4.1.30.2.1 AccessCheckWriteToKeyCredentialLinkAttribute
procedure AccessCheckWriteToKeyCredentialLinkAttribute ( obj: DSName, newValue: boolean) : ULONG
The AccessCheckWriteToKeyCredentialLinkAttribute procedure performs an access check to determine whether the client security context, which MUST be retrieved using the method described in [MS-RPCE] section 3.3.3.4.3, has the right to modify the msDS-KeyCredentialLink attribute of object obj, taking into consideration both regular and extended write property rights.
if AccessCheckAttr(obj, msDS-KeyCredentialLink, RIGHT_DS_WRITE_PROPERTY) then
  return ERROR_SUCCESS
else if AccessCheckAttr(obj, msDS-KeyCredentialLink, RIGHT_DS_WRITE_PROPERTY_EXTENDED) then
  /* Extended write access permits the attribute to be written
   * provided certain constraints are met. */
  isSelf: boolean
  existingValue: boolean

  if (!(computer in obj!objectClass))
    return ERROR_DS_INSUFF_ACCESS_RIGHTS
  endif

  if (obj!ObjectSid = ClientAuthorizationInfo!UserSid)
    isSelf := true
  else
    isSelf := false
  endif

  if (obj!msDS-KeyCredentialLink = NULL)
    existingValue := false
  else
    existingValue := true
  endif

  if (!isSelf && newValue)
    return ERROR_DS_INSUFF_ACCESS_RIGHTS
  endif

  if (newValue && existingValue)
    return ERROR_DS_INSUFF_ACCESS_RIGHTS
  endif

  return ERROR_SUCCESS
endif
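The following added example (not part of the specification) models the procedure's decision logic in Python and enumerates every input combination for a caller that holds only RIGHT_DS_WRITE_PROPERTY_EXTENDED, which makes the constraints on that path easy to audit. Assumptions: the has_write and has_write_ext flags stand in for the two AccessCheckAttr results, the other flags mirror the pseudocode's conditions, the error codes are represented by their names, and None marks the path for which the pseudocode states no return value.

```python
from itertools import product

ERROR_SUCCESS = "ERROR_SUCCESS"
ERROR_DS_INSUFF_ACCESS_RIGHTS = "ERROR_DS_INSUFF_ACCESS_RIGHTS"

def access_check(has_write, has_write_ext, is_computer, is_self,
                 existing_value, new_value):
    """Model of the procedure; the first two flags replace AccessCheckAttr."""
    if has_write:
        return ERROR_SUCCESS
    if has_write_ext:
        if not is_computer:                 # computer not in obj!objectClass
            return ERROR_DS_INSUFF_ACCESS_RIGHTS
        if not is_self and new_value:       # only the object itself may set a value
            return ERROR_DS_INSUFF_ACCESS_RIGHTS
        if new_value and existing_value:    # an existing value cannot be replaced
            return ERROR_DS_INSUFF_ACCESS_RIGHTS
        return ERROR_SUCCESS
    return None  # assumption marker: the pseudocode defines no result here

FIELDS = ("is_computer", "is_self", "existing_value", "new_value")

def extended_only_table():
    """All 16 combinations when only the extended write right is held."""
    rows = []
    for combo in product((False, True), repeat=len(FIELDS)):
        rows.append((dict(zip(FIELDS, combo)),
                     access_check(False, True, *combo)))
    return rows

def allowed(predicate):
    """Rows of the extended-only table that succeed and match predicate."""
    return [row for row, result in extended_only_table()
            if result == ERROR_SUCCESS and predicate(row)]

def allowed_value_writes():
    """Accepted requests in which newValue is true."""
    return allowed(lambda row: row["new_value"])

def allowed_non_self():
    """Accepted requests from a caller whose SID is not the object's SID."""
    return allowed(lambda row: not row["is_self"])

if __name__ == "__main__":
    for row, result in extended_only_table():
        print(" ".join(f"{k}={int(v)}" for k, v in row.items()), "->", result)
```

Under the extended right alone, the only accepted request with newValue true is a computer object writing to itself when msDS-KeyCredentialLink is NULL; every accepted request from a non-self caller has newValue false.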