3.1.5.9.1 SamrGetGroupsForUser (Opnum 39)

The SamrGetGroupsForUser method obtains a listing of groups that a user is a member of.

 long SamrGetGroupsForUser(
   [in] SAMPR_HANDLE UserHandle,
   [out] PSAMPR_GET_GROUPS_BUFFER* Groups
 );

UserHandle: An RPC context handle, as specified in section 2.2.7.2, representing a user object.

Groups: An array of RIDs of the groups that the user referenced by UserHandle is a member of.

This protocol asks the RPC runtime, via the strict_context_handle attribute, to reject the use of context handles created by a method of a different RPC interface than this one, as specified in [MS-RPCE] section 3.

Upon receiving this message, the server MUST process the data from the message subject to the following constraints:

  1. The server MUST return an error if UserHandle.HandleType is not equal to "User".

  2. UserHandle.GrantedAccess MUST have the required access specified in section 3.1.2.2. Otherwise, the server MUST return STATUS_ACCESS_DENIED.

  3. The server MUST determine the union of all database objects that meet the following criteria:

    • They are of class group.

    • Their groupType is GROUP_TYPE_SECURITY_ACCOUNT or GROUP_TYPE_SECURITY_UNIVERSAL.

    • Their member value contains the SID of the user referenced by UserHandle.Object.

    • They are in the same domain as the user referenced by UserHandle.Object.

    The union MUST also contain the group identified by the primaryGroupId attribute of the user that is referenced by UserHandle.Object.

  4. The returned Groups.MembershipCount MUST be set to the cardinality of the union determined from step 3.

  5. For each group in the union determined from step 3, the server MUST set a corresponding element in Groups.Groups as follows:

    1. RelativeId MUST contain the RID of the SID of the dsname member value.

    2. Set the Attributes field according to the message processing rules in section 3.1.5.14.7.
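
The following model of constraints 1 through 5 is an added example, not part of the specification or any Microsoft implementation; it shows which memberships fall inside and outside the returned union. The Obj class, the sample SIDs and RIDs, the ValueError for constraint 1, and the use of USER_LIST_GROUPS as the required access are assumptions, and the Attributes field (section 3.1.5.14.7) is omitted.

```python
from dataclasses import dataclass

GROUP_TYPE_SECURITY_ACCOUNT = 0x80000002    # global security group
GROUP_TYPE_SECURITY_UNIVERSAL = 0x80000008  # universal security group
USER_LIST_GROUPS = 0x00000100  # assumed required access; the page defers to section 3.1.2.2
STATUS_SUCCESS, STATUS_ACCESS_DENIED = 0x00000000, 0xC0000022
DOM = "S-1-5-21-1-2-3"  # constructed domain SID

@dataclass
class Obj:  # hypothetical stand-in for one database object
    sid: str
    object_class: str
    group_type: int = 0
    member: frozenset = frozenset()  # SIDs of direct members
    primary_group_id: int = 0

def split_sid(sid):
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def samr_get_groups_for_user(handle_type, granted_access, user, database):
    if handle_type != "User":  # constraint 1 (the page names no status code)
        raise ValueError("UserHandle does not reference a user object")
    if (granted_access & USER_LIST_GROUPS) != USER_LIST_GROUPS:  # constraint 2
        return STATUS_ACCESS_DENIED, None
    domain, _ = split_sid(user.sid)
    rids = {user.primary_group_id}  # primary group is in the union unconditionally
    for obj in database:  # constraint 3: all four criteria must hold
        obj_domain, obj_rid = split_sid(obj.sid)
        if (obj.object_class == "group"
                and obj.group_type in (GROUP_TYPE_SECURITY_ACCOUNT, GROUP_TYPE_SECURITY_UNIVERSAL)
                and user.sid in obj.member
                and obj_domain == domain):
            rids.add(obj_rid)
    groups = [{"RelativeId": rid} for rid in sorted(rids)]  # constraint 5.1
    return STATUS_SUCCESS, {"MembershipCount": len(groups), "Groups": groups}  # constraint 4

# Constructed sample directory.
ALICE = Obj(DOM + "-1104", "user", primary_group_id=513)
A = frozenset({ALICE.sid})
DATABASE = [
    ALICE,
    Obj(DOM + "-513", "group", GROUP_TYPE_SECURITY_ACCOUNT),  # primary group: not via member
    Obj(DOM + "-1201", "group", GROUP_TYPE_SECURITY_ACCOUNT, A),  # returned
    Obj(DOM + "-1202", "group", GROUP_TYPE_SECURITY_UNIVERSAL, A),  # returned
    Obj(DOM + "-1203", "group", 0x80000004, A),  # domain local: excluded
    Obj(DOM + "-1204", "group", 0x00000002, A),  # distribution: excluded
    Obj("S-1-5-21-9-9-9-1301", "group", GROUP_TYPE_SECURITY_UNIVERSAL, A),  # other domain
    Obj(DOM + "-1205", "group", GROUP_TYPE_SECURITY_ACCOUNT, frozenset({DOM + "-1201"})),  # nested
]
```

Because the criteria match only direct member values on same-domain global and universal security groups, the result is not the user's full effective group set, which matters when this method's output is used for access reviews.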