4.1.30.2.1 AccessCheckWriteToKeyCredentialLinkAttribute

 procedure AccessCheckWriteToKeyCredentialLinkAttribute (
   obj: DSName,
   newValue: boolean) : ULONG

The AccessCheckWriteToKeyCredentialLinkAttribute procedure performs an access check to determine whether the client security context has the right to modify the msDS-KeyCredentialLink attribute of object obj, taking into consideration both regular and extended write property rights. The client security context MUST be retrieved using the method described in [MS-RPCE] section 3.3.3.4.3.

 if AccessCheckAttr(obj,
                    msDS-KeyCredentialLink, 
                    RIGHT_DS_WRITE_PROPERTY) then
   return ERROR_SUCCESS
 else
   if AccessCheckAttr(obj,
                      msDS-KeyCredentialLink,
                      RIGHT_DS_WRITE_PROPERTY_EXTENDED) then
     /* Extended write access permits the attribute to be written
      * provided certain constraints are met. */
  
     isSelf: boolean
     existingValue: boolean
  
     if (!(computer in obj!objectClass))
       return ERROR_DS_INSUFF_ACCESS_RIGHTS
     endif
  
     if (obj!ObjectSid = ClientAuthorizationInfo!UserSid) 
       isSelf := true
     else
       isSelf := false
     endif
     
     if (obj!msDS-KeyCredentialLink = NULL) 
       existingValue := false
     else
       existingValue := true
     endif
     
     if (!isSelf && newValue)
       return ERROR_DS_INSUFF_ACCESS_RIGHTS
     endif
     
     if (newValue && existingValue) 
       return ERROR_DS_INSUFF_ACCESS_RIGHTS
     endif
     return ERROR_SUCCESS
   endif
   /* Neither write right was granted. */
   return ERROR_DS_INSUFF_ACCESS_RIGHTS
 endif
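
The decision logic above modelled in Python, as an added example that is not part of the specification; it enumerates which writes succeed on a computer object when the client holds only the extended write right. The DirObject class, the constructed SIDs, the `granted` set standing in for the AccessCheckAttr results, and the return value for a client holding neither right are assumptions.

```python
from dataclasses import dataclass, field
from itertools import product

ERROR_SUCCESS = 0
ERROR_DS_INSUFF_ACCESS_RIGHTS = 8344  # 0x2098
WRITE = "RIGHT_DS_WRITE_PROPERTY"
WRITE_EXTENDED = "RIGHT_DS_WRITE_PROPERTY_EXTENDED"

# Constructed sample SIDs, not taken from any real domain.
COMPUTER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"
OTHER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

@dataclass
class DirObject:
    """Hypothetical stand-in for the object named by obj."""
    object_sid: str
    object_class: tuple
    key_credential_link: list = field(default_factory=list)

def access_check(obj, new_value, client_sid, granted):
    """granted: rights AccessCheckAttr would report for the client (assumed input)."""
    if WRITE in granted:
        return ERROR_SUCCESS  # regular write property: no further constraints
    if WRITE_EXTENDED not in granted:
        return ERROR_DS_INSUFF_ACCESS_RIGHTS  # assumption: path not shown on the page
    if "computer" not in obj.object_class:
        return ERROR_DS_INSUFF_ACCESS_RIGHTS
    is_self = obj.object_sid == client_sid
    existing_value = bool(obj.key_credential_link)
    if new_value and (not is_self or existing_value):
        return ERROR_DS_INSUFF_ACCESS_RIGHTS
    return ERROR_SUCCESS

def extended_only_matrix():
    """Map (is_self, new_value, existing_value) -> allowed, for a computer
    object when the client holds only the extended write right."""
    classes = ("top", "person", "organizationalPerson", "user", "computer")
    matrix = {}
    for is_self, new_value, existing in product((True, False), repeat=3):
        obj = DirObject(COMPUTER_SID, classes, ["constructed-key"] if existing else [])
        client = COMPUTER_SID if is_self else OTHER_SID
        rc = access_check(obj, new_value, client, {WRITE_EXTENDED})
        matrix[(is_self, new_value, existing)] = rc == ERROR_SUCCESS
    return matrix

if __name__ == "__main__":
    for case, allowed in extended_only_matrix().items():
        print(dict(zip(("is_self", "new_value", "existing_value"), case)), allowed)
```

Of the eight combinations, five succeed: every case with newValue false, plus the single newValue-true case where the computer writes to itself and the attribute is currently empty.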