4.2.2.3 Server Behavior of the IDL_DSAExecuteScript Method

Informative summary of behavior: The value of the attribute msDS-UpdateScript is executed as a transacted sequence of updates. The RPC call is not authenticated using normal means (that is, it can be performed by an anonymous caller). However, the password value passed by the caller has to match the password that was obtained by a prior call to the IDL_DSAPrepareScript method on the same DC.

 ULONG
 IDL_DSAExecuteScript( 
     [in] handle_t hRpc,
     [in] DWORD dwInVersion,
     [in, ref, switch_is(dwInVersion)]
        DSA_MSG_EXECUTE_SCRIPT_REQ *pmsgIn,
     [out, ref] DWORD *pdwOutVersion,
     [out, ref, switch_is(*pdwOutVersion)] 
        DSA_MSG_EXECUTE_SCRIPT_REPLY *pmsgOut);
  
 pc: DSName
 msgIn: DSA_MSG_EXECUTE_SCRIPT_REQ_V1
  
 /* returned message is version 1 */
 pdwOutVersion^ := 1
  
 pmsgOut^.V1.dwOperationStatus := ERROR_DS_INTERNAL_FAILURE
 pmsgOut^.V1.pwErrMessage := null
  
 /* Validate the version */
 if dwInVersion ≠ 1 then
   return ERROR_INVALID_PARAMETER
 endif
 msgIn := pmsgIn^.V1
  
 /* Only 1 instance of this call can be running. */
 if ExecuteScriptInProgress() then
   pmsgOut^.V1.dwOperationStatus := ERROR_ACCESS_DENIED
   pmsgOut^.V1.pwErrMessage := human-readable description of the error
   return 0
 endif
  
 pc := DescendantObject(ConfigNC(), "CN=Partitions,")
  
 /* Forest functionality level must be Win2K3 or above */
 if pc!msDS-Behavior-Version = null or
    pc!msDS-Behavior-Version < DS_BEHAVIOR_WIN2003 then
   return ERROR_DS_NOT_SUPPORTED
 endif
  
 /* Passwords match? */
 if pc!msDS-ExecuteScriptPassword ≠ msgIn.pbPassword then
   pmsgOut^.V1.dwOperationStatus := ERROR_DS_AUTHORIZATION_FAILED
   pmsgOut^.V1.pwErrMessage := human-readable description of the error
   return 0
 endif
  
 /* Execute and delete the script. */
 pmsgOut^.V1.dwOperationStatus := ExecuteScript(pc)
 if pmsgOut^.V1.dwOperationStatus = 0 then
   /* Script executed successfully. Remove the script value */
   pc!msDS-UpdateScript := null
 else
   pmsgOut^.V1.pwErrMessage := human-readable description of the error
 endif
  
 return 0
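
The check order above as a small runnable Python model, showing that the RPC return value and dwOperationStatus are separate channels and that the script is removed only on success. This is an added example, not part of the specification or of any Microsoft implementation. The names PartitionsModel, execute_script and call_succeeded, the constant-time comparison, and the treatment of an unset password as a mismatch are assumptions of this example; the numeric error codes are the winerror.h values.

```python
import hmac

# Win32 error codes (winerror.h values) and the Win2K3 functional level
ERROR_ACCESS_DENIED = 5
ERROR_INVALID_PARAMETER = 87
ERROR_DS_NOT_SUPPORTED = 8256
ERROR_DS_INTERNAL_FAILURE = 8430
ERROR_DS_AUTHORIZATION_FAILED = 8599
DS_BEHAVIOR_WIN2003 = 2


class PartitionsModel:
    """Hypothetical stand-in for the CN=Partitions object (pc) on one DC."""
    def __init__(self, behavior_version, password, script, script_result=0):
        self.behavior_version = behavior_version  # msDS-Behavior-Version
        self.execute_script_password = password   # msDS-ExecuteScriptPassword
        self.update_script = script               # msDS-UpdateScript
        self.script_result = script_result        # what ExecuteScript(pc) returns
        self.in_progress = False                  # ExecuteScriptInProgress()


def execute_script(pc, in_version, password):
    """Return (rpc_return, dwOperationStatus), following the check order above."""
    status = ERROR_DS_INTERNAL_FAILURE            # default set before any check
    if in_version != 1:
        return ERROR_INVALID_PARAMETER, status
    if pc.in_progress:
        return 0, ERROR_ACCESS_DENIED
    if pc.behavior_version is None or pc.behavior_version < DS_BEHAVIOR_WIN2003:
        return ERROR_DS_NOT_SUPPORTED, status
    # Constant-time compare is this example's choice: the caller may be
    # anonymous, so the password is the only gate before script execution.
    stored = pc.execute_script_password
    if stored is None or not hmac.compare_digest(stored, password):
        return 0, ERROR_DS_AUTHORIZATION_FAILED
    status = pc.script_result
    if status == 0:
        pc.update_script = None                   # removed only on success
    return 0, status


def call_succeeded(rpc_return, op_status):
    """Caller-side check: both the RPC return and dwOperationStatus must be 0."""
    return rpc_return == 0 and op_status == 0
```

A caller or monitor that inspects only the RPC return value would record a password mismatch or a busy DC as success, because both paths return 0 and report the failure in dwOperationStatus.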