4.2.2.3 Server Behavior of the IDL_DSAExecuteScript Method
Informative summary of behavior: The value of the attribute msDS-UpdateScript is executed as a transacted sequence of updates. The RPC call is not authenticated using normal means (that is, it can be performed by an anonymous caller). However, the password value passed by the caller has to match the password that was obtained by a prior call to the IDL_DSAPrepareScript method on the same DC.
ULONG IDL_DSAExecuteScript(
  [in] handle_t hRpc,
  [in] DWORD dwInVersion,
  [in, ref, switch_is(dwInVersion)]
    DSA_MSG_EXECUTE_SCRIPT_REQ *pmsgIn,
  [out, ref] DWORD *pdwOutVersion,
  [out, ref, switch_is(*pdwOutVersion)]
    DSA_MSG_EXECUTE_SCRIPT_REPLY *pmsgOut);

pc: DSName
msgIn: DSA_MSG_EXECUTE_SCRIPT_REQ_V1

/* returned message is version 1 */
pdwOutVersion^ := 1
pmsgOut^.V1.dwOperationStatus := ERROR_DS_INTERNAL_FAILURE
pmsgOut^.V1.pwErrMessage := null

/* Validate the version */
if dwInVersion ≠ 1 then
  return ERROR_INVALID_PARAMETER
endif
msgIn := pmsgIn^.V1

/* Only 1 instance of this call can be running. */
if ExecuteScriptInProgress() then
  pmsgOut^.V1.dwOperationStatus := ERROR_ACCESS_DENIED
  pmsgOut^.V1.pwErrMessage := human-readable description of the error
  return 0
endif

pc := DescendantObject(ConfigNC(), "CN=Partitions,")

/* Forest functionality level must be Win2K3 or above */
if pc!msDS-Behavior-Version = null or
    pc!msDS-Behavior-Version < DS_BEHAVIOR_WIN2003 then
  return ERROR_DS_NOT_SUPPORTED
endif

/* Passwords match? */
if pc!msDS-ExecuteScriptPassword ≠ msgIn.pbPassword then
  pmsgOut^.V1.dwOperationStatus := ERROR_DS_AUTHORIZATION_FAILED
  pmsgOut^.V1.pwErrMessage := human-readable description of the error
  return 0
endif

/* Execute and delete the script. */
pmsgOut^.V1.dwOperationStatus := ExecuteScript(pc)
if pmsgOut^.V1.dwOperationStatus = 0 then
  /* Script executed successfully. Remove the script value */
  pc!msDS-UpdateScript := null
else
  pmsgOut^.V1.pwErrMessage := human-readable description of the error
endif

return 0
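The following Python model is an added illustration, not part of the specification: it mirrors the check order above to show that a concurrent call, a password mismatch, and a script failure all return 0 from the method and are reported only in dwOperationStatus, so a caller has to inspect both values. Error codes are carried as symbolic names; Partitions, Reply, execute_script, run_script and succeeded are hypothetical names, and failing closed on an absent stored password and comparing in constant time are choices of this model.

```python
import hmac
from dataclasses import dataclass
from typing import Any, Callable, Optional

SUCCESS = 0
DS_BEHAVIOR_WIN2003 = 2  # forest functional level: Windows Server 2003

@dataclass
class Partitions:  # stand-in for pc, the CN=Partitions object
    behavior_version: Optional[int]            # msDS-Behavior-Version
    execute_script_password: Optional[bytes]   # msDS-ExecuteScriptPassword
    update_script: Optional[str]               # msDS-UpdateScript

@dataclass
class Reply:
    rpc_status: Any = SUCCESS                  # value the method returns
    out_version: int = 1                       # pdwOutVersion^
    operation_status: Any = "ERROR_DS_INTERNAL_FAILURE"  # initial value
    err_message: Optional[str] = None          # pwErrMessage

def execute_script(pc: Partitions, in_version: int, password: bytes,
                   run_script: Callable[[Partitions], Any],
                   in_progress: bool = False) -> Reply:
    reply = Reply()
    if in_version != 1:
        reply.rpc_status = "ERROR_INVALID_PARAMETER"
        return reply
    if in_progress:  # only one instance of the call may run
        reply.operation_status = "ERROR_ACCESS_DENIED"
        reply.err_message = "script execution already in progress"
        return reply
    if pc.behavior_version is None or pc.behavior_version < DS_BEHAVIOR_WIN2003:
        reply.rpc_status = "ERROR_DS_NOT_SUPPORTED"
        return reply
    stored = pc.execute_script_password
    # Model's choices: fail closed if no password is stored, compare in constant time.
    if stored is None or not hmac.compare_digest(stored, password):
        reply.operation_status = "ERROR_DS_AUTHORIZATION_FAILED"
        reply.err_message = "password does not match"
        return reply
    reply.operation_status = run_script(pc)
    if reply.operation_status == SUCCESS:
        pc.update_script = None  # script removed only after success
    else:
        reply.err_message = "script failed"
    return reply

def succeeded(reply: Reply) -> bool:
    """Caller-side check: a zero return alone does not mean the script ran."""
    return reply.rpc_status == SUCCESS and reply.operation_status == SUCCESS
```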