3.1.5.13.7 SamrValidatePassword (Opnum 67)

The SamrValidatePassword method validates an application password against the locally stored policy.

 long SamrValidatePassword(
   [in] handle_t Handle,
   [in] PASSWORD_POLICY_VALIDATION_TYPE ValidationType,
   [in, switch_is(ValidationType)] 
     PSAM_VALIDATE_INPUT_ARG InputArg,
   [out, switch_is(ValidationType)] 
     PSAM_VALIDATE_OUTPUT_ARG* OutputArg
 );

Handle: An RPC binding handle parameter, as specified in [C706] section 1.

ValidationType: The password policy validation requested.

InputArg: The password-related material to validate.

OutputArg: The result of the validation.

On receiving this message, the server MUST process the data from the message subject to the following constraints:

  1. The client MUST have SAM_SERVER_LOOKUP_DOMAIN access on the server object and DOMAIN_READ_PASSWORD_PARAMETERS on the account domain object. To implement the SAM_SERVER_LOOKUP_DOMAIN access check, the server MUST internally invoke SamrConnect5 (section 3.1.5.1.1) with DesiredAccess set to SAM_SERVER_LOOKUP_DOMAIN. To implement the DOMAIN_READ_PASSWORD_PARAMETERS access check, the server MUST internally invoke SamrOpenDomain (section 3.1.5.1.5) with ServerHandle set to the handle returned by SamrConnect5, and with DesiredAccess set to DOMAIN_READ_PASSWORD_PARAMETERS. If both calls succeed, the client is granted access.

  2. Let the following symbolic names correspond to the values specified in the table.

    | Symbolic name | Attribute value on the account domain object |
    |---|---|
    | DomainPasswordHistoryLength | pwdHistoryLength |
    | DomainLockoutDuration | lockoutDuration |
    | DomainLockoutObservationWindow | lockOutObservationWindow |
    | DomainLockoutThreshold | lockoutThreshold |
    | DomainMinimumPasswordLength | minPwdLength |
    | DomainMaximumPasswordAge | maxPwdAge |
    | DomainMinimumPasswordAge | minPwdAge |

  3. Any field of OutputArg that is modified MUST cause the associated bit in PresentFields (in the SAM_VALIDATE_PERSISTED_FIELDS structure) to be set according to the following table.

    | Bit | Corresponding field |
    |---|---|
    | SAM_VALIDATE_PASSWORD_LAST_SET | PasswordLastSet |
    | SAM_VALIDATE_BAD_PASSWORD_TIME | BadPasswordTime |
    | SAM_VALIDATE_LOCKOUT_TIME | LockoutTime |
    | SAM_VALIDATE_BAD_PASSWORD_COUNT | BadPasswordCount |
    | SAM_VALIDATE_PASSWORD_HISTORY | PasswordHistoryLength |

  4. Additional constraints in the following sections MUST be satisfied based on the ValidationType input parameter according to the following table. If the ValidationType input parameter does not match a row in the table, an error MUST be returned.

    | ValidationType | Section |
    |---|---|
    | SamValidateAuthentication | 3.1.5.13.7.1 |
    | SamValidatePasswordChange | 3.1.5.13.7.2 |
    | SamValidatePasswordReset | 3.1.5.13.7.3 |
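
An added example, not part of the specification or of any Microsoft implementation: a C sketch of constraints 3 and 4, showing a server-side write that sets its PresentFields bit, a caller that copies back only the flagged fields, and rejection of a ValidationType with no table row. The struct is a simplified stand-in without the history fields; record_bad_password, merge_changed, check_validation_type, demo and ERR_UNKNOWN_VALIDATION_TYPE are hypothetical names, and the numeric bit values and the enumeration starting at 1 come from the type definitions elsewhere in the specification rather than from this page.

```c
#include <stdint.h>
#include <stdio.h>
/* PresentFields bit values as given in the SAM_VALIDATE_PERSISTED_FIELDS definition
   elsewhere in the specification (not on this page); check them against it. */
#define SAM_VALIDATE_PASSWORD_LAST_SET  0x00000001u
#define SAM_VALIDATE_BAD_PASSWORD_TIME  0x00000002u
#define SAM_VALIDATE_LOCKOUT_TIME       0x00000004u
#define SAM_VALIDATE_BAD_PASSWORD_COUNT 0x00000008u
#define ERR_UNKNOWN_VALIDATION_TYPE (-1) /* hypothetical; the page names no code */
typedef enum { SamValidateAuthentication = 1, SamValidatePasswordChange,
               SamValidatePasswordReset } PASSWORD_POLICY_VALIDATION_TYPE;
/* Simplified stand-in for SAM_VALIDATE_PERSISTED_FIELDS; history fields omitted. */
typedef struct {
    uint32_t PresentFields;
    int64_t  PasswordLastSet, BadPasswordTime, LockoutTime;
    uint32_t BadPasswordCount;
} persisted_fields;

/* Constraint 4: a ValidationType with no row in the table is an error. */
int check_validation_type(int vt) {
    return (vt >= SamValidateAuthentication && vt <= SamValidatePasswordReset)
           ? 0 : ERR_UNKNOWN_VALIDATION_TYPE;
}

/* Constraint 3, server side (hypothetical handler): each write sets its bit. */
void record_bad_password(persisted_fields *out, uint32_t prev_count, int64_t now) {
    out->BadPasswordTime  = now;            out->PresentFields |= SAM_VALIDATE_BAD_PASSWORD_TIME;
    out->BadPasswordCount = prev_count + 1; out->PresentFields |= SAM_VALIDATE_BAD_PASSWORD_COUNT;
}

/* Caller side: copy only flagged fields; an unflagged zero means "unchanged". */
void merge_changed(persisted_fields *st, const persisted_fields *ch) {
    if (ch->PresentFields & SAM_VALIDATE_PASSWORD_LAST_SET)  st->PasswordLastSet  = ch->PasswordLastSet;
    if (ch->PresentFields & SAM_VALIDATE_BAD_PASSWORD_TIME)  st->BadPasswordTime  = ch->BadPasswordTime;
    if (ch->PresentFields & SAM_VALIDATE_LOCKOUT_TIME)       st->LockoutTime      = ch->LockoutTime;
    if (ch->PresentFields & SAM_VALIDATE_BAD_PASSWORD_COUNT) st->BadPasswordCount = ch->BadPasswordCount;
    st->PresentFields |= ch->PresentFields;
}

/* Constructed scenario: stored state with two earlier failures, then a third. */
persisted_fields demo(void) {
    persisted_fields stored = { SAM_VALIDATE_PASSWORD_LAST_SET, 1000, 0, 0, 2 }, out = { 0 };
    record_bad_password(&out, stored.BadPasswordCount, 5000);
    merge_changed(&stored, &out);
    return stored;
}
int main(void) {
    persisted_fields s = demo();
    printf("count=%u lastset=%lld present=0x%x\n", s.BadPasswordCount,
           (long long)s.PasswordLastSet, s.PresentFields);
    return check_validation_type(4) == ERR_UNKNOWN_VALIDATION_TYPE ? 0 : 1;
}
```

A caller that copied the whole output structure instead of the flagged fields would overwrite PasswordLastSet with zero in this scenario.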