The samr interface is used to communicate with the SAM (Security Account Manager) subsystem.
On Windows versions before Windows 2000, the samr interface is only available on the samr named pipe endpoint:
```
C:\> ifids -p ncacn_np -e \pipe\samr \\.
Interfaces: 4
[...]
12345778-1234-abcd-ef00-0123456789ac v0.0
[...]
```
In Active Directory domains (and particularly, Active Directory domain controllers), the samr interface is also available (and used) over a TCP endpoint:
```
C:\> ifids -p ncacn_ip_tcp -e 1025 127.0.0.1
Interfaces: 12
[...]
12345778-1234-abcd-ef00-0123456789ac v0.0
[...]
```
During Active Directory domain joins, the creation of computer accounts is implemented with samr operations called on the TCP endpoint of Active Directory domain controllers.
IDL (Interface Definition Language) for the samr interface is available in Samba 4 [55].
Table 4.16. samr operations
| Interface | Operation number | Operation name |
|---|---|---|
| 12345778-1234-abcd-ef00-0123456789ac v1.0: samr | | |
| | 0x00 | SamrConnect |
| | 0x01 | SamrCloseHandle |
| | 0x02 | SamrSetSecurityObject |
| | 0x03 | SamrQuerySecurityObject |
| | 0x04 | SamrShutdownSamServer |
| | 0x05 | SamrLookupDomainInSamServer |
| | 0x06 | SamrEnumerateDomainsInSamServer |
| | 0x07 | SamrOpenDomain |
| | 0x08 | SamrQueryInformationDomain |
| | 0x09 | SamrSetInformationDomain |
| | 0x0a | SamrCreateGroupInDomain |
| | 0x0b | SamrEnumerateGroupsInDomain |
| | 0x0c | SamrCreateUserInDomain |
| | 0x0d | SamrEnumerateUsersInDomain |
| | 0x0e | SamrCreateAliasInDomain |
| | 0x0f | SamrEnumerateAliasesInDomain |
| | 0x10 | SamrGetAliasMembership |
| | 0x11 | SamrLookupNamesInDomain |
| | 0x12 | SamrLookupIdsInDomain |
| | 0x13 | SamrOpenGroup |
| | 0x14 | SamrQueryInformationGroup |
| | 0x15 | SamrSetInformationGroup |
| | 0x16 | SamrAddMemberToGroup |
| | 0x17 | SamrDeleteGroup |
| | 0x18 | SamrRemoveMemberFromGroup |
| | 0x19 | SamrGetMembersInGroup |
| | 0x1a | SamrSetMemberAttributesOfGroup |
| | 0x1b | SamrOpenAlias |
| | 0x1c | SamrQueryInformationAlias |
| | 0x1d | SamrSetInformationAlias |
| | 0x1e | SamrDeleteAlias |
| | 0x1f | SamrAddMemberToAlias |
| | 0x20 | SamrRemoveMemberFromAlias |
| | 0x21 | SamrGetMembersInAlias |
| | 0x22 | SamrOpenUser |
| | 0x23 | SamrDeleteUser |
| | 0x24 | SamrQueryInformationUser |
| | 0x25 | SamrSetInformationUser |
| | 0x26 | SamrChangePasswordUser |
| | 0x27 | SamrGetGroupsForUser |
| | 0x28 | SamrQueryDisplayInformation |
| | 0x29 | SamrGetDisplayEnumerationIndex |
| | 0x2a | SamrTestPrivateFunctionsDomain |
| | 0x2b | SamrTestPrivateFunctionsUser |
| | 0x2c | SamrGetUserDomainPasswordInformation |
| > Windows 2000 | 0x2d | SamrRemoveMemberFromForeignDomain |
| - | 0x2e | SamrQueryInformationDomain2 |
| - | 0x2f | SamrQueryInformationUser2 |
| - | 0x30 | SamrQueryDisplayInformation2 |
| - | 0x31 | SamrGetDisplayEnumerationIndex2 |
| - | 0x32 | SamrCreateUser2InDomain |
| - | 0x33 | SamrQueryDisplayInformation3 |
| - | 0x34 | SamrAddMultipleMembersToAlias |
| - | 0x35 | SamrRemoveMultipleMembersFromAlias |
| - | 0x36 | SamrOemChangePasswordUser2 |
| - | 0x37 | SamrUnicodeChangePasswordUser2 |
| - | 0x38 | SamrGetDomainPasswordInformation |
| - | 0x39 | SamrConnect2 |
| - | 0x3a | SamrSetInformationUser2 |
| - | 0x3b | SamrSetBootKeyInformation |
| - | 0x3c | SamrGetBootKeyInformation |
| - | 0x3d | SamrConnect3 |
| - | 0x3e | SamrConnect4 |
| - | 0x3f | SamrUnicodeChangePasswordUser3 |
| > Windows XP and Windows Server 2003 | 0x40 | SamrConnect5 |
| - | 0x41 | SamrRidToSid |
| - | 0x42 | SamrSetDSRMPassword |
| - | 0x43 | SamrValidatePassword |
| > Windows Vista | 0x44 | SamrQueryLocalizableAccountsInDomain |
| - | 0x45 | SamrPerformGenericOperation |
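
When reviewing captured traffic on either endpoint, the operation number in each DCE/RPC request header can be mapped back to the names in Table 4.16. The sketch below is an added example, not code from the original document or from Samba: `request_opnum`, `describe` and `make_request` are names chosen here, the request is assumed to belong to a presentation context already bound to the samr interface, and the "modify" label is a name-based heuristic of this example.

```python
import struct

# Operation names in opnum order (0x00..0x45) from Table 4.16; "Samr" is re-added below.
_NAMES = """Connect CloseHandle SetSecurityObject QuerySecurityObject ShutdownSamServer
LookupDomainInSamServer EnumerateDomainsInSamServer OpenDomain QueryInformationDomain
SetInformationDomain CreateGroupInDomain EnumerateGroupsInDomain CreateUserInDomain
EnumerateUsersInDomain CreateAliasInDomain EnumerateAliasesInDomain GetAliasMembership
LookupNamesInDomain LookupIdsInDomain OpenGroup QueryInformationGroup SetInformationGroup
AddMemberToGroup DeleteGroup RemoveMemberFromGroup GetMembersInGroup
SetMemberAttributesOfGroup OpenAlias QueryInformationAlias SetInformationAlias DeleteAlias
AddMemberToAlias RemoveMemberFromAlias GetMembersInAlias OpenUser DeleteUser
QueryInformationUser SetInformationUser ChangePasswordUser GetGroupsForUser
QueryDisplayInformation GetDisplayEnumerationIndex TestPrivateFunctionsDomain
TestPrivateFunctionsUser GetUserDomainPasswordInformation RemoveMemberFromForeignDomain
QueryInformationDomain2 QueryInformationUser2 QueryDisplayInformation2
GetDisplayEnumerationIndex2 CreateUser2InDomain QueryDisplayInformation3
AddMultipleMembersToAlias RemoveMultipleMembersFromAlias OemChangePasswordUser2
UnicodeChangePasswordUser2 GetDomainPasswordInformation Connect2 SetInformationUser2
SetBootKeyInformation GetBootKeyInformation Connect3 Connect4 UnicodeChangePasswordUser3
Connect5 RidToSid SetDSRMPassword ValidatePassword QueryLocalizableAccountsInDomain
PerformGenericOperation"""
SAMR_OPS = ["Samr" + n for n in _NAMES.split()]
# Heuristic of this example (not from the page): name fragments implying a state change.
WRITE_VERBS = ("Create", "Delete", "Add", "Remove", "Set", "ChangePassword", "Shutdown")

def request_opnum(pdu):
    """Opnum of a connection-oriented DCE/RPC request PDU, or None for anything else."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != 0:  # rpc_vers 5, PTYPE 0 = request
        return None
    order = "<" if pdu[4] & 0x10 else ">"  # drep[0] high nibble: 1 = little-endian
    return struct.unpack_from(order + "H", pdu, 22)[0]  # opnum follows p_cont_id

def describe(pdu):
    """(opnum, name, kind) for a request assumed to be on a context bound to samr."""
    op = request_opnum(pdu)
    if op is None:
        return None
    if op >= len(SAMR_OPS):
        return (op, "unknown", "unknown")
    name = SAMR_OPS[op]
    return (op, name, "modify" if any(v in name for v in WRITE_VERBS) else "other")

def make_request(opnum, little=True):
    """Constructed sample input: header-only request PDU with no stub data."""
    o = "<" if little else ">"
    return (bytes([5, 0, 0, 3, 0x10 if little else 0, 0, 0, 0])
            + struct.pack(o + "HHIIHH", 24, 0, 1, 0, 0, opnum))
```

For example, `describe(make_request(0x32))` reports SamrCreateUser2InDomain as a modifying call, while opnums above 0x45 are reported as unknown instead of being guessed.
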
To connect to the SAM server, one of the following operations is used:
Then, available domains in the SAM server can be enumerated using the following operation:
The following operation is used to obtain the SID of a domain, given its name:
This operation typically returns the BUILTIN domain (S-1-5-32) and the machine domain (local domain for a non-domain controller machine, NT 4 or Active Directory domain for a domain controller machine).
The domain SID can then be used to open a given domain:
General information about the opened domain can be obtained or set with the following operations:
Once a domain is opened, it is possible to enumerate groups, aliases and users, using the following operations:
RID and name resolution inside an opened domain is implemented by the following operations:
Domain password policies can be obtained with the following operations:
To create a new group, alias or user in the opened domain, the following operations can be used:
To open an existing group, alias or user in the opened domain, the following operations exist:
To delete an existing group, alias or user in the opened domain, the following operations exist:
To obtain a list of members in groups or aliases, the following operations can be used:
To add a member to, or remove a member from, a group or alias, the following operations are available:
For aliases, it is also possible to add or remove multiple members to or from an alias:
To obtain or set information about a given group or alias, the following operations exist:
Similar operations exist for account management:
A list of groups containing a given user can be obtained with the following operation:
Finally, handles returned by the following operations are supposed to be closed, using the SamrCloseHandle (0x01) operation: