3.2.5.3 Local Account Policies

Local account policies are set by doing the following:

If the key value is any value other than those listed as valid in the table in section 2.2.1.3, an error SHOULD be logged and the client SHOULD stop processing local account policies.

If the value of the "value" element is not valid for the corresponding key value as specified in the table in section 2.2.1.3, an error SHOULD be logged and the client MUST stop processing local account policies.

If the Key name is "LSAAnonymousNameLookup":

  1. Perform external behavior consistent with locally invoking LsarQuerySecurityObject ([MS-LSAD] section 3.1.4.9.1).

    • The PolicyHandle MUST be set to a policy handle opened by performing external behavior consistent with locally invoking LsarOpenPolicy ([MS-LSAD] section 3.1.4.4.2) with DesiredAccess set to MAXIMUM_ALLOWED ([MS-LSAD] section 2.2.1.1.1).

    • The SecurityInformation MUST be set to DACL_SECURITY_INFORMATION ([MS-LSAD] section 2.2.1.3).

    • The SecurityDescriptor MUST be set to an address of a PLSAR_SR_SECURITY_DESCRIPTOR variable.

  2. Perform external behavior consistent with locally invoking LsarSetSecurityObject.

    • The PolicyHandle MUST be set to a policy handle opened by performing external behavior consistent with locally invoking LsarOpenPolicy ([MS-LSAD] section 3.1.4.4.2) with DesiredAccess set to MAXIMUM_ALLOWED ([MS-LSAD] section 2.2.1.1.1).

    • The SecurityInformation MUST be set to DACL_SECURITY_INFORMATION ([MS-LSAD] section 2.2.1.3).

    • The SecurityDescriptor MUST be a pointer to an LSAR_SR_SECURITY_DESCRIPTOR structure in which the DACL ([MS-DTYP] section 2.4.5) MUST be set to the DACL received from the LsarQuerySecurityObject method in step 1, with an added ACCESS_ALLOWED_ACE ([MS-DTYP] section 2.4.4.2) granting the Anonymous SID ([MS-DTYP] section 2.4.2.4) an access mask set to POLICY_LOOKUP_NAMES ([MS-LSAD] section 2.2.1.1.2).
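The DACL change in step 2 above, as an added example that is not part of [MS-GPSB] or of any Windows implementation: the DACL is modelled as an SDDL string rather than the binary LSAR_SR_SECURITY_DESCRIPTOR, POLICY_LOOKUP_NAMES (0x00000800) and the Anonymous SID (S-1-5-7, SDDL alias AN) are the [MS-LSAD] and SDDL values, and the function skips the append when an equivalent ACE already exists, which is this example's own choice. The accompanying check lets an administrator audit whether a host's LSA policy object already grants anonymous name lookup.

```python
# Added example (not from MS-GPSB / MS-LSAD): models step 2 of the
# LSAAnonymousNameLookup procedure and an audit check for its result.
# The DACL is an SDDL string instead of a binary LSAR_SR_SECURITY_DESCRIPTOR;
# POLICY_LOOKUP_NAMES is the MS-LSAD policy access mask value and "AN" is
# the SDDL alias for the Anonymous SID S-1-5-7. Only hex rights masks are
# handled (letter-code rights such as "GA" are out of scope here).
import re

POLICY_LOOKUP_NAMES = 0x00000800
ANONYMOUS_SIDS = {"AN", "S-1-5-7"}

_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl: str) -> list[dict]:
    """Split an SDDL DACL such as 'D:(A;;0x800;;;AN)' into ACE dicts."""
    if not sddl.startswith("D:"):
        raise ValueError("expected an SDDL DACL starting with 'D:'")
    aces = []
    for body in _ACE_RE.findall(sddl[2:]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inherit_obj, sid = fields
        aces.append({"type": ace_type, "flags": flags,
                     "mask": int(rights, 16), "sid": sid})
    return aces


def anonymous_can_lookup_names(sddl: str) -> bool:
    """Audit: does an ACCESS_ALLOWED_ACE grant Anonymous POLICY_LOOKUP_NAMES?"""
    return any(a["type"] == "A" and a["sid"] in ANONYMOUS_SIDS
               and a["mask"] & POLICY_LOOKUP_NAMES
               for a in parse_dacl(sddl))


def grant_anonymous_lookup(sddl: str) -> str:
    """Step 2 of 3.2.5.3: the DACL queried in step 1 plus one ACCESS_ALLOWED_ACE
    for the Anonymous SID with mask POLICY_LOOKUP_NAMES (no-op if present)."""
    if anonymous_can_lookup_names(sddl):
        return sddl
    return sddl + f"(A;;0x{POLICY_LOOKUP_NAMES:x};;;AN)"
```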

If the Key name is "EnableAdminAccount":

  1. Perform external behavior consistent with locally invoking SamrQueryInformationUser ([MS-SAMR] section 3.1.5.5.6).

    • The UserHandle MUST be set to a user handle obtained by performing external behavior consistent with locally invoking SamrOpenUser ([MS-SAMR] section 3.1.5.1.9) with the following parameters:

      • A DesiredAccess parameter of MAXIMUM_ALLOWED.

      • A UserId parameter of DOMAIN_USER_RID_ADMIN ([MS-SAMR] section 2.2.1.14).

      • A DomainHandle parameter set to a handle to the domain of the current machine, obtained by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5).

    • The UserInformationClass MUST be set to UserControlInformation ([MS-SAMR] section 2.2.6.28).

    • The Buffer MUST be set to the address of a memory buffer large enough to contain a SAMPR_USER_INFO_BUFFER structure ([MS-SAMR] section 2.2.6.29).

  2. Perform external behavior consistent with locally invoking SamrSetInformationUser ([MS-SAMR] section 3.1.5.6.5).

    • The UserHandle MUST be set to a user handle obtained by performing external behavior consistent with locally invoking SamrOpenUser ([MS-SAMR] section 3.1.5.1.9) with the following parameters:

      • A DesiredAccess parameter of MAXIMUM_ALLOWED.

      • A UserId parameter of DOMAIN_USER_RID_ADMIN ([MS-SAMR] section 2.2.1.14).

      • A DomainHandle parameter set to a handle to the domain of the current machine, obtained by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5).

    • The UserInformationClass MUST be set to UserControlInformation ([MS-SAMR] section 2.2.6.28).

    • The buffer MUST be set to the address of a SAMPR_USER_INFO_BUFFER structure whose Control member variable is set according to the following table.

      EnableAdminAccount setting value   SAMPR_USER_INFO_BUFFER Control member value
      --------------------------------   -------------------------------------------
      1 (Enable Admin Account)           Bitwise AND of the Control value received in step 1 and 0xFFFFFFFE
      0 (Disable Admin Account)          Bitwise OR of the Control value received in step 1 and USER_ACCOUNT_DISABLED ([MS-SAMR] section 3.1.5.14.2)

If the Key name is "EnableGuestAccount":

  1. Perform external behavior consistent with locally invoking SamrQueryInformationUser ([MS-SAMR] section 3.1.5.5.6).

    • The UserHandle MUST be set to a user handle obtained by performing external behavior consistent with locally invoking SamrOpenUser ([MS-SAMR] section 3.1.5.1.9) with the following parameters:

      • A DesiredAccess parameter of MAXIMUM_ALLOWED.

      • A UserId parameter of DOMAIN_USER_RID_GUEST ([MS-SAMR] section 2.2.1.14).

      • A DomainHandle parameter set to a handle to the domain of the current machine, obtained by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5).

    • The UserInformationClass MUST be set to UserControlInformation ([MS-SAMR] section 2.2.6.28).

    • The Buffer MUST be set to the address of a memory buffer large enough to contain a SAMPR_USER_INFO_BUFFER structure ([MS-SAMR] section 2.2.6.29).

  2. Perform external behavior consistent with locally invoking SamrSetInformationUser ([MS-SAMR] section 3.1.5.6.5).

    • The UserHandle MUST be set to a user handle obtained by performing external behavior consistent with locally invoking SamrOpenUser ([MS-SAMR] section 3.1.5.1.9) with the following parameters:

      • A DesiredAccess parameter of MAXIMUM_ALLOWED.

      • A UserId parameter of DOMAIN_USER_RID_GUEST ([MS-SAMR] section 2.2.1.14).

      • A DomainHandle parameter set to a handle to the domain of the current machine, obtained by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5).

    • The UserInformationClass MUST be set to UserControlInformation ([MS-SAMR] section 2.2.6.28).

    • The buffer MUST be set to the address of a SAMPR_USER_INFO_BUFFER structure whose Control member variable is set according to the following table.

      EnableGuestAccount setting value   SAMPR_USER_INFO_BUFFER Control member value
      --------------------------------   -------------------------------------------
      1 (Enable Guest Account)           Bitwise AND of the Control value received in step 1 and 0xFFFFFFFE
      0 (Disable Guest Account)          Bitwise OR of the Control value received in step 1 and USER_ACCOUNT_DISABLED ([MS-SAMR] section 3.1.5.14.2)
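The query-then-set Control update that both the EnableAdminAccount and EnableGuestAccount procedures above describe, together with the stop-and-log rules from the opening paragraphs, as an added example that is not part of [MS-GPSB] or of any Windows implementation. It assumes USER_ACCOUNT_DISABLED = 0x00000001 and the well-known RIDs 500 and 501 from [MS-SAMR], replaces the SAM database with an in-memory dict, and uses the logging module in place of the client's event log.

```python
# Added example (not part of [MS-GPSB]): models the two-step Control update
# that this section specifies for EnableAdminAccount and EnableGuestAccount.
# USER_ACCOUNT_DISABLED (0x00000001) and the well-known RIDs 500/501 are the
# [MS-SAMR] values; the SAM database is an in-memory dict so the logic runs
# offline, and logging stands in for the client's error log.
import logging

USER_ACCOUNT_DISABLED = 0x00000001
DOMAIN_USER_RID_ADMIN = 500
DOMAIN_USER_RID_GUEST = 501
KEY_TO_RID = {"EnableAdminAccount": DOMAIN_USER_RID_ADMIN,
              "EnableGuestAccount": DOMAIN_USER_RID_GUEST}

log = logging.getLogger("gpsb.local_account_policies")


class PolicyError(Exception):
    """Raised when the client must stop processing local account policies."""


def new_control_value(setting_value: int, current_control: int) -> int:
    """Apply the Control table of 3.2.5.3 to the value read in step 1."""
    if setting_value == 1:           # Enable: clear bit 0, keep all other flags
        return current_control & 0xFFFFFFFE
    if setting_value == 0:           # Disable: set USER_ACCOUNT_DISABLED
        return current_control | USER_ACCOUNT_DISABLED
    raise PolicyError(f"invalid Enable*Account value {setting_value!r}")


def apply_enable_account(sam: dict, key: str, value: str) -> int:
    """Run step 1 (query Control) and step 2 (set Control) against `sam`,
    a RID -> Control mapping standing in for SamrQueryInformationUser and
    SamrSetInformationUser with UserControlInformation."""
    if key not in KEY_TO_RID:
        log.error("unknown key %r; stopping local account policy processing", key)
        raise PolicyError(key)
    if value not in ("0", "1"):      # only 0 and 1 appear in the section's table
        log.error("invalid value %r for %s; stopping", value, key)
        raise PolicyError(value)
    rid = KEY_TO_RID[key]
    current = sam[rid]               # step 1: SamrQueryInformationUser
    updated = new_control_value(int(value), current)
    sam[rid] = updated               # step 2: SamrSetInformationUser
    return updated
```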

If the Key name is "NewAdministratorName":

Perform external behavior consistent with locally invoking SamrSetInformationUser ([MS-SAMR] section 3.1.5.6.5). If SamrSetInformationUser returns an error, the Group Policy: Security Protocol Extension client MUST stop processing Local Account policies and log an error.

  • The UserHandle MUST be set to a user handle obtained by performing external behavior consistent with locally invoking SamrOpenUser ([MS-SAMR] section 3.1.5.1.9) with the following parameter values:

    • A DesiredAccess parameter of MAXIMUM_ALLOWED.

    • A UserId parameter of DOMAIN_USER_RID_ADMIN ([MS-SAMR] section 2.2.1.14).

    • A DomainHandle parameter set to a handle to the domain of the current machine, obtained by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5).

  • The UserInformationClass MUST be set to UserNameInformation ([MS-SAMR] section 2.2.6.28).

  • The buffer MUST be set to the address of a SAMPR_USER_NAME_INFORMATION structure whose UserName member variable is set to the value of the NewAdministratorName setting.

If the Key name is "NewGuestName":

Perform external behavior consistent with locally invoking SamrSetInformationUser ([MS-SAMR] section 3.1.5.6.5). If SamrSetInformationUser returns an error, the GPSB client MUST stop processing Local Account policies and log an error.

  • The UserHandle MUST be set to a user handle obtained by performing external behavior consistent with locally invoking SamrOpenUser ([MS-SAMR] section 3.1.5.1.9) with the following parameter values:

    • A DesiredAccess parameter of MAXIMUM_ALLOWED.

    • A UserId parameter of DOMAIN_USER_RID_GUEST ([MS-SAMR] section 2.2.1.14).

    • A DomainHandle parameter set to a handle to the domain of the current machine, obtained by performing external behavior consistent with locally invoking SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5).

  • The UserInformationClass MUST be set to UserNameInformation ([MS-SAMR] section 2.2.6.28).

  • The buffer MUST be set to the address of a SAMPR_USER_NAME_INFORMATION structure whose UserName member variable is set to the value of the NewGuestName setting.