[MS-SAMR]: Security Account Manager (SAM) Remote Protocol (Client-to-Server)

Intellectual Property Rights Notice for Open Specifications Documentation

- Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages, standards as well as overviews of the interaction among each of these technologies.

- Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you may make copies of it in order to develop implementations of the technologies described in the Open Specifications and may distribute portions of it in your implementations using these technologies or your documentation as necessary to properly document the implementation. You may also distribute in your implementation, with or without modification, any schema, IDL's, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications.

- No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

- Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft Open Specification Promise or the Community Promise. If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting .

- Trademarks. The names of companies and products contained in this documentation may be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit www.microsoft.com/trademarks.

- Fictitious Names. The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications do not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments, you are free to take advantage of them. Certain Open Specifications are intended for use in conjunction with publicly available standard specifications and network programming art, and assume that the reader either is familiar with the aforementioned material or has immediate access to it.

Revision Summary

Date / Revision History / Revision Class / Comments
2/22/2007 / 0.01 / Version 0.01 release
6/1/2007 / 1.0 / Major / Updated and revised the technical content.
7/3/2007 / 2.0 / Major / Added example.
7/20/2007 / 3.0 / Major / Rewrite of keying algorithms; clarification of user account enabling.
8/10/2007 / 3.0.1 / Editorial / Changed language and formatting in the technical content.
9/28/2007 / 3.0.2 / Editorial / Changed language and formatting in the technical content.
10/23/2007 / 3.1 / Minor / Clarified the meaning of the technical content.
11/30/2007 / 3.2 / Minor / Clarified the meaning of the technical content.
1/25/2008 / 4.0 / Major / Updated and revised the technical content.
3/14/2008 / 4.1 / Minor / Clarified the meaning of the technical content.
5/16/2008 / 4.1.1 / Editorial / Changed language and formatting in the technical content.
6/20/2008 / 5.0 / Major / Updated and revised the technical content.
7/25/2008 / 6.0 / Major / Updated and revised the technical content.
8/29/2008 / 7.0 / Major / Updated and revised the technical content.
10/24/2008 / 8.0 / Major / Updated and revised the technical content.
12/5/2008 / 9.0 / Major / Updated and revised the technical content.
1/16/2009 / 10.0 / Major / Updated and revised the technical content.
2/27/2009 / 11.0 / Major / Updated and revised the technical content.
4/10/2009 / 12.0 / Major / Updated and revised the technical content.
5/22/2009 / 13.0 / Major / Updated and revised the technical content.
7/2/2009 / 14.0 / Major / Updated and revised the technical content.
8/14/2009 / 15.0 / Major / Updated and revised the technical content.
9/25/2009 / 16.0 / Major / Updated and revised the technical content.
11/6/2009 / 17.0 / Major / Updated and revised the technical content.
12/18/2009 / 18.0 / Major / Updated and revised the technical content.
1/29/2010 / 19.0 / Major / Updated and revised the technical content.
3/12/2010 / 20.0 / Major / Updated and revised the technical content.
4/23/2010 / 21.0 / Major / Updated and revised the technical content.
6/4/2010 / 22.0 / Major / Updated and revised the technical content.
7/16/2010 / 23.0 / Major / Updated and revised the technical content.
8/27/2010 / 23.1 / Minor / Clarified the meaning of the technical content.
10/8/2010 / 24.0 / Major / Updated and revised the technical content.
11/19/2010 / 25.0 / Major / Updated and revised the technical content.
1/7/2011 / 26.0 / Major / Updated and revised the technical content.
2/11/2011 / 27.0 / Major / Updated and revised the technical content.
3/25/2011 / 28.0 / Major / Updated and revised the technical content.
5/6/2011 / 29.0 / Major / Updated and revised the technical content.
6/17/2011 / 29.1 / Minor / Clarified the meaning of the technical content.
9/23/2011 / 30.0 / Major / Updated and revised the technical content.
12/16/2011 / 31.0 / Major / Updated and revised the technical content.
3/30/2012 / 31.0 / None / No changes to the meaning, language, or formatting of the technical content.
7/12/2012 / 31.1 / Minor / Clarified the meaning of the technical content.
10/25/2012 / 32.0 / Major / Updated and revised the technical content.
1/31/2013 / 33.0 / Major / Updated and revised the technical content.
8/8/2013 / 34.0 / Major / Updated and revised the technical content.
11/14/2013 / 34.0 / None / No changes to the meaning, language, or formatting of the technical content.
2/13/2014 / 34.0 / None / No changes to the meaning, language, or formatting of the technical content.
5/15/2014 / 34.0 / None / No changes to the meaning, language, or formatting of the technical content.
6/30/2015 / 35.0 / Major / Significantly changed the technical content.

Table of Contents

1 Introduction
1.1 Glossary
1.2 References
1.2.1 Normative References
1.2.2 Informative References
1.3 Overview
1.3.1 Object-Based Perspective
1.3.2 Method-Based Perspective
1.4 Relationship to Other Protocols
1.5 Prerequisites/Preconditions
1.6 Applicability Statement
1.7 Versioning and Capability Negotiation
1.7.1 Method Introduction
1.7.2 Method Versioning
1.7.3 Introduction to Information Levels
1.8 Vendor-Extensible Fields
1.9 Standards Assignments
2 Messages
2.1 Transport
2.2 Common Data Types
2.2.1 Constant Value Definitions
2.2.1.1 Common ACCESS_MASK Values
2.2.1.2 Generic ACCESS_MASK Values
2.2.1.3 Server ACCESS_MASK Values
2.2.1.4 Domain ACCESS_MASK Values
2.2.1.5 Group ACCESS_MASK Values
2.2.1.6 Alias ACCESS_MASK Values
2.2.1.7 User ACCESS_MASK Values
2.2.1.8 USER_ALL Values
2.2.1.9 ACCOUNT_TYPE Values
2.2.1.10 SE_GROUP Attributes
2.2.1.11 GROUP_TYPE Codes
2.2.1.12 USER_ACCOUNT Codes
2.2.1.13 UF_FLAG Codes
2.2.1.14 Predefined RIDs
2.2.1.15 STATUS_ Codes
2.2.1.16 Transport Error Code
2.2.1.17 AD ACCESS_MASK
2.2.2 Basic Data Types
2.2.2.1 RPC_STRING, PRPC_STRING
2.2.2.2 OLD_LARGE_INTEGER
2.2.2.3 SID_NAME_USE
2.2.2.4 RPC_SHORT_BLOB
2.2.3 Miscellaneous Protocol-Specific Types
2.2.3.1 PSAMPR_SERVER_NAME
2.2.3.2 SAMPR_HANDLE
2.2.3.3 ENCRYPTED_LM_OWF_PASSWORD, ENCRYPTED_NT_OWF_PASSWORD
2.2.3.4 SAMPR_ULONG_ARRAY
2.2.3.5 SAMPR_SID_INFORMATION
2.2.3.6 SAMPR_PSID_ARRAY
2.2.3.7 SAMPR_PSID_ARRAY_OUT
2.2.3.8 SAMPR_RETURNED_USTRING_ARRAY
2.2.3.9 SAMPR_RID_ENUMERATION
2.2.3.10 SAMPR_ENUMERATION_BUFFER
2.2.3.11 SAMPR_SR_SECURITY_DESCRIPTOR
2.2.3.12 GROUP_MEMBERSHIP
2.2.3.13 SAMPR_GET_GROUPS_BUFFER
2.2.3.14 SAMPR_GET_MEMBERS_BUFFER
2.2.3.15 SAMPR_REVISION_INFO_V1
2.2.3.16 SAMPR_REVISION_INFO
2.2.3.17 USER_DOMAIN_PASSWORD_INFORMATION
2.2.4 Domain Query/Set Data Types
2.2.4.1 Domain Fields
2.2.4.2 DOMAIN_SERVER_ENABLE_STATE
2.2.4.3 DOMAIN_STATE_INFORMATION
2.2.4.4 DOMAIN_SERVER_ROLE
2.2.4.5 DOMAIN_PASSWORD_INFORMATION
2.2.4.6 DOMAIN_LOGOFF_INFORMATION
2.2.4.7 DOMAIN_SERVER_ROLE_INFORMATION
2.2.4.8 DOMAIN_MODIFIED_INFORMATION
2.2.4.9 DOMAIN_MODIFIED_INFORMATION2
2.2.4.10 SAMPR_DOMAIN_GENERAL_INFORMATION
2.2.4.11 SAMPR_DOMAIN_GENERAL_INFORMATION2
2.2.4.12 SAMPR_DOMAIN_OEM_INFORMATION
2.2.4.13 SAMPR_DOMAIN_NAME_INFORMATION
2.2.4.14 SAMPR_DOMAIN_REPLICATION_INFORMATION
2.2.4.15 SAMPR_DOMAIN_LOCKOUT_INFORMATION
2.2.4.16 DOMAIN_INFORMATION_CLASS
2.2.4.17 SAMPR_DOMAIN_INFO_BUFFER
2.2.5 Group Query/Set Data Types
2.2.5.1 Common Group Fields
2.2.5.2 GROUP_ATTRIBUTE_INFORMATION
2.2.5.3 SAMPR_GROUP_GENERAL_INFORMATION
2.2.5.4 SAMPR_GROUP_NAME_INFORMATION
2.2.5.5 SAMPR_GROUP_ADM_COMMENT_INFORMATION
2.2.5.6 GROUP_INFORMATION_CLASS
2.2.5.7 SAMPR_GROUP_INFO_BUFFER
2.2.6 Alias Query/Set Data Types
2.2.6.1 Common Alias Fields
2.2.6.2 SAMPR_ALIAS_GENERAL_INFORMATION
2.2.6.3 SAMPR_ALIAS_NAME_INFORMATION
2.2.6.4 SAMPR_ALIAS_ADM_COMMENT_INFORMATION
2.2.6.5 ALIAS_INFORMATION_CLASS
2.2.6.6 SAMPR_ALIAS_INFO_BUFFER
2.2.7 User Query/Set Data Types
2.2.7.1 Common User Fields
2.2.7.2 USER_PRIMARY_GROUP_INFORMATION
2.2.7.3 USER_CONTROL_INFORMATION
2.2.7.4 USER_EXPIRES_INFORMATION
2.2.7.5 SAMPR_LOGON_HOURS
2.2.7.6 SAMPR_USER_ALL_INFORMATION
2.2.7.7 SAMPR_USER_GENERAL_INFORMATION
2.2.7.8 SAMPR_USER_PREFERENCES_INFORMATION
2.2.7.9 SAMPR_USER_PARAMETERS_INFORMATION
2.2.7.10 SAMPR_USER_LOGON_INFORMATION
2.2.7.11 SAMPR_USER_ACCOUNT_INFORMATION
2.2.7.12 SAMPR_USER_A_NAME_INFORMATION
2.2.7.13 SAMPR_USER_F_NAME_INFORMATION
2.2.7.14 SAMPR_USER_NAME_INFORMATION
2.2.7.15 SAMPR_USER_HOME_INFORMATION
2.2.7.16 SAMPR_USER_SCRIPT_INFORMATION
2.2.7.17 SAMPR_USER_PROFILE_INFORMATION
2.2.7.18 SAMPR_USER_ADMIN_COMMENT_INFORMATION
2.2.7.19 SAMPR_USER_WORKSTATIONS_INFORMATION
2.2.7.20 SAMPR_USER_LOGON_HOURS_INFORMATION
2.2.7.21 SAMPR_ENCRYPTED_USER_PASSWORD
2.2.7.22 SAMPR_ENCRYPTED_USER_PASSWORD_NEW
2.2.7.23 SAMPR_USER_INTERNAL1_INFORMATION
2.2.7.24 SAMPR_USER_INTERNAL4_INFORMATION
2.2.7.25 SAMPR_USER_INTERNAL4_INFORMATION_NEW
2.2.7.26 SAMPR_USER_INTERNAL5_INFORMATION
2.2.7.27 SAMPR_USER_INTERNAL5_INFORMATION_NEW
2.2.7.28 USER_INFORMATION_CLASS
2.2.7.29 SAMPR_USER_INFO_BUFFER
2.2.8 Selective Enumerate Associated Structures
2.2.8.1 Common Selective Enumerate Fields
2.2.8.2 SAMPR_DOMAIN_DISPLAY_USER
2.2.8.3 SAMPR_DOMAIN_DISPLAY_MACHINE
2.2.8.4 SAMPR_DOMAIN_DISPLAY_GROUP
2.2.8.5 SAMPR_DOMAIN_DISPLAY_OEM_USER
2.2.8.6 SAMPR_DOMAIN_DISPLAY_OEM_GROUP
2.2.8.7 SAMPR_DOMAIN_DISPLAY_USER_BUFFER
2.2.8.8 SAMPR_DOMAIN_DISPLAY_MACHINE_BUFFER
2.2.8.9 SAMPR_DOMAIN_DISPLAY_GROUP_BUFFER
2.2.8.10 SAMPR_DOMAIN_DISPLAY_OEM_USER_BUFFER
2.2.8.11 SAMPR_DOMAIN_DISPLAY_OEM_GROUP_BUFFER
2.2.8.12 DOMAIN_DISPLAY_INFORMATION
2.2.8.13 SAMPR_DISPLAY_INFO_BUFFER
2.2.9 SamrValidatePassword Data Types
2.2.9.1 SAM_VALIDATE_PASSWORD_HASH
2.2.9.2 SAM_VALIDATE_PERSISTED_FIELDS
2.2.9.3 SAM_VALIDATE_VALIDATION_STATUS
2.2.9.4 SAM_VALIDATE_STANDARD_OUTPUT_ARG
2.2.9.5 SAM_VALIDATE_AUTHENTICATION_INPUT_ARG
2.2.9.6 SAM_VALIDATE_PASSWORD_CHANGE_INPUT_ARG
2.2.9.7 SAM_VALIDATE_PASSWORD_RESET_INPUT_ARG
2.2.9.8 PASSWORD_POLICY_VALIDATION_TYPE
2.2.9.9 SAM_VALIDATE_INPUT_ARG
2.2.9.10 SAM_VALIDATE_OUTPUT_ARG
2.2.10 Supplemental Credentials Structures
2.2.10.1 USER_PROPERTIES
2.2.10.2 USER_PROPERTY
2.2.10.3 Primary:WDigest - WDIGEST_CREDENTIALS
2.2.10.4 Primary:Kerberos - KERB_STORED_CREDENTIAL
2.2.10.5 KERB_KEY_DATA
2.2.10.6 Primary:Kerberos-Newer-Keys - KERB_STORED_CREDENTIAL_NEW
2.2.10.7 KERB_KEY_DATA_NEW
2.2.10.8 Kerberos Encryption Algorithm Identifiers
2.2.11 Common Algorithms
2.2.11.1 DES-ECB-LM
2.2.11.1.1 Encrypting an NT or LM Hash Value with a Specified Key
2.2.11.1.2 Encrypting a 64-Bit Block with a 7-Byte Key
2.2.11.1.3 Deriving Key1 and Key2 from a Little-Endian, Unsigned Integer Key
2.2.11.1.4 Deriving Key1 and Key2 from a 16-Byte Key
2.3 Directory Service Schema Elements
3 Protocol Details
3.1 Server Details
3.1.1 Abstract Data Model
3.1.1.1 String Handling
3.1.1.2 String Matching
3.1.1.3 Attribute Listing
3.1.1.4 Object Class List
3.1.1.5 Password Settings Attributes for Originating Update Constraints
3.1.1.6 Attribute Constraints for Originating Updates
3.1.1.7 Additional Update Constraints
3.1.1.7.1 General Password Policy
3.1.1.7.2 Cleartext Password Policy
3.1.1.8 Attribute Triggers for Originating Updates
3.1.1.8.1 objectClass
3.1.1.8.2 primaryGroupID
3.1.1.8.3 lockoutTime
3.1.1.8.4 sAMAccountName
3.1.1.8.5 clearTextPassword
3.1.1.8.6 dBCSPwd
3.1.1.8.7 unicodePwd
3.1.1.8.8 pwdLastSet
3.1.1.8.9 member
3.1.1.8.10 userAccountControl
3.1.1.8.11 supplementalCredentials
3.1.1.8.11.1 Processing
3.1.1.8.11.1.1 USER_PROPERTIES Processing
3.1.1.8.11.1.2 USER_PROPERTY Processing
3.1.1.8.11.2 Packages Property
3.1.1.8.11.3 Primary:WDigest Property
3.1.1.8.11.3.1 WDIGEST_CREDENTIALS Construction
3.1.1.8.11.4 Primary:Kerberos Property
3.1.1.8.11.5 Primary:CLEARTEXT Property
3.1.1.8.11.6 Primary:Kerberos-Newer-Keys Property
3.1.1.9 Additional Update Triggers
3.1.1.9.1 Password History Update
3.1.1.9.2 objectSid Value Generation
3.1.1.9.2.1 DC Configuration
3.1.1.9.2.2 Non-DC Configuration
3.1.1.10 SamContextHandle Data Model
3.1.2 Security Model
3.1.2.1 Standard Handle-Based Access Checks
3.1.2.2 AD Access Checks in DC Configuration
3.1.3 Timers
3.1.4 Initialization
3.1.4.1 Default Access
3.1.4.2 Default Accounts
3.1.5 Message Processing Events and Sequencing Rules
3.1.5.1 Open Pattern
3.1.5.1.1 SamrConnect5 (Opnum 64)
3.1.5.1.2 SamrConnect4 (Opnum 62)
3.1.5.1.3 SamrConnect2 (Opnum 57)
3.1.5.1.4 SamrConnect (Opnum 0)
3.1.5.1.5 SamrOpenDomain (Opnum 7)
3.1.5.1.6 Common Processing for Group, Alias, and User
3.1.5.1.7 SamrOpenGroup (Opnum 19)
3.1.5.1.8 SamrOpenAlias (Opnum 27)
3.1.5.1.9 SamrOpenUser (Opnum 34)
3.1.5.2 Enumerate Pattern
3.1.5.2.1 SamrEnumerateDomainsInSamServer (Opnum 6)
3.1.5.2.2 Common Processing for Enumeration of Users, Groups, and Aliases
3.1.5.2.3 SamrEnumerateGroupsInDomain (Opnum 11)
3.1.5.2.4 SamrEnumerateAliasesInDomain (Opnum 15)
3.1.5.2.5 SamrEnumerateUsersInDomain (Opnum 13)
3.1.5.3 Selective Enumerate Pattern
3.1.5.3.1 SamrQueryDisplayInformation3 (Opnum 51)
3.1.5.3.2 SamrQueryDisplayInformation2 (Opnum 48)
3.1.5.3.3 SamrQueryDisplayInformation (Opnum 40)
3.1.5.3.4 SamrGetDisplayEnumerationIndex2 (Opnum 49)
3.1.5.3.5 SamrGetDisplayEnumerationIndex (Opnum 41)
3.1.5.4 Create Pattern
3.1.5.4.1 Common Processing for Group and Alias Creation
3.1.5.4.2 SamrCreateGroupInDomain (Opnum 10)
3.1.5.4.3 SamrCreateAliasInDomain (Opnum 14)
3.1.5.4.4 SamrCreateUser2InDomain (Opnum 50)
3.1.5.4.5 SamrCreateUserInDomain (Opnum 12)
3.1.5.5 Query Pattern
3.1.5.5.1 SamrQueryInformationDomain2 (Opnum 46)
3.1.5.5.1.1 DomainGeneralInformation
3.1.5.5.1.2 DomainServerRoleInformation
3.1.5.5.1.3 DomainStateInformation
3.1.5.5.1.4 DomainGeneralInformation2
3.1.5.5.2 SamrQueryInformationDomain (Opnum 8)
3.1.5.5.3 SamrQueryInformationGroup (Opnum 20)
3.1.5.5.3.1 GroupReplicationInformation
3.1.5.5.4 SamrQueryInformationAlias (Opnum 28)
3.1.5.5.5 SamrQueryInformationUser2 (Opnum 47)
3.1.5.5.5.1 Common Processing
3.1.5.5.5.2 UserAllInformation
3.1.5.5.6 SamrQueryInformationUser (Opnum 36)
3.1.5.6 Set Pattern
3.1.5.6.1 SamrSetInformationDomain (Opnum 9)
3.1.5.6.1.1 DomainServerRoleInformation
3.1.5.6.1.2 DomainStateInformation
3.1.5.6.1.3 DomainPasswordInformation
3.1.5.6.2 SamrSetInformationGroup (Opnum 21)
3.1.5.6.3 SamrSetInformationAlias (Opnum 29)
3.1.5.6.4 SamrSetInformationUser2 (Opnum 58)
3.1.5.6.4.1 Common Processing
3.1.5.6.4.2 UserAllInformation (Common)
3.1.5.6.4.3 UserAllInformation
3.1.5.6.4.4 UserInternal4Information
3.1.5.6.4.5 UserInternal4InformationNew
3.1.5.6.5 SamrSetInformationUser (Opnum 37)
3.1.5.7 Delete Pattern
3.1.5.7.1 SamrDeleteGroup (Opnum 23)
3.1.5.7.2 SamrDeleteAlias (Opnum 30)
3.1.5.7.3 SamrDeleteUser (Opnum 35)
3.1.5.8 Membership Pattern
3.1.5.8.1 SamrAddMemberToGroup (Opnum 22)
3.1.5.8.2 SamrRemoveMemberFromGroup (Opnum 24)
3.1.5.8.3 SamrGetMembersInGroup (Opnum 25)
3.1.5.8.4 SamrAddMemberToAlias (Opnum 31)
3.1.5.8.5 SamrRemoveMemberFromAlias (Opnum 32)
3.1.5.8.6 SamrGetMembersInAlias (Opnum 33)
3.1.5.8.7 SamrRemoveMemberFromForeignDomain (Opnum 45)