3.1.1.1 Policy Object Data Model

The policy object contains miscellaneous policy settings. There is one object of this type on the server. This object cannot be deleted, and a new object of this type cannot be created. Its fields, however, can be changed when they adhere to the rules in the specification. The data model is presented here as a collection of structures defined in section 2.2 to ensure that syntax and other consistency rules are met in the data model.<41>

Name                                                  Type
----------------------------------------------------  -------------------------------------
Auditing Log Information                              POLICY_AUDIT_LOG_INFO
Audit Full Information                                POLICY_AUDIT_FULL_QUERY_INFO
Event Auditing Options                                LSAPR_POLICY_AUDIT_EVENTS_INFO
Primary Domain Information                            LSAPR_POLICY_PRIMARY_DOM_INFO
DNS Domain Information (Public)<42>                   LSAPR_POLICY_DNS_DOMAIN_INFO
Account Domain Information                            LSAPR_POLICY_ACCOUNT_DOM_INFO
Server Role Information                               POLICY_LSA_SERVER_ROLE_INFO
Replica Source Information                            LSAPR_POLICY_REPLICA_SRCE_INFO
* Kerberos Policy Information<43>                     POLICY_DOMAIN_KERBEROS_TICKET_INFO
Encrypting File System (EFS) Policy Information<44>   LSAPR_POLICY_DOMAIN_EFS_INFO
Quality of Service Information<45>                    POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO
Security Descriptor                                   LSAPR_SR_SECURITY_DESCRIPTOR
Machine Account Information                           LSAPR_POLICY_MACHINE_ACCT_INFO

* The Kerberos Policy Information abstract data contains the following public ADM elements (whose meaning is described in section 2.2.4.19):

  • AuthenticationOptions (Public): Optional flags that affect validations.

  • MaxServiceTicketAge (Public): The maximum ticket lifetime for a service ticket.

  • MaxTicketAge (Public): The maximum ticket lifetime for a ticket-granting ticket.

  • MaxRenewAge (Public): The maximum renewable lifetime.

  • MaxClockSkew (Public): The acceptable clock skew.

  • Reserved: Reserved for future use.

The server MUST notify the Kerberos protocol [MS-KILE] when any field of the Kerberos Policy Information ADM element is changed; see section 3.1.4.4.8 for more details.
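The following is an added example, not text or code from the specification: it encodes and decodes the POLICY_DOMAIN_KERBEROS_TICKET_INFO structure that backs the Kerberos Policy Information ADM element (one unsigned long followed by five LARGE_INTEGER interval fields in 10^-7 second units, per section 2.2.4.19) and runs a few local sanity checks on the values. The 8-byte alignment padding after AuthenticationOptions follows NDR rules for 64-bit integers; the ordering checks in problems() are defensive practice a server might apply before accepting a policy change, not rules the specification states, and the sample values are constructed.

```python
import struct
from dataclasses import dataclass
from datetime import timedelta

# Interval fields are LARGE_INTEGER values in units of 10^-7 seconds (100 ns),
# as described for POLICY_DOMAIN_KERBEROS_TICKET_INFO in section 2.2.4.19.
TICKS_PER_SECOND = 10_000_000

# The only AuthenticationOptions flag defined in section 2.2.4.19.
POLICY_KERBEROS_VALIDATE_CLIENT = 0x00000080

# NDR layout: a 4-byte unsigned long, 4 bytes of padding so the 8-byte
# hyper fields start on an 8-byte boundary, then five signed 64-bit values.
_NDR_FORMAT = "<I4x5q"
NDR_SIZE = struct.calcsize(_NDR_FORMAT)  # 48 bytes


def seconds(value: float) -> int:
    """Convert a duration in seconds to the structure's 100 ns tick unit."""
    return int(value * TICKS_PER_SECOND)


def to_timedelta(ticks: int) -> timedelta:
    """Convert a 100 ns tick count back to a timedelta for display."""
    return timedelta(microseconds=ticks / 10)


@dataclass
class KerberosTicketInfo:
    authentication_options: int
    max_service_ticket_age: int  # ticks, lifetime of a service ticket
    max_ticket_age: int          # ticks, lifetime of a ticket-granting ticket
    max_renew_age: int           # ticks, renewable lifetime
    max_clock_skew: int          # ticks, tolerated clock skew
    reserved: int = 0            # Reserved for future use

    def to_ndr(self) -> bytes:
        """Serialize to the 48-byte NDR representation."""
        return struct.pack(_NDR_FORMAT, self.authentication_options,
                           self.max_service_ticket_age, self.max_ticket_age,
                           self.max_renew_age, self.max_clock_skew, self.reserved)

    @classmethod
    def from_ndr(cls, data: bytes) -> "KerberosTicketInfo":
        """Parse the 48-byte NDR representation, rejecting wrong-sized input."""
        if len(data) != NDR_SIZE:
            raise ValueError(f"expected {NDR_SIZE} bytes, got {len(data)}")
        return cls(*struct.unpack(_NDR_FORMAT, data))

    def problems(self) -> list[str]:
        """Local sanity checks (added practice, not specification rules)."""
        issues = []
        if self.authentication_options & ~POLICY_KERBEROS_VALIDATE_CLIENT:
            issues.append("AuthenticationOptions has undefined flag bits set")
        for name in ("max_service_ticket_age", "max_ticket_age",
                     "max_renew_age", "max_clock_skew"):
            if getattr(self, name) <= 0:
                issues.append(f"{name} must be positive")
        if self.max_service_ticket_age > self.max_ticket_age:
            issues.append("service ticket lifetime exceeds TGT lifetime")
        if self.max_renew_age < self.max_ticket_age:
            issues.append("renewable lifetime is shorter than TGT lifetime")
        return issues


# Constructed sample values; they are not taken from the specification.
SAMPLE = KerberosTicketInfo(
    authentication_options=POLICY_KERBEROS_VALIDATE_CLIENT,
    max_service_ticket_age=seconds(10 * 3600),
    max_ticket_age=seconds(10 * 3600),
    max_renew_age=seconds(7 * 24 * 3600),
    max_clock_skew=seconds(5 * 60),
)

if __name__ == "__main__":
    wire = SAMPLE.to_ndr()
    back = KerberosTicketInfo.from_ndr(wire)
    print(len(wire), back == SAMPLE, to_timedelta(back.max_renew_age), back.problems())
```

Because the server must notify [MS-KILE] whenever any of these fields changes, a decode-validate-compare step like this is the natural place to decide whether a write actually changed the element before raising that notification.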

The following element also pertains to the Policy Object data model:

  • ComputerNetBIOSName: This ADM element represents the NetBIOS name of the computer. It is shared with the ComputerName.NetBIOS element from [MS-WKST] section 3.2.1.2.

Auditing Log Information is constant information about the state of the auditing system. The server MUST store the following constant information.

  • MaximumLogSize = 8192 for non–domain controllers (DCs)

  • MaximumLogSize = 20480 for domain controllers

  • AuditLogPercentFull = 0

  • AuditRetentionPeriod = 8533315

  • AuditLogFullShutdownInProgress = FALSE

  • TimeToShutdown = 288342

  • NextAuditRecordId = 0

Account Domain Information stores information about the local account domain of the machine. Note that Primary Domain Information is returned to clients who issue LsarQueryInformationPolicy2 messages (section 3.1.4.4.3) with PolicyAccountDomainInformation to a domain controller.

For domain-joined machines, Primary Domain Information and DNS Domain Information store information about the domain to which the machine is joined. If the machine is not joined to a domain, these abstract data elements store information about the workgroup the machine is in.

The value of the Server Role Information ADM element is determined by the following series of calls to the local SAM Remote Protocol implementation:

  1. Invoke SamrConnect ([MS-SAMR] section 3.1.5.1.4), specifying SAM_SERVER_CONNECT for the DesiredAccess parameter.

  2. Invoke SamrLookupDomainInSamServer ([MS-SAMR] section 3.1.5.11.1), specifying the Name field of the Primary Domain Information ADM element for the Name parameter.

  3. Invoke SamrOpenDomain ([MS-SAMR] section 3.1.5.1.5), specifying the ServerHandle that was obtained in step 1, DOMAIN_ALL_ACCESS for the DesiredAccess parameter, and the DomainId that was obtained in step 2.

  4. Invoke SamrQueryInformationDomain2 ([MS-SAMR] section 3.1.5.5.1), specifying the DomainHandle that was obtained in step 3, and DomainServerRoleInformation for the DomainInformationClass parameter.

  5. The value obtained in step 4 is then used for the Server Role Information ADM element. If DomainServerRolePrimary is returned, then PolicyServerRolePrimary is used; if DomainServerRoleBackup is returned, PolicyServerRoleBackup is used.

  6. Call SamrCloseHandle ([MS-SAMR] section 3.1.5.13.1) on the handle from step 3.

  7. Call SamrCloseHandle on the handle from step 1.
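The seven-step procedure above, carried out in Python as an added example (not code from the specification or from any Windows component). The SamServer protocol stands for whatever SAMR binding an implementation uses; FakeSam is a constructed in-memory stand-in so the example runs offline, and the domain name and SID it holds are constructed. Numeric values for SAM_SERVER_CONNECT, DOMAIN_ALL_ACCESS, DomainServerRoleInformation and the two role enumerations are taken from [MS-SAMR] and [MS-LSAD] section 2.2.3.4; the try/finally ordering, which releases the domain handle before the server handle even when a middle step fails, is added practice rather than something the text states.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Protocol

SAM_SERVER_CONNECT = 0x00000001      # [MS-SAMR] access mask for SamrConnect
DOMAIN_ALL_ACCESS = 0x000F07FF       # [MS-SAMR] access mask for SamrOpenDomain
DomainServerRoleInformation = 7      # [MS-SAMR] DOMAIN_INFORMATION_CLASS


class DomainServerRole(IntEnum):     # [MS-SAMR] DOMAIN_SERVER_ROLE
    DomainServerRoleBackup = 2
    DomainServerRolePrimary = 3


class PolicyLsaServerRole(IntEnum):  # [MS-LSAD] POLICY_LSA_SERVER_ROLE
    PolicyServerRoleBackup = 2
    PolicyServerRolePrimary = 3


class SamServer(Protocol):
    """The SAMR calls the procedure needs; a real RPC binding implements these."""
    def SamrConnect(self, desired_access: int) -> int: ...
    def SamrLookupDomainInSamServer(self, server_handle: int, name: str) -> str: ...
    def SamrOpenDomain(self, server_handle: int, desired_access: int, domain_id: str) -> int: ...
    def SamrQueryInformationDomain2(self, domain_handle: int, info_class: int) -> int: ...
    def SamrCloseHandle(self, handle: int) -> None: ...


def determine_server_role(sam: SamServer, primary_domain_name: str) -> PolicyLsaServerRole:
    """Steps 1-7 of section 3.1.1.1; handles are released in reverse order
    even if an intermediate call raises (added practice)."""
    server_handle = sam.SamrConnect(SAM_SERVER_CONNECT)                                  # step 1
    try:
        domain_id = sam.SamrLookupDomainInSamServer(server_handle, primary_domain_name)   # step 2
        domain_handle = sam.SamrOpenDomain(server_handle, DOMAIN_ALL_ACCESS, domain_id)   # step 3
        try:
            role = sam.SamrQueryInformationDomain2(domain_handle, DomainServerRoleInformation)  # step 4
        finally:
            sam.SamrCloseHandle(domain_handle)                                            # step 6
    finally:
        sam.SamrCloseHandle(server_handle)                                                # step 7
    # step 5: map the SAM role onto the LSA policy role
    if role == DomainServerRole.DomainServerRolePrimary:
        return PolicyLsaServerRole.PolicyServerRolePrimary
    if role == DomainServerRole.DomainServerRoleBackup:
        return PolicyLsaServerRole.PolicyServerRoleBackup
    raise ValueError(f"unexpected DOMAIN_SERVER_ROLE value {role!r}")


@dataclass
class FakeSam:
    """Constructed in-memory stand-in for a SAM server; records the call sequence
    and tracks which handles are still open."""
    domains: dict[str, tuple[str, int]]            # name -> (SID, DOMAIN_SERVER_ROLE)
    calls: list[str] = field(default_factory=list)
    open_handles: set[int] = field(default_factory=set)
    handle_to_sid: dict[int, str] = field(default_factory=dict)
    _next: int = 1

    def _new_handle(self) -> int:
        handle, self._next = self._next, self._next + 1
        self.open_handles.add(handle)
        return handle

    def SamrConnect(self, desired_access: int) -> int:
        self.calls.append("SamrConnect")
        return self._new_handle()

    def SamrLookupDomainInSamServer(self, server_handle: int, name: str) -> str:
        self.calls.append("SamrLookupDomainInSamServer")
        if name not in self.domains:
            raise LookupError(f"no such domain: {name}")
        return self.domains[name][0]

    def SamrOpenDomain(self, server_handle: int, desired_access: int, domain_id: str) -> int:
        self.calls.append("SamrOpenDomain")
        handle = self._new_handle()
        self.handle_to_sid[handle] = domain_id
        return handle

    def SamrQueryInformationDomain2(self, domain_handle: int, info_class: int) -> int:
        self.calls.append("SamrQueryInformationDomain2")
        sid = self.handle_to_sid[domain_handle]
        return next(role for s, role in self.domains.values() if s == sid)

    def SamrCloseHandle(self, handle: int) -> None:
        self.calls.append("SamrCloseHandle")
        self.open_handles.remove(handle)


EXPECTED_CALLS = ["SamrConnect", "SamrLookupDomainInSamServer", "SamrOpenDomain",
                  "SamrQueryInformationDomain2", "SamrCloseHandle", "SamrCloseHandle"]


def make_fake(role: int) -> FakeSam:
    # Constructed domain name and SID for the example.
    return FakeSam(domains={"EXAMPLE-DOMAIN": ("S-1-5-21-1-2-3", role)})


if __name__ == "__main__":
    sam = make_fake(DomainServerRole.DomainServerRolePrimary)
    print(determine_server_role(sam, "EXAMPLE-DOMAIN").name, sam.calls, sam.open_handles)
```

Running the procedure against an unknown domain name shows the reason for the nested try/finally: SamrLookupDomainInSamServer fails at step 2, no domain handle exists to close, and the server handle from step 1 is still released before the error propagates.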

Replica Source Information and Encrypting File System (EFS) Policy Information are obsolete abstract data in this version of the protocol. However, an implementation SHOULD support this data for compatibility with previous versions of this protocol.

Audit Full Information and Quality of Service Information are obsolete abstract data in this version of the protocol. An implementation SHOULD choose not to implement this abstract data model.

A security descriptor is used during handle open for access check. The content of this security descriptor is implementation-specific, but a server MUST assign a default security descriptor.<46>

If the responder for this protocol is a domain controller, the values of the implementation-specific instantiation of Event Auditing Options and Kerberos Policy Information abstract data MUST converge between the domain controllers in the same domain.<47> There is no requirement on the length of time to reach convergence.

For domain-joined machines, the Machine Account Information abstract data contains information about the account object in the domain to which the machine is joined.