3.1.5.13.8 SamrValidateComputerAccountReuseAttempt (Opnum 74)

The SamrValidateComputerAccountReuseAttempt method validates whether a client attempt to re-use a given computer account is permitted.<75>

 NTSTATUS
 SamrValidateComputerAccountReuseAttempt(
     [in]  SAMPR_HANDLE ServerHandle,
     [in]  PRPC_SID ComputerSid, 
     [out] BOOL* Result
     );

ServerHandle: An RPC context handle, as specified in section 2.2.7.2, representing a server object.

ComputerSid: A security identifier (SID) value representing a computer object.

Result: The result of the validation.

Upon receiving this message, the server MUST process the message data, subject to the following constraints:

The output parameter Result MUST be set to FALSE when any of the following conditions are met:

  1. The server MUST return STATUS_NOT_SUPPORTED if it is not a domain controller (DC) or if the directory service is not running.

  2. The server MUST return an error if the object with the given ComputerSid does not exist in the database.

  3. The server MUST return STATUS_INVALID_PARAMETER if the object with the given ComputerSid exists in the database but is not a computer object.

  4. The server MUST return STATUS_ACCESS_DENIED if the object with the given ComputerSid has its ntSecurityDescriptor owner field set to a SID that does not exist in the database, or the owner field is empty.

The output parameter Result MUST be set to TRUE when one of the following conditions are met in the order specified below:

  1. When the computer object with the given ComputerSid has its ms-ds-CreatorSid attribute set to the same SID as the SID of the calling client identity.<76>

  2. When the computer object with the given ComputerSid has its ntSecurityDescriptor owner field set to the same SID as the SID of the calling identity.<77>

  3. When the computer object with the given ComputerSid has its ntSecurityDescriptor owner field set to DOMAIN_GROUP_RID_ADMINS, DOMAIN_ALIAS_RID_ADMINS, or DOMAIN_GROUP_RID_ENTERPRISE_ADMINS (see [MS-ADTS] section 2.2.15), the server MUST end processing and return STATUS SUCCESS. 

  4. When the computer object with the given ComputerSid has its ntSecurityDescriptor owner field set to a SID that is a member of any of the groups in section 3.1, the server MUST end processing and return STATUS SUCCESS.

  5. When the computer object with the given ComputerSid has its ntSecurityDescriptor owner field set to a group SID and the calling client identity is a member of this group, the server MUST end processing and return STATUS_SUCCESS.

  6. When the computer object with the given ComputerSid has its ntSecurityDescriptor owner field set to a SID that is directly specified or is a member of a group specified in the ComputerAccountReuseAllowList (section 3.1.1.12), the server MUST end processing and return STATUS_SUCCESS.

  7. When none of these conditions are met, the output parameter Result is set to FALSE and the server MUST return STATUS_SUCCESS.