3.1.1.6 Attribute Constraints for Originating Updates

The following attribute constraints MUST be enforced during originating updates to the database.

The term "previous" refers to the value at the beginning of the transaction before any updates occurred. Unless otherwise specified, other attributes referenced for a particular constraint refer to the attribute on the same object as the attribute whose constraint is currently being satisfied. An exception to this rule is for Password Settings Attributes (section 3.1.1.5).

Unless specifically called out, all failure codes are implementation-specific.

A client implementation MUST treat all failure codes as complete failures of the requested operation unless explicitly noted in this section. The possible status codes used for these explicit return codes are found in section 2.2.1.15.

  1. lockOutObservationWindow MUST be greater than or equal to lockoutDuration; on error, return a failure code. "Greater than", in this context, means a smaller absolute value because both are negative (see the next two constraints).

  2. lockOutObservationWindow MUST be less than or equal to 0; on error, return a failure code.

  3. lockoutDuration MUST be less than or equal to 0; on error, return a failure code.

  4. maxPwdAge MUST be less than or equal to 0; on error, return a failure code.

  5. minPwdAge MUST be less than or equal to 0; on error, return a failure code.

  6. minPwdLength MUST be less than or equal to 256 unless uASCompat is nonzero, in which case minPwdLength MUST be less than or equal to 14; on error, return a failure code.

  7. pwdHistoryLength MUST be less than or equal to 1024; on error, return a failure code.
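Constraints 1 through 7 expressed as a single check, as an added example that is not part of [MS-SAMR] or of any Microsoft implementation. It assumes what Active Directory actually does for these four interval attributes: each is stored as a negative count of 100-nanosecond intervals, which is why constraint 1's "greater than or equal" means the observation window may not be longer in wall-clock terms than the lockout. Attribute names and the dict-shaped input are the only other assumptions.

```python
from typing import Dict, List

# Assumption (matches Active Directory storage): lockOutObservationWindow,
# lockoutDuration, maxPwdAge and minPwdAge are negative counts of 100-ns ticks.
TICKS_PER_SECOND = 10_000_000


def interval_attr(seconds: float) -> int:
    """Encode a wall-clock duration the way these four attributes store it.

    interval_attr(30 * 60) == -18_000_000_000  (a 30-minute window)
    """
    return -int(seconds * TICKS_PER_SECOND)


def check_password_settings(attrs: Dict[str, int]) -> List[str]:
    """Apply constraints 1-7 to a dict of attribute name -> value.

    Returns the numbers of the constraints that fail (empty list == all pass).
    Attributes absent from the dict are not checked; constraint 1 is evaluated
    only when both of its operands are present.
    """
    failed: List[str] = []
    window = attrs.get("lockOutObservationWindow")
    duration = attrs.get("lockoutDuration")

    # 1. window >= duration. Both are <= 0, so this means |window| <= |duration|:
    #    the bad-password observation window cannot outlast the lockout itself.
    if window is not None and duration is not None and not window >= duration:
        failed.append("1")

    # 2-5. All four interval attributes must be non-positive.
    for num, name in (("2", "lockOutObservationWindow"), ("3", "lockoutDuration"),
                      ("4", "maxPwdAge"), ("5", "minPwdAge")):
        if name in attrs and attrs[name] > 0:
            failed.append(num)

    # 6. The minPwdLength ceiling drops to 14 when uASCompat (LAN Manager
    #    compatibility) is nonzero, because LM hashes cover at most 14 characters.
    if "minPwdLength" in attrs:
        ceiling = 14 if attrs.get("uASCompat", 0) != 0 else 256
        if attrs["minPwdLength"] > ceiling:
            failed.append("6")

    # 7. pwdHistoryLength ceiling.
    if attrs.get("pwdHistoryLength", 0) > 1024:
        failed.append("7")
    return failed


if __name__ == "__main__":
    # Constructed sample: a 60-minute window with a 30-minute lockout violates 1.
    sample = {
        "lockOutObservationWindow": interval_attr(60 * 60),
        "lockoutDuration": interval_attr(30 * 60),
        "maxPwdAge": interval_attr(42 * 86400),
        "minPwdAge": interval_attr(86400),
        "minPwdLength": 14,
        "pwdHistoryLength": 24,
        "uASCompat": 1,
    }
    print(check_password_settings(sample))
```

The sign convention is the part that trips up tooling that reads these attributes over LDAP: a policy that looks "larger" in minutes is the numerically smaller (more negative) value, so comparing raw values with the intuitive operator gets constraint 1 backwards.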

  8. sAMAccountName MUST contain at least one non-blank character; on error, return a failure code.

  9. sAMAccountName MUST NOT end with a '.' (period) character; on error, return a failure code.

  10. sAMAccountName MUST NOT contain any of the following characters (shown here as the binary values of UTF-16 encoded characters):

    Characters 0x0000 through 0x001F, inclusive, and the characters in the following table.

    Hexadecimal value   Character encoded
    0x0022              "
    0x002F              /
    0x005C              \
    0x005B              [
    0x005D              ]
    0x003A              :
    0x007C              |
    0x003C              <
    0x003E              >
    0x002B              +
    0x003D              =
    0x003B              ;
    0x003F              ?
    0x002C              ,
    0x002A              *

    On error, return a failure code.

  11. sAMAccountName MUST end with a single '$' (dollar sign) character if the object's userAccountControl attribute contains the bit UF_WORKSTATION_TRUST_ACCOUNT. On error, return a failure code. This modification MUST be allowed if the client is a member of the Domain Administrators group.<28>

  12. sAMAccountName MUST contain less than or equal to 20 characters if the object's objectClass is user; on error, return a failure code.

  13. sAMAccountName MUST contain less than or equal to 256 characters if the object's objectClass is group; on error, return a failure code.

  14. sAMAccountName MUST be the value "krbtgt" (UTF-16 encoded) if the RID of the objectSid attribute is DOMAIN_USER_RID_KRBTGT; on error, return a failure code.

  15. accountExpires MUST be equal to 0 if the RID of the objectSid attribute value is DOMAIN_USER_RID_ADMIN; on error, return a failure code.
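Constraints 8 through 15 as one validator, as an added example that is not part of [MS-SAMR] or of any Microsoft implementation. It assumes the object's objectClass is supplied as the full class chain the directory returns (so a computer object lists both "user" and "computer", and the 20-character limit of constraint 12 applies to it), that the RID has already been extracted from objectSid, and that lengths are counted in UTF-16 code units as the constraints state. The flag and RID values are those from sections 2.2.1.13 and the well-known RIDs referenced above.

```python
from typing import Iterable, List, Optional

UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000   # section 2.2.1.13
DOMAIN_USER_RID_ADMIN = 500
DOMAIN_USER_RID_KRBTGT = 502

# Constraint 10: control characters plus the listed punctuation (UTF-16 code units).
SAM_FORBIDDEN = set(range(0x0000, 0x0020)) | {ord(c) for c in '"/\\[]:|<>+=;?,*'}


def utf16_length(s: str) -> int:
    """Length in UTF-16 code units, which is what the constraints count."""
    return len(s.encode("utf-16-le")) // 2


def check_sam_account_name(name: str, object_classes: Iterable[str], uac: int, rid: int,
                           account_expires: Optional[int] = None,
                           is_domain_admin: bool = False) -> List[str]:
    """Apply constraints 8-15; returns the failing constraint numbers (empty == accepted).

    object_classes: the objectClass chain, e.g.
        ["top", "person", "organizationalPerson", "user", "computer"]
    rid:            the RID of the object's objectSid
    """
    classes = set(object_classes)
    failed: List[str] = []

    if name.strip(" ") == "":                                # 8: some non-blank char
        failed.append("8")
    if name.endswith("."):                                   # 9: no trailing period
        failed.append("9")
    if any(ord(ch) in SAM_FORBIDDEN for ch in name):         # 10: forbidden characters
        failed.append("10")

    # 11: a workstation trust account name ends in exactly one '$'.
    #     Members of Domain Administrators are exempt from this check.
    if uac & UF_WORKSTATION_TRUST_ACCOUNT and not is_domain_admin:
        if not (name.endswith("$") and not name.endswith("$$")):
            failed.append("11")

    if "user" in classes and utf16_length(name) > 20:        # 12
        failed.append("12")
    if "group" in classes and utf16_length(name) > 256:      # 13
        failed.append("13")

    # 14/15: fixed identity of the two most sensitive built-in accounts.
    if rid == DOMAIN_USER_RID_KRBTGT and name != "krbtgt":
        failed.append("14")
    if rid == DOMAIN_USER_RID_ADMIN and account_expires not in (None, 0):
        failed.append("15")
    return failed


if __name__ == "__main__":
    COMPUTER = ["top", "person", "organizationalPerson", "user", "computer"]
    print(check_sam_account_name("WS01$", COMPUTER, UF_WORKSTATION_TRUST_ACCOUNT, 1105))   # []
    print(check_sam_account_name("WS01", COMPUTER, UF_WORKSTATION_TRUST_ACCOUNT, 1105))    # ['11']
```

Note that the length checks must count UTF-16 code units rather than Python code points: a name built from characters outside the Basic Multilingual Plane occupies two code units each, and a validator that uses `len()` would accept names the server rejects.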

  16. logonHours MUST conform to the binary structure of SAMPR_LOGON_HOURS (section 2.2.6.5), and SAMPR_LOGON_HOURS.UnitsPerWeek MUST be less than or equal to 10080 (the number of minutes in a week).

  17. userWorkstations MUST conform to the following constraints, with the value interpreted as a UTF-16 encoded string:

    1. The string MUST be composed of substrings separated by a ',' (comma) character; therefore, a substring cannot contain a comma character. Specifically:

      1. If no comma is present, there is one substring, and it is equal to the string itself.

      2. A comma MUST NOT be the first or final character in the value.

      3. If a comma is present, the first substring MUST be the characters starting from the start of the value to the character just preceding the first comma; the final substring MUST be the characters starting just after the final comma to the final character in the string.

    2. Each substring MUST be less than or equal to 256 characters.

    3. Each substring MUST satisfy at least one of the following conditions:

      1. Satisfy the DNS naming syntax for a full DNS host name, as specified in [RFC1123] section 2.1.

      2. Have a length greater than 1 character and less than or equal to 20 characters, not have a leading or trailing blank character (0x0020), and not contain any of the following characters:

        Characters of the value 0x0000 through 0x001F, inclusive, and the characters in the following table.

        Hexadecimal value   Character encoded
        0x0022              "
        0x002F              /
        0x005C              \
        0x005B              [
        0x005D              ]
        0x003A              :
        0x007C              |
        0x003C              <
        0x003E              >
        0x002B              +
        0x003D              =
        0x003B              ;
        0x003F              ?
        0x002C              ,
        0x002A              *

    4. Any processing error or constraint violation MUST return a failure code.
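A parser for constraint 17, as an added example that is not part of [MS-SAMR] or of any Microsoft implementation. It splits the value on commas, applies the 256-character cap to each substring, and then accepts a substring if it is either an [RFC1123] section 2.1 host name (dot-separated labels of letters, digits and hyphens, no label beginning or ending with a hyphen, labels of at most 63 and the whole name of at most 255 characters, and never the dotted-decimal form of an IP address) or a name satisfying condition 17.3.2. The regular expression and the error strings are this example's own; the forbidden-character set is the one in the table above.

```python
import re
from typing import List

# Constraint 17.3.2 uses the same forbidden set as sAMAccountName (constraint 10).
WS_FORBIDDEN = set(range(0x0000, 0x0020)) | {ord(c) for c in '"/\\[]:|<>+=;?,*'}

# RFC 1123 section 2.1 host name syntax: labels of 1-63 characters from
# letters, digits and '-', not starting or ending with '-', joined by '.'.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DNS_HOST = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
# RFC 1123 excludes the dotted-decimal IP form "#.#.#.#" from host names.
_DOTTED_DECIMAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def utf16_length(s: str) -> int:
    """Length in UTF-16 code units, which is what the constraint counts."""
    return len(s.encode("utf-16-le")) // 2


def is_dns_host_name(s: str) -> bool:
    """Condition 17.3.1."""
    return len(s) <= 255 and bool(_DNS_HOST.match(s)) and not _DOTTED_DECIMAL.match(s)


def is_netbios_style_name(s: str) -> bool:
    """Condition 17.3.2: 2..20 code units, no leading/trailing blank, no forbidden characters."""
    n = utf16_length(s)
    if not 1 < n <= 20:
        return False
    if s[0] == " " or s[-1] == " ":
        return False
    return not any(ord(ch) in WS_FORBIDDEN for ch in s)


def check_user_workstations(value: str) -> List[str]:
    """Apply constraint 17 to a userWorkstations value.

    Returns a list of human-readable violations (empty list == accepted).
    """
    errs: List[str] = []
    if value.startswith(",") or value.endswith(","):              # 17.1.2
        errs.append("comma at start or end of value (17.1.2)")
    for sub in value.split(","):                                   # 17.1: comma is the only separator
        if utf16_length(sub) > 256:                                # 17.2
            errs.append(f"substring longer than 256 characters (17.2): {sub[:20]!r}...")
            continue
        # An empty substring (leading, trailing or doubled comma) satisfies
        # neither condition and is therefore rejected here.
        if not (is_dns_host_name(sub) or is_netbios_style_name(sub)):
            errs.append(f"substring is neither a DNS host name nor a NetBIOS-style name (17.3): {sub!r}")
    return errs


if __name__ == "__main__":
    # Constructed sample values.
    print(check_user_workstations("WS01,host.example.com,MY PC"))   # []
    print(check_user_workstations("WS01,"))                         # two violations
    print(check_user_workstations("pc/1"))                          # one violation
```

Because condition 17.3.2 is an alternative rather than an additional requirement, a substring such as "-lab1" that fails the DNS syntax is still accepted as a NetBIOS-style name; the constraint bounds the character set of the value, it does not guarantee the names resolve to anything.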

  18. primaryGroupId MUST be equal to DOMAIN_GROUP_RID_CONTROLLERS if userAccountControl contains the bit UF_SERVER_TRUST_ACCOUNT; on error, return a failure code.

  19. userAccountControl MUST contain only the following bits, as defined in section 2.2.1.13. Note that constraints in this section further limit the possible variations that are legal.

    Bits

    UF_ACCOUNTDISABLE

    UF_HOMEDIR_REQUIRED

    UF_PASSWD_NOTREQD

    UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED

    UF_NORMAL_ACCOUNT

    UF_INTERDOMAIN_TRUST_ACCOUNT

    UF_WORKSTATION_TRUST_ACCOUNT

    UF_SERVER_TRUST_ACCOUNT

    UF_DONT_EXPIRE_PASSWD

    UF_MNS_LOGON_ACCOUNT

    UF_SMARTCARD_REQUIRED

    UF_TRUSTED_FOR_DELEGATION

    UF_NOT_DELEGATED

    UF_USE_DES_KEY_ONLY

    UF_DONT_REQUIRE_PREAUTH

    UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

    UF_NO_AUTH_DATA_REQUIRED

    UF_PARTIAL_SECRETS_ACCOUNT

    UF_USE_AES_KEYS

  20. userAccountControl MUST contain one and only one of the following bits, as defined in section 2.2.1.13; on error, return a failure code.

    Bits

    UF_NORMAL_ACCOUNT

    UF_INTERDOMAIN_TRUST_ACCOUNT

    UF_WORKSTATION_TRUST_ACCOUNT

    UF_SERVER_TRUST_ACCOUNT

  21. An existing userAccountControl attribute SHOULD NOT be modified such that the UF_WORKSTATION_TRUST_ACCOUNT bit is removed and the UF_NORMAL_ACCOUNT bit is added, or vice-versa; on error, return a failure code. This modification, however, MUST be allowed if the client is a member of the Domain Administrators group.<29>

  22. userAccountControl MUST NOT contain the UF_ACCOUNTDISABLE bit if the RID of objectSid has the value DOMAIN_USER_RID_ADMIN or DOMAIN_USER_RID_KRBTGT; on error, return a failure code.

  23. objectClass MUST be of type computer or derived from computer if userAccountControl contains the following bit: UF_SERVER_TRUST_ACCOUNT.

  24. objectClass MUST be of type computer or derived from type computer if the userAccountControl attribute contains the following bit: UF_WORKSTATION_TRUST_ACCOUNT. On error, return a failure code. This modification MUST be allowed if the client is a member of the Domain Administrators group.<30>
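Constraints 18 through 24 as a single check over a proposed userAccountControl value, as an added example that is not part of [MS-SAMR] or of any Microsoft implementation. The bit values are those of section 2.2.1.13 (the same values as the ADS_UF_* flags); DOMAIN_GROUP_RID_CONTROLLERS, DOMAIN_USER_RID_ADMIN and DOMAIN_USER_RID_KRBTGT are the well-known RIDs 516, 500 and 502. The example assumes the "previous" value (the value at the start of the transaction) is passed in by the caller, that objectClass is supplied as the full class chain, and that the caller has already established whether the client is a member of Domain Administrators.

```python
from typing import Iterable, List, Optional

# Flag values from section 2.2.1.13.
UF_ACCOUNTDISABLE = 0x00000002
UF_HOMEDIR_REQUIRED = 0x00000008
UF_LOCKOUT = 0x00000010                     # not in the allowed set: server-computed
UF_PASSWD_NOTREQD = 0x00000020
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080
UF_NORMAL_ACCOUNT = 0x00000200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x00000800
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_MNS_LOGON_ACCOUNT = 0x00020000
UF_SMARTCARD_REQUIRED = 0x00040000
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_NOT_DELEGATED = 0x00100000
UF_USE_DES_KEY_ONLY = 0x00200000
UF_DONT_REQUIRE_PREAUTH = 0x00400000
UF_PASSWORD_EXPIRED = 0x00800000            # not in the allowed set: server-computed
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000
UF_NO_AUTH_DATA_REQUIRED = 0x02000000
UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000
UF_USE_AES_KEYS = 0x08000000

# Constraint 20: exactly one of these.
ACCOUNT_TYPE_BITS = (UF_NORMAL_ACCOUNT | UF_INTERDOMAIN_TRUST_ACCOUNT
                     | UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)
# Constraint 19: the complete permitted set.
ALLOWED_UAC_BITS = (UF_ACCOUNTDISABLE | UF_HOMEDIR_REQUIRED | UF_PASSWD_NOTREQD
                    | UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED | ACCOUNT_TYPE_BITS
                    | UF_DONT_EXPIRE_PASSWD | UF_MNS_LOGON_ACCOUNT | UF_SMARTCARD_REQUIRED
                    | UF_TRUSTED_FOR_DELEGATION | UF_NOT_DELEGATED | UF_USE_DES_KEY_ONLY
                    | UF_DONT_REQUIRE_PREAUTH | UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
                    | UF_NO_AUTH_DATA_REQUIRED | UF_PARTIAL_SECRETS_ACCOUNT | UF_USE_AES_KEYS)

DOMAIN_USER_RID_ADMIN = 500
DOMAIN_USER_RID_KRBTGT = 502
DOMAIN_GROUP_RID_CONTROLLERS = 516


def check_user_account_control(new_uac: int, previous_uac: Optional[int],
                               object_classes: Iterable[str], primary_group_id: int,
                               rid: int, is_domain_admin: bool = False) -> List[str]:
    """Apply constraints 18-24; returns the failing constraint numbers (empty == accepted).

    previous_uac is the value at the start of the transaction (None when the
    object is being created, so constraint 21 does not apply).
    """
    classes = set(object_classes)
    failed: List[str] = []

    # 18: a domain controller account's primary group is Domain Controllers.
    if new_uac & UF_SERVER_TRUST_ACCOUNT and primary_group_id != DOMAIN_GROUP_RID_CONTROLLERS:
        failed.append("18")
    # 19: no bits outside the permitted set (UF_LOCKOUT and UF_PASSWORD_EXPIRED
    #     are computed by the server and cannot be written this way).
    if new_uac & ~ALLOWED_UAC_BITS:
        failed.append("19")
    # 20: exactly one account-type bit.
    if bin(new_uac & ACCOUNT_TYPE_BITS).count("1") != 1:
        failed.append("20")
    # 21: no flip between workstation-trust and normal-account, unless Domain Admins.
    if previous_uac is not None and not is_domain_admin:
        pair = (UF_WORKSTATION_TRUST_ACCOUNT, UF_NORMAL_ACCOUNT)
        before = previous_uac & (pair[0] | pair[1])
        after = new_uac & (pair[0] | pair[1])
        if before in pair and after in pair and before != after:
            failed.append("21")
    # 22: Administrator (500) and krbtgt (502) may never be disabled through this path.
    if new_uac & UF_ACCOUNTDISABLE and rid in (DOMAIN_USER_RID_ADMIN, DOMAIN_USER_RID_KRBTGT):
        failed.append("22")
    # 23/24: trust-account bits belong on computer objects; 24 is waived for Domain Admins.
    if new_uac & UF_SERVER_TRUST_ACCOUNT and "computer" not in classes:
        failed.append("23")
    if new_uac & UF_WORKSTATION_TRUST_ACCOUNT and "computer" not in classes and not is_domain_admin:
        failed.append("24")
    return failed
```

These constraints are structural only: a value such as UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH or UF_NORMAL_ACCOUNT | UF_TRUSTED_FOR_DELEGATION passes every one of them, so an implementer or auditor must not read "accepted by 3.1.1.6" as "safe"; whether a given bit should be set on a given account is a policy decision the access checks of section 3.1.5 and the domain's own rules have to make.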

  25. unicodePwd MUST be exactly 16 bytes in length or not present.

  26. dBCSPwd MUST be exactly 16 bytes in length or not present.

  27. lmPwdHistory MUST have the following binary format:

    1. The length MUST be a multiple of 16 bytes.

    2. If a value is present, the first 16 bytes MUST be equal to the current value of dBCSPwd.

  28. ntPwdHistory MUST have the following binary format:

    1. The length MUST be a multiple of 16 bytes.

    2. If a value is present, the first 16 bytes MUST be equal to the current value of unicodePwd.

  29. groupType MUST contain only bits specified in section 2.2.1.11.

  30. groupType MUST NOT contain GROUP_TYPE_UNIVERSAL if the account domain is in mixed mode.

  31. groupType MUST NOT be changed after it has been added if the account domain is in mixed mode.