3.1.5.4.1 Common Processing for Group and Alias Creation

This section specifies message processing that is common for SamrCreateAliasInDomain and SamrCreateGroupInDomain. The explanation of each method specifies a groupType attribute to use during group and alias creation, and a section containing valid access mask values; these values are referred to in this section by the terms Provided-Group-Type and Provided-Access-Mask-Section.

Upon receiving this message, the server MUST process the data from the message, subject to the following constraints:

  1. The server MUST return an error if DomainHandle.HandleType is not equal to "Domain".

  2. DomainHandle.GrantedAccess MUST have the required access specified in section 3.1.2.2. Otherwise, the server MUST return STATUS_ACCESS_DENIED.

  3. If DomainHandle.Object refers to the built-in domain, the server MUST abort the request and return a failure code.

  4. All updates caused by this request MUST be performed in the same transaction.

  5. On successful completion of this method, a new database object MUST be created (subsequent constraints specify attributes for this new object).

  6. The following database attribute MUST be updated from the values provided in the message per the following table.

     Database attribute     Message input
     -------------------    -------------
     sAMAccountName         Name

  7. The distinguishedName database attribute MUST be updated with a value that conforms to the constraints as specified in section 3.1.5.14.1.

  8. The objectClass database attribute MUST be updated with the value group.

  9. The groupType database attribute MUST be updated with the value Provided-Group-Type.

  10. The security model for object creation specified in [MS-ADTS] section 5.1.3 MUST be adhered to.

  11. Granted access MUST be set to DesiredAccess if DesiredAccess contains only valid access masks, according to Provided-Access-Mask-Section and section 2.2.1.1 (common Access Masks); otherwise, the request MUST be aborted and STATUS_ACCESS_DENIED MUST be returned.

  12. If DesiredAccess contains the ACCESS_SYSTEM_SECURITY bit, the client's token MUST be retrieved using the method described in [MS-RPCE] section 3.3.3.4.3. The RpcImpersonationAccessToken.Privileges[] field MUST have the SE_SECURITY_NAME privilege (defined in [MS-LSAD] section 3.1.1.2.1). Otherwise, the server MUST abort processing and return STATUS_ACCESS_DENIED.
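The constraints above (handle checks, access-mask validation, and the ACCESS_SYSTEM_SECURITY privilege requirement) as an added example for SamrCreateGroupInDomain; this is illustrative code, not part of MS-SAMR or any server implementation. The mask and status values are my assumptions taken from other MS-SAMR/MS-ERREF sections, the DomainHandle fields and the status codes used for the unspecified "error"/"failure code" in constraints 1 and 3 are my own choices.

```python
from dataclasses import dataclass

# Assumed values (not stated in this section): NTSTATUS codes from [MS-ERREF],
# access masks from MS-SAMR sections 2.2.1.1, 2.2.1.4 and 2.2.1.5.
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INVALID_HANDLE = 0xC0000008   # chosen for constraint 1 ("an error")
STATUS_UNSUCCESSFUL = 0xC0000001     # chosen for constraint 3 ("a failure code")
ACCESS_SYSTEM_SECURITY = 0x01000000
COMMON_ACCESS_MASKS = (0x00010000 | 0x00020000 | 0x00040000 | 0x00080000  # DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER
                       | ACCESS_SYSTEM_SECURITY | 0x02000000              # MAXIMUM_ALLOWED
                       | 0x10000000 | 0x20000000 | 0x40000000 | 0x80000000)  # GENERIC_ALL/EXECUTE/WRITE/READ
GROUP_SPECIFIC_MASKS = 0x0000001F    # GROUP_READ_INFORMATION .. GROUP_LIST_MEMBERS (Provided-Access-Mask-Section)
DOMAIN_CREATE_GROUP = 0x00000020     # access required on DomainHandle for group creation
SE_SECURITY_NAME = "SeSecurityPrivilege"


@dataclass
class DomainHandle:
    """Minimal model of the server-side handle object (field names are assumptions)."""
    handle_type: str
    granted_access: int
    is_builtin_domain: bool


def check_create_group(handle, desired_access, token_privileges):
    """Apply constraints 1-3, 11 and 12. Returns (status, granted_access); granted_access is 0 on failure."""
    if handle.handle_type != "Domain":                        # constraint 1
        return STATUS_INVALID_HANDLE, 0
    if handle.granted_access & DOMAIN_CREATE_GROUP == 0:      # constraint 2
        return STATUS_ACCESS_DENIED, 0
    if handle.is_builtin_domain:                              # constraint 3
        return STATUS_UNSUCCESSFUL, 0
    valid = GROUP_SPECIFIC_MASKS | COMMON_ACCESS_MASKS
    if desired_access & ~valid & 0xFFFFFFFF:                  # constraint 11: any bit outside the two valid sets
        return STATUS_ACCESS_DENIED, 0
    if desired_access & ACCESS_SYSTEM_SECURITY and SE_SECURITY_NAME not in token_privileges:
        return STATUS_ACCESS_DENIED, 0                        # constraint 12: SACL access needs the privilege
    return STATUS_SUCCESS, desired_access                     # granted access equals DesiredAccess


if __name__ == "__main__":
    h = DomainHandle("Domain", DOMAIN_CREATE_GROUP, False)     # constructed sample handle
    print(hex(check_create_group(h, 0x20001 | ACCESS_SYSTEM_SECURITY, set())[0]))  # STATUS_ACCESS_DENIED
```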