3.1.5.3.3 ModifyObject Method (Opnum 8)

The ModifyObject method executes an LDAP command to add, delete, or modify attributes of a specified Active Directory object. The command MUST be executed under machine security credentials, or for a cluster, under the specified network name credentials in order to modify an Active Directory object that has a specific distinguished name and attributes.<56>

 HRESULT ModifyObject(
   [in] BSTR domainControllerName,
   [in] BSTR distinguishedName,
   [in] SAFEARRAY (_AdAttributeData)* attributes,
   [in] BSTR networkNameResourceName
 );

domainControllerName: MUST be the FQDN of the domain controller to which the method sends the LDAP request.

distinguishedName: MUST be the distinguished name of the Active Directory object that is being modified. The distinguished name of any object in Active Directory MAY be used. The format of the distinguished name is specified in [RFC2251] section 4.1.3.<57>

attributes: MUST be the safe array of attributes that are to be added, modified, or deleted.

networkNameResourceName: MUST be the name of the cluster resource (the resource type MUST be "Network Name"). If this parameter is a non-empty string, the server MUST execute the LDAP command under the account that corresponds to this network name. There are no constraints regarding the format of the network name except the requirement that its length be no more than 32,767 characters. Otherwise, if this parameter is NULL or an empty string, the server MUST use the machine account to execute the LDAP command.

Return Values: The method MUST return:

  • Zero on success.

  • For LDAP protocol failures:

    • If the LDAP error is LDAP_OPERATIONS_ERROR, dfsrHelperLdapErrorBase + the server-side error code.

    • For all other LDAP errors, dfsrHelperLdapErrorBase + the LDAP return code. For more information, see [LDAP-ERR].

  • For all other failures, an implementation-specific nonzero HRESULT error code, as specified in [MS-ERREF] section 2.1, between 0x80000000 and 0xFFFFFFFF. For protocol purposes, all nonzero values MUST be treated as equivalent failures.

The server MUST handle this message by using the same sequence of steps as for IADProxy::ModifyObject (as specified in section 3.1.5.2.3), with the following additional step:

  • The server MUST execute the LDAP command under the credentials that correspond to the network resource name that is supplied in the networkNameResourceName parameter.
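The credential-selection rule for networkNameResourceName and the return-value rule above can be modelled as a small server-side decision procedure. The following Python is an added illustration written for this page, not code from the protocol specification or from any Windows implementation: the value of DFSR_HELPER_LDAP_ERROR_BASE is a placeholder (the specification defines dfsrHelperLdapErrorBase elsewhere), the ClusterResource record and the resources dictionary are an assumed model of the cluster's resource table, and the function names are made up for the example. The LDAP result codes used (operationsError = 1, noSuchObject = 32) are the standard LDAP values.

```python
"""Model of IADProxy2::ModifyObject credential selection and return values.

Added example for this page; it is not the specification's or any
implementation's code. Constants marked as placeholders are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# PLACEHOLDER: the specification defines dfsrHelperLdapErrorBase elsewhere;
# this value is only an assumption so the example runs stand-alone.
DFSR_HELPER_LDAP_ERROR_BASE = 0x80040000

# Standard LDAP resultCode values (RFC 4511): operationsError = 1.
LDAP_OPERATIONS_ERROR = 1

# The page constrains the network name only by length: at most 32,767 characters.
MAX_NETWORK_NAME_LEN = 32767

# Resource type string the page requires for the named cluster resource.
NETWORK_NAME_TYPE = "Network Name"


@dataclass(frozen=True)
class ClusterResource:
    """Assumed model of one entry in the cluster resource table."""
    name: str
    resource_type: str


def select_account(network_name_resource_name: Optional[str],
                   resources: Dict[str, ClusterResource]) -> str:
    """Return the identity the server must use for the LDAP command.

    NULL or an empty string selects the machine account; any other value
    must name an existing resource of type "Network Name" whose length is
    within the 32,767-character limit, and selects that network name's
    account. Invalid input raises ValueError so the caller can map it to a
    nonzero HRESULT.
    """
    if network_name_resource_name is None or network_name_resource_name == "":
        return "machine-account"
    if len(network_name_resource_name) > MAX_NETWORK_NAME_LEN:
        raise ValueError("networkNameResourceName exceeds 32,767 characters")
    resource = resources.get(network_name_resource_name)
    if resource is None or resource.resource_type != NETWORK_NAME_TYPE:
        raise ValueError("networkNameResourceName is not a Network Name resource")
    # The command runs under the account that corresponds to this network name.
    return f"network-name-account:{resource.name}"


def map_ldap_result(ldap_return_code: int, server_side_error: int = 0) -> int:
    """Map an LDAP outcome to the method's HRESULT per the return-value rules.

    0 on success; for LDAP_OPERATIONS_ERROR the base plus the server-side
    error code; for every other LDAP error the base plus the LDAP return code.
    """
    if ldap_return_code == 0:
        return 0
    if ldap_return_code == LDAP_OPERATIONS_ERROR:
        return DFSR_HELPER_LDAP_ERROR_BASE + server_side_error
    return DFSR_HELPER_LDAP_ERROR_BASE + ldap_return_code


def is_failure(hresult: int) -> bool:
    """For protocol purposes every nonzero value is an equivalent failure."""
    return hresult != 0


if __name__ == "__main__":
    # Constructed sample resource table for demonstration.
    table = {
        "ClusterNN": ClusterResource("ClusterNN", "Network Name"),
        "ClusterIP": ClusterResource("ClusterIP", "IP Address"),
    }
    print(select_account(None, table))          # machine-account
    print(select_account("ClusterNN", table))   # network-name-account:ClusterNN
    print(hex(map_ldap_result(32)))             # base + noSuchObject (32)
```

The two branches worth noting when reviewing an implementation are that NULL and the empty string are equivalent (both fall back to the machine account) and that a resource of the wrong type must be rejected rather than silently mapped to the machine account, since the identity used for the directory write is the security-relevant outcome of this method.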