Sunday, June 20, 2010

SAMR4 and SAMR5

Quote from
http://msdn.microsoft.com/en-us/library/fa61e5fc-f8fb-4d5b-9695-c724af0c3829%28v=PROT.10%29#id13

<13> Section 2.2.3.15: There is no supported configuration in which Windows servers of this protocol (for example, a DC) return nonzero values for the SupportedFeatures field. However, Windows clients running Windows XP, Windows Vista, and Windows 7 are implemented to behave as specified earlier. For example, after calling SamrCreateUser2InDomain (section 3.1.5.4.4), Windows NT 4.0–style client applications assume that the RID returned by SamrCreateUser2InDomain can be concatenated with the domainSID in which the user was created to obtain the SID of the newly created user. This assumption limits the server's ability to create SIDs that differ in format from this assumption, and thus limits the number of accounts ever created to 2^32 (the maximum size of an unsigned integer, which is the datatype of a RID). For more information about the extensible structure of SIDs, see [MS-SECO] section 2.3.

To allow servers (in future implementations) to generate SIDs such that the RID is not an unsigned integer (for example, a 64-bit value), the SupportedFeatures value of 1 specifies to the client that the SamrRidToSid method must be called to obtain the SID of a RID value returned from this protocol. In this scenario, the RID returned from the protocol is modeled as a "handle" to the account that SamrRidToSid uses to return the SID value.

win2k - RID --> SamrRidToSid --> SID
Samr Connect 4 (SupportedFeatures = 1)

winxp, vista, win7 - no SamrRidToSid
Samr Connect 5 (SupportedFeatures = 0)
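The NT 4.0-style client assumption from the quoted note (account SID = domain SID with the RID appended as one more 32-bit sub-authority), as an added example that is not part of the original post or of Microsoft's documentation. The domain SID and RID are constructed sample values and the function names are hypothetical.

```python
import struct

MAX_RID = 0xFFFFFFFF   # a RID is an unsigned 32-bit integer
MAX_SUBAUTHS = 15      # limit on sub-authorities in a binary SID

def parse_sid(sid):
    """Split 'S-1-5-21-...' into (revision, authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < (1 << 48):
        raise ValueError("unsupported revision or authority")
    if len(subs) > MAX_SUBAUTHS or any(not 0 <= s <= MAX_RID for s in subs):
        raise ValueError("sub-authority out of range")
    return revision, authority, subs

def sid_to_bytes(sid):
    """Binary SID: revision, count, 6-byte big-endian authority,
    then each sub-authority as a little-endian 32-bit value."""
    revision, authority, subs = parse_sid(sid)
    out = struct.pack("BB", revision, len(subs))
    out += authority.to_bytes(6, "big")
    out += b"".join(struct.pack("<I", s) for s in subs)
    return out

def rid_to_sid_by_concat(domain_sid, rid):
    """What a client does when it does not call SamrRidToSid:
    append the RID to the domain SID. Fails for anything wider than 32 bits,
    which is the limit the quoted note describes."""
    if not 0 <= rid <= MAX_RID:
        raise ValueError("RID does not fit in 32 bits; concatenation is not possible")
    _, _, subs = parse_sid(domain_sid)
    if len(subs) >= MAX_SUBAUTHS:
        raise ValueError("domain SID has no room for a RID")
    return "%s-%d" % (domain_sid, rid)

# Constructed sample values, not taken from any real domain.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_RID = 1105

if __name__ == "__main__":
    user_sid = rid_to_sid_by_concat(SAMPLE_DOMAIN_SID, SAMPLE_RID)
    print(user_sid, sid_to_bytes(user_sid).hex())
```

A RID modeled as an opaque "handle" (for example a 64-bit value) is rejected by `rid_to_sid_by_concat`, which is the case where the server would have to resolve it through SamrRidToSid instead.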
