Requirements for Network Management Functions on Active Directory Domain Controllers
If you call one of the network management functions listed in this topic on a domain controller running Active Directory, access to a securable object is allowed or denied based on the access-control list (ACL) for the object. (ACLs are specified in the directory.)
Different access requirements apply to information queries and information updates.
Queries
For queries, the default ACL permits all authenticated users and members of the "Pre-Windows 2000 compatible access" group to read and enumerate information. The following functions are affected:
- NetGroupEnum, NetGroupGetInfo, NetGroupGetUsers
- NetLocalGroupEnum, NetLocalGroupGetInfo, NetLocalGroupGetMembers
- NetQueryDisplayInformation
- NetSessionGetInfo (levels 1 and 2 only)
- NetShareEnum (levels 2 and 502 only)
- NetUserEnum, NetUserGetGroups, NetUserGetInfo, NetUserGetLocalGroups, NetUserModalsGet
- NetWkstaGetInfo, NetWkstaUserEnum
Anonymous access to group information requires that the user Anonymous be explicitly added to the "Pre-Windows 2000 compatible access" group. This is because anonymous tokens do not include the SID of the Everyone group.
Windows 2000: By default, the "Pre-Windows 2000 compatible access" group includes Everyone as a member. This enables anonymous access (Anonymous Logon) to information if the system allows anonymous access. Administrators can remove Everyone from the "Pre-Windows 2000 Compatible Access" group at any time. Removing Everyone from the group restricts information access to authenticated users only. For more information about anonymous access, see Security Identifiers and Well-Known SIDs.
You can override the system default by setting the following registry value to 1 (with this set, anonymous tokens include the Everyone SID, so anonymous callers are covered by any access granted to Everyone):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous = 1
See NetWkstaGetInfo and NetWkstaUserEnum for additional information about anonymous access to group information when calling these two functions.
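The two settings above (membership of the "Pre-Windows 2000 compatible access" group and EveryoneIncludesAnonymous) decide whether anonymous callers can enumerate accounts through these functions. As an added example that is not part of the original documentation, the following PowerShell script audits both on a domain controller. It assumes the ActiveDirectory module is installed, and uses the well-known SIDs S-1-1-0 (Everyone), S-1-5-7 (Anonymous Logon) and S-1-5-32-554 (BUILTIN\Pre-Windows 2000 Compatible Access).

```powershell
# Added audit example (not from the original page). Run on a domain controller
# as a user allowed to read group membership and the Lsa registry key.
Import-Module ActiveDirectory -ErrorAction Stop

$EveryoneSid      = 'S-1-1-0'
$AnonymousSid     = 'S-1-5-7'
$PreWin2kGroupSid = 'S-1-5-32-554'

# Read the raw member attribute and resolve each DN to its SID. Foreign
# security principals such as Everyone live under CN=ForeignSecurityPrincipals
# and resolve cleanly this way, whereas Get-ADGroupMember can fail on them.
$group = Get-ADGroup -Identity $PreWin2kGroupSid -Properties member
$memberSids = foreach ($dn in $group.member) {
    [string](Get-ADObject -Identity $dn -Properties objectSid).objectSid
}

$findings = @()
if ($memberSids -contains $EveryoneSid) {
    $findings += "Everyone ($EveryoneSid) is a member of '$($group.Name)': read/enumerate access is granted to every token that carries the Everyone SID."
}
if ($memberSids -contains $AnonymousSid) {
    $findings += "Anonymous Logon ($AnonymousSid) is a member of '$($group.Name)': anonymous callers can read group information directly."
}

# EveryoneIncludesAnonymous = 1 puts the Everyone SID into anonymous tokens,
# so an Everyone membership above also applies to anonymous callers.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name EveryoneIncludesAnonymous -ErrorAction SilentlyContinue
if ($null -ne $lsa -and $lsa.EveryoneIncludesAnonymous -eq 1) {
    $findings += 'EveryoneIncludesAnonymous = 1: anonymous tokens include the Everyone SID.'
}

if ($findings.Count -eq 0) {
    Write-Output "OK: '$($group.Name)' contains neither Everyone nor Anonymous Logon, and EveryoneIncludesAnonymous is not set to 1."
} else {
    Write-Output "Settings that widen read access to account information on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it on each domain controller; the registry value is per machine, while the group membership is domain-wide.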
Updates
For updates, the default ACL permits only Domain Administrators and Account Operators to write information. One exception is that users can change their own password and set the usri*_usr_comment field. Another exception is that Account Operators cannot modify administration accounts. The following functions are affected:
- NetGroupAdd, NetGroupAddUser, NetGroupDel, NetGroupDelUser, NetGroupSetInfo, NetGroupSetUsers
- NetLocalGroupAdd, NetLocalGroupAddMembers, NetLocalGroupDel, NetLocalGroupDelMembers, NetLocalGroupSetInfo, NetLocalGroupSetMembers
- NetMessageBufferSend
- NetUserAdd, NetUserChangePassword, NetUserDel, NetUserModalsSet, NetUserSetGroups, NetUserSetInfo
Typically, callers must have write access to the entire object for calls to NetUserModalsSet, NetUserSetInfo, NetGroupSetInfo and NetLocalGroupSetInfo to succeed. For finer access control, you should consider using ADSI. For more information about ADSI, see Active Directory Service Interfaces.
For more information about controlling access to securable objects, see Access Control, Privileges, and Securable Objects. For more information about calling functions that require administrator privileges, see Running with Special Privileges.