.5 Prerequisites/Preconditions
1.6 Applicability Statement
1.7 Versioning and Capability Negotiation
1.7.1 Method Introduction
1.7.2 Method Versioning
1.7.3 Introduction to Information Levels
1.8 Vendor-Extensible Fields
1.9 Standards Assignments
2 Messages
2.1 Transport
2.2 Common Data Types
2.2.1 Constant Value Definitions
2.2.1.1 Common ACCESS_MASK Values
2.2.1.2 Generic ACCESS_MASK Values
2.2.1.3 Server ACCESS_MASK Values
2.2.1.4 Domain ACCESS_MASK Values
2.2.1.5 Group ACCESS_MASK Values
2.2.1.6 Alias ACCESS_MASK Values
2.2.1.7 User ACCESS_MASK Values
2.2.1.8 USER_ALL Values
2.2.1.9 ACCOUNT_TYPE Values
2.2.1.10 SE_GROUP Attributes
2.2.1.11 GROUP_TYPE Codes
2.2.1.12 USER_ACCOUNT Codes
2.2.1.13 UF_FLAG Codes
2.2.1.14 Predefined RIDs
2.2.1.15 STATUS_ Codes
2.2.1.16 Transport Error Code
2.2.1.17 AD ACCESS_MASK
2.2.2 Basic Data Types
2.2.2.1 RPC_STRING, PRPC_STRING
2.2.2.2 OLD_LARGE_INTEGER
2.2.2.3 SID_NAME_USE
2.2.2.4 RPC_SHORT_BLOB
2.2.3 Miscellaneous Protocol-Specific Types
2.2.3.1 PSAMPR_SERVER_NAME
2.2.3.2 SAMPR_HANDLE
2.2.3.3 ENCRYPTED_LM_OWF_PASSWORD, ENCRYPTED_NT_OWF_PASSWORD
2.2.3.4 SAMPR_ULONG_ARRAY
2.2.3.5 SAMPR_SID_INFORMATION
2.2.3.6 SAMPR_PSID_ARRAY
2.2.3.7 SAMPR_PSID_ARRAY_OUT
2.2.3.8 SAMPR_RETURNED_USTRING_ARRAY
2.2.3.9 SAMPR_RID_ENUMERATION
2.2.3.10 SAMPR_ENUMERATION_BUFFER
2.2.3.11 SAMPR_SR_SECURITY_DESCRIPTOR
2.2.3.12 GROUP_MEMBERSHIP
2.2.3.13 SAMPR_GET_GROUPS_BUFFER
2.2.3.14 SAMPR_GET_MEMBERS_BUFFER
2.2.3.15 SAMPR_REVISION_INFO_V1
2.2.3.16 SAMPR_REVISION_INFO
2.2.3.17 USER_DOMAIN_PASSWORD_INFORMATION
2.2.4 Domain Query/Set Data Types
2.2.4.1 Domain Fields
2.2.4.2 DOMAIN_SERVER_ENABLE_STATE
2.2.4.3 DOMAIN_STATE_INFORMATION
2.2.4.4 DOMAIN_SERVER_ROLE
2.2.4.5 DOMAIN_PASSWORD_INFORMATION
2.2.4.6 DOMAIN_LOGOFF_INFORMATION
2.2.4.7 DOMAIN_SERVER_ROLE_INFORMATION
2.2.4.8 DOMAIN_MODIFIED_INFORMATION
2.2.4.9 DOMAIN_MODIFIED_INFORMATION2
2.2.4.10 SAMPR_DOMAIN_GENERAL_INFORMATION
2.2.4.11 SAMPR_DOMAIN_GENERAL_INFORMATION2
2.2.4.12 SAMPR_DOMAIN_OEM_INFORMATION
2.2.4.13 SAMPR_DOMAIN_NAME_INFORMATION
2.2.4.14 SAMPR_DOMAIN_REPLICATION_INFORMATION
2.2.4.15 SAMPR_DOMAIN_LOCKOUT_INFORMATION
2.2.4.16 DOMAIN_INFORMATION_CLASS
2.2.4.17 SAMPR_DOMAIN_INFO_BUFFER
2.2.5 Group Query/Set Data Types
2.2.5.1 Common Group Fields
2.2.5.2 GROUP_ATTRIBUTE_INFORMATION
2.2.5.3 SAMPR_GROUP_GENERAL_INFORMATION
2.2.5.4 SAMPR_GROUP_NAME_INFORMATION
2.2.5.5 SAMPR_GROUP_ADM_COMMENT_INFORMATION
2.2.5.6 GROUP_INFORMATION_CLASS
2.2.5.7 SAMPR_GROUP_INFO_BUFFER
2.2.6 Alias Query/Set Data Types
2.2.6.1 Common Alias Fields
2.2.6.2 SAMPR_ALIAS_GENERAL_INFORMATION
2.2.6.3 SAMPR_ALIAS_NAME_INFORMATION
2.2.6.4 SAMPR_ALIAS_ADM_COMMENT_INFORMATION
2.2.6.5 ALIAS_INFORMATION_CLASS
2.2.6.6 SAMPR_ALIAS_INFO_BUFFER
2.2.7 User Query/Set Data Types
2.2.7.1 Common User Fields
2.2.7.2 USER_PRIMARY_GROUP_INFORMATION
2.2.7.3 USER_CONTROL_INFORMATION
2.2.7.4 USER_EXPIRES_INFORMATION
2.2.7.5 SAMPR_LOGON_HOURS
2.2.7.6 SAMPR_USER_ALL_INFORMATION
2.2.7.7 SAMPR_USER_GENERAL_INFORMATION
2.2.7.8 SAMPR_USER_PREFERENCES_INFORMATION
2.2.7.9 SAMPR_USER_PARAMETERS_INFORMATION
2.2.7.10 SAMPR_USER_LOGON_INFORMATION
2.2.7.11 SAMPR_USER_ACCOUNT_INFORMATION
2.2.7.12 SAMPR_USER_A_NAME_INFORMATION
2.2.7.13 SAMPR_USER_F_NAME_INFORMATION
2.2.7.14 SAMPR_USER_NAME_INFORMATION
2.2.7.15 SAMPR_USER_HOME_INFORMATION
2.2.7.16 SAMPR_USER_SCRIPT_INFORMATION
2.2.7.17 SAMPR_USER_PROFILE_INFORMATION
2.2.7.18 SAMPR_USER_ADMIN_COMMENT_INFORMATION
2.2.7.19 SAMPR_USER_WORKSTATIONS_INFORMATION
2.2.7.20 SAMPR_USER_LOGON_HOURS_INFORMATION
2.2.7.21 SAMPR_ENCRYPTED_USER_PASSWORD
2.2.7.22 SAMPR_ENCRYPTED_USER_PASSWORD_NEW
2.2.7.23 SAMPR_USER_INTERNAL1_INFORMATION
2.2.7.24 SAMPR_USER_INTERNAL4_INFORMATION
2.2.7.25 SAMPR_USER_INTERNAL4_INFORMATION_NEW
2.2.7.26 SAMPR_USER_INTERNAL5_INFORMATION
2.2.7.27 SAMPR_USER_INTERNAL5_INFORMATION_NEW
2.2.7.28 USER_INFORMATION_CLASS
2.2.7.29 SAMPR_USER_INFO_BUFFER
2.2.8 Selective Enumerate Associated Structures
2.2.8.1 Common Selective Enumerate Fields
2.2.8.2 SAMPR_DOMAIN_DISPLAY_USER
2.2.8.3 SAMPR_DOMAIN_DISPLAY_MACHINE
2.2.8.4 SAMPR_DOMAIN_DISPLAY_GROUP
2.2.8.5 SAMPR_DOMAIN_DISPLAY_OEM_USER
2.2.8.6 SAMPR_DOMAIN_DISPLAY_OEM_GROUP
2.2.8.7 SAMPR_DOMAIN_DISPLAY_USER_BUFFER
2.2.8.8 SAMPR_DOMAIN_DISPLAY_MACHINE_BUFFER
2.2.8.9 SAMPR_DOMAIN_DISPLAY_GROUP_BUFFER
2.2.8.10 SAMPR_DOMAIN_DISPLAY_OEM_USER_BUFFER
2.2.8.11 SAMPR_DOMAIN_DISPLAY_OEM_GROUP_BUFFER
2.2.8.12 DOMAIN_DISPLAY_INFORMATION
2.2.8.13 SAMPR_DISPLAY_INFO_BUFFER
2.2.9 SamrValidatePassword Data Types
2.2.9.1 SAM_VALIDATE_PASSWORD_HASH
2.2.9.2 SAM_VALIDATE_PERSISTED_FIELDS
2.2.9.3 SAM_VALIDATE_VALIDATION_STATUS
2.2.9.4 SAM_VALIDATE_STANDARD_OUTPUT_ARG
2.2.9.5 SAM_VALIDATE_AUTHENTICATION_INPUT_ARG
2.2.9.6 SAM_VALIDATE_PASSWORD_CHANGE_INPUT_ARG
2.2.9.7 SAM_VALIDATE_PASSWORD_RESET_INPUT_ARG
2.2.9.8 PASSWORD_POLICY_VALIDATION_TYPE
2.2.9.9 SAM_VALIDATE_INPUT_ARG
2.2.9.10 SAM_VALIDATE_OUTPUT_ARG
2.2.10 Supplemental Credentials Structures
2.2.10.1 USER_PROPERTIES
2.2.10.2 USER_PROPERTY
2.2.10.3 Primary:WDigest - WDIGEST_CREDENTIALS
2.2.10.4 Primary:Kerberos - KERB_STORED_CREDENTIAL
2.2.10.5 KERB_KEY_DATA
2.2.10.6 Primary:Kerberos-Newer-Keys - KERB_STORED_CREDENTIAL_NEW
2.2.10.7 KERB_KEY_DATA_NEW
2.2.10.8 Kerberos Encryption Algorithm Identifiers
2.2.10.9 NTLM-Strong-NTOWF
2.2.11 Common Algorithms
2.2.11.1 DES-ECB-LM
2.2.11.1.1 Encrypting an NT or LM Hash Value with a Specified Key
2.2.11.1.2 Encrypting a 64-Bit Block with a 7-Byte Key
2.2.11.1.3 Deriving Key1 and Key2 from a Little-Endian, Unsigned Integer Key
2.2.11.1.4 Deriving Key1 and Key2 from a 16-Byte Key
2.3 Directory Service Schema Elements
3 Protocol Details
3.1 Server Details
3.1.1 Abstract Data Model
3.1.1.1 String Handling
3.1.1.2 String Matching
3.1.1.3 Attribute Listing
3.1.1.4 Object Class List
3.1.1.5 Password Settings Attributes for Originating Update Constraints
3.1.1.6 Attribute Constraints for Originating Updates
3.1.1.7 Additional Update Constraints
3.1.1.7.1 General Password Policy
3.1.1.7.2 Cleartext Password Policy
3.1.1.8 Attribute Triggers for Originating Updates
3.1.1.8.1 objectClass
3.1.1.8.2 primaryGroupID
3.1.1.8.3 lockoutTime
3.1.1.8.4 sAMAccountName
3.1.1.8.5 clearTextPassword
3.1.1.8.6 dBCSPwd
3.1.1.8.7 unicodePwd
3.1.1.8.8 pwdLastSet
3.1.1.8.9 member
3.1.1.8.10 userAccountControl
3.1.1.8.11 supplementalCredentials
3.1.1.8.11.1 Processing
3.1.1.8.11.1.1 USER_PROPERTIES Processing
3.1.1.8.11.1.2 USER_PROPERTY Processing
3.1.1.8.11.2 Packages Property
3.1.1.8.11.3 Primary:WDigest Property
3.1.1.8.11.3.1 WDIGEST_CREDENTIALS Construction
3.1.1.8.11.4 Primary:Kerberos Property
3.1.1.8.11.5 Primary:CLEARTEXT Property
3.1.1.8.11.6 Primary:Kerberos-Newer-Keys Property
3.1.1.8.11.7 Primary:NTLM-Strong-NTOWF Property
3.1.1.9 Additional Update Triggers
3.1.1.9.1 Password History Update
3.1.1.9.2 objectSid Value Generation
3.1.1.9.2.1 DC Configuration
3.1.1.9.2.2 Non-DC Configuration
3.1.1.10 SamContextHandle Data Model
3.1.2 Security Model
3.1.2.1 Standard Handle-Based Access Checks
3.1.2.2 AD Access Checks in DC Configuration
3.1.2.3 Acquiring an SMB Session Key
3.1.3 Timers
3.1.4 Initialization
3.1.4.1 Default Access
3.1.4.2 Default Accounts
3.1.5 Message Processing Events and Sequencing Rules
3.1.5.1 Open Pattern
3.1.5.1.1 SamrConnect5 (Opnum 64)
3.1.5.1.2 SamrConnect4 (Opnum 62)
3.1.5.1.3 SamrConnect2 (Opnum 57)
3.1.5.1.4 SamrConnect (Opnum 0)
3.1.5.1.5 SamrOpenDomain (Opnum 7)
3.1.5.1.6 Common Processing for Group, Alias, and User
3.1.5.1.7 SamrOpenGroup (Opnum 19)
3.1.5.1.8 SamrOpenAlias (Opnum 27)
3.1.5.1.9 SamrOpenUser (Opnum 34)
3.1.5.2 Enumerate Pattern
3.1.5.2.1 SamrEnumerateDomainsInSamServer (Opnum 6)
3.1.5.2.2 Common Processing for Enumeration of Users, Groups, and Aliases
3.1.5.2.3 SamrEnumerateGroupsInDomain (Opnum 11)
3.1.5.2.4 SamrEnumerateAliasesInDomain (Opnum 15)
3.1.5.2.5 SamrEnumerateUsersInDomain (Opnum 13)
3.1.5.3 Selective Enumerate Pattern
3.1.5.3.1 SamrQueryDisplayInformation3 (Opnum 51)
3.1.5.3.2 SamrQueryDisplayInformation2 (Opnum 48)
3.1.5.3.3 SamrQueryDisplayInformation (Opnum 40)
3.1.5.3.4 SamrGetDisplayEnumerationIndex2 (Opnum 49)
3.1.5.3.5 SamrGetDisplayEnumerationIndex (Opnum 41)
3.1.5.4 Create Pattern
3.1.5.4.1 Common Processing for Group and Alias Creation
3.1.5.4.2 SamrCreateGroupInDomain (Opnum 10)
3.1.5.4.3 SamrCreateAliasInDomain (Opnum 14)
3.1.5.4.4 SamrCreateUser2InDomain (Opnum 50)
3.1.5.4.5 SamrCreateUserInDomain (Opnum 12)
3.1.5.5 Query Pattern
3.1.5.5.1 SamrQueryInformationDomain2 (Opnum 46)
3.1.5.5.1.1 DomainGeneralInformation
3.1.5.5.1.2 DomainServerRoleInformation
3.1.5.5.1.3 DomainStateInformation
3.1.5.5.1.4 DomainGeneralInformation2
3.1.5.5.2 SamrQueryInformationDomain (Opnum 8)
3.1.5.5.3 SamrQueryInformationGroup (Opnum 20)
3.1.5.5.3.1 GroupReplicationInformation
3.1.5.5.4 SamrQueryInformationAlias (Opnum 28)
3.1.5.5.5 SamrQueryInformationUser2 (Opnum 47)
3.1.5.5.5.1 Common Processing
3.1.5.5.5.2 UserAllInformation
3.1.5.5.6 SamrQueryInformationUser (Opnum 36)
3.1.5.6 Set Pattern
3.1.5.6.1 SamrSetInformationDomain (Opnum 9)
3.1.5.6.1.1 DomainServerRoleInformation
3.1.5.6.1.2 DomainStateInformation