Secret Object Data Model

Inside the Local Security Authority (Domain Policy) Remote Protocol database, a secret object is represented by the following pieces of data.



Attribute name



ldapDisplayName ([MS-ADA1] section 2.356)

Security Descriptor


securityIdentifier ([MS-ADA3] section 2.237)

Old Set Time


priorSetTime ([MS-ADA3] section 2.159)

Old Value

binary data

priorValue ([MS-ADA3] section 2.160)

New Set Time


lastSetTime ([MS-ADA1] section 2.353)

New Value

binary data

currentValue ([MS-ADA1] section 2.139)

The Name field uniquely identifies the secret by using a Unicode string. Two different secrets MUST have different names (the comparison is case-sensitive). The Name field MUST be read-only. To be considered valid, the length of the name in bytes MUST be even; it MUST be greater than 0 and less than 0x101. The secret name MUST NOT contain the "\" character. Special values of the Name field indicate secret types. The different secret types are as follows:

  • Global

  • Local

  • Trusted Domain

  • System

The following rules govern secret type assignments.

The term "starts with" literally means "must have a nonzero number of characters following the prefix". Names consisting of only a reserved prefix are invalid.

The following table indicates the secret name pattern and the associated secret type.

Secret name or name pattern

Type of secret

Starts with "G$$"

Trusted domain

Starts with "G$"


Starts with "L$"


Starts with "M$"


Starts with "_sc_"


Starts with "NL$"


Starts with "RasDialParams"


Starts with "RasCredentials"


Equal to "$MACHINE.ACC"


Equal to "SAC"


Equal to "SAI"


Equal to "SANSC"


The type of a secret defines the access and availability boundary for a given secret object.

System Secret: Cannot be accessed by any clients.

Local Secret: Can be accessed only by a client that is on the same machine as the server.

Global Secret: Replicates between domain controllers in the same domain, allowing each domain controller to be able to respond to secret requests of this type.

Trusted Domain Secret: Used with trusted domain objects to store trust passwords. Trusted domain secrets also replicate between domain controllers in the same domain.<48>

The security descriptor field controls access to the secret object. Every secret object in the Local Security Authority (Domain Policy) Remote Protocol database that has Local Secret type MUST have a valid security descriptor. The security descriptor of Local Secret objects can be queried by calling the LsarQuerySecurityObject (section method and changed by calling the LsarSetSecurityObject (section method. The server MUST assign a default security descriptor to every newly created secret object, even if the client did not specify a default value.<49>

The value of a secret is a byte BLOB. Depending on the caller's choices, the server stores 0, 1, or 2 values for the secret, the 2 values being "current" and "previous" and 1 value being either "current" or "previous". Both versions of the secret's value are accompanied by a 64-bit time stamp in Coordinated Universal Time (UTC), sometimes referred to as Greenwich Mean Time, in units of 100 nanoseconds since January 1, 1601.