4.9.2. samr interface

The samr interface is used to communicate with the SAM (Security Account Manager) subsystem.

Before Windows 2000, the samr interface is available only on the \pipe\samr named pipe endpoint:

C:\> ifids -p ncacn_np -e \pipe\samr \\.

Interfaces: 4
[...]

  12345778-1234-abcd-ef00-0123456789ac v0.0

[...]

In Active Directory domains (and, in particular, on Active Directory domain controllers), the samr interface is also available, and used, over a TCP endpoint (a dynamic port, 1025 in this example):

C:\> ifids -p ncacn_ip_tcp -e 1025 127.0.0.1

Interfaces: 12
[...]

  12345778-1234-abcd-ef00-0123456789ac v0.0

[...]

During Active Directory domain joins, computer accounts are created with samr operations issued to the TCP endpoint of an Active Directory domain controller.

IDL (Interface Definition Language) for the samr interface is available in Samba 4 [55].

Table 4.16. samr operations

Interface 12345778-1234-abcd-ef00-0123456789ac v1.0: samr

  Opnum  Operation name
  -----  --------------
  0x00   SamrConnect
  0x01   SamrCloseHandle
  0x02   SamrSetSecurityObject
  0x03   SamrQuerySecurityObject
  0x04   SamrShutdownSamServer
  0x05   SamrLookupDomainInSamServer
  0x06   SamrEnumerateDomainsInSamServer
  0x07   SamrOpenDomain
  0x08   SamrQueryInformationDomain
  0x09   SamrSetInformationDomain
  0x0a   SamrCreateGroupInDomain
  0x0b   SamrEnumerateGroupsInDomain
  0x0c   SamrCreateUserInDomain
  0x0d   SamrEnumerateUsersInDomain
  0x0e   SamrCreateAliasInDomain
  0x0f   SamrEnumerateAliasesInDomain
  0x10   SamrGetAliasMembership
  0x11   SamrLookupNamesInDomain
  0x12   SamrLookupIdsInDomain
  0x13   SamrOpenGroup
  0x14   SamrQueryInformationGroup
  0x15   SamrSetInformationGroup
  0x16   SamrAddMemberToGroup
  0x17   SamrDeleteGroup
  0x18   SamrRemoveMemberFromGroup
  0x19   SamrGetMembersInGroup
  0x1a   SamrSetMemberAttributesOfGroup
  0x1b   SamrOpenAlias
  0x1c   SamrQueryInformationAlias
  0x1d   SamrSetInformationAlias
  0x1e   SamrDeleteAlias
  0x1f   SamrAddMemberToAlias
  0x20   SamrRemoveMemberFromAlias
  0x21   SamrGetMembersInAlias
  0x22   SamrOpenUser
  0x23   SamrDeleteUser
  0x24   SamrQueryInformationUser
  0x25   SamrSetInformationUser
  0x26   SamrChangePasswordUser
  0x27   SamrGetGroupsForUser
  0x28   SamrQueryDisplayInformation
  0x29   SamrGetDisplayEnumerationIndex
  0x2a   SamrTestPrivateFunctionsDomain
  0x2b   SamrTestPrivateFunctionsUser
  0x2c   SamrGetUserDomainPasswordInformation

  Windows 2000 and later:
  0x2d   SamrRemoveMemberFromForeignDomain
  0x2e   SamrQueryInformationDomain2
  0x2f   SamrQueryInformationUser2
  0x30   SamrQueryDisplayInformation2
  0x31   SamrGetDisplayEnumerationIndex2
  0x32   SamrCreateUser2InDomain
  0x33   SamrQueryDisplayInformation3
  0x34   SamrAddMultipleMembersToAlias
  0x35   SamrRemoveMultipleMembersFromAlias
  0x36   SamrOemChangePasswordUser2
  0x37   SamrUnicodeChangePasswordUser2
  0x38   SamrGetDomainPasswordInformation
  0x39   SamrConnect2
  0x3a   SamrSetInformationUser2
  0x3b   SamrSetBootKeyInformation
  0x3c   SamrGetBootKeyInformation
  0x3d   SamrConnect3
  0x3e   SamrConnect4
  0x3f   SamrUnicodeChangePasswordUser3

  Windows XP and Windows Server 2003 and later:
  0x40   SamrConnect5
  0x41   SamrRidToSid
  0x42   SamrSetDSRMPassword
  0x43   SamrValidatePassword

  Windows Vista and later:
  0x44   SamrQueryLocalizableAccountsInDomain
  0x45   SamrPerformGenericOperation

To connect to the SAM server, one of the following operations is used (each returns a server handle):

  SamrConnect (0x00), SamrConnect2 (0x39), SamrConnect3 (0x3d), SamrConnect4 (0x3e), SamrConnect5 (0x40)

Then, the domains available in the SAM server can be enumerated with the following operation:

  SamrEnumerateDomainsInSamServer (0x06)

This operation typically returns the BUILTIN domain (S-1-5-32) and the machine domain (the local domain on a non-domain controller machine, the NT 4 or Active Directory domain on a domain controller).

The following operation is used to obtain the SID of a domain, given its name:

  SamrLookupDomainInSamServer (0x05)

The domain SID can then be used to open a given domain (returning a domain handle):

  SamrOpenDomain (0x07)

General information about the opened domain can be obtained or set with the following operations:

  SamrQueryInformationDomain (0x08), SamrSetInformationDomain (0x09), SamrQueryInformationDomain2 (0x2e)

Once a domain is opened, it is possible to enumerate its groups, aliases and users, using the following operations:

  SamrEnumerateGroupsInDomain (0x0b), SamrEnumerateAliasesInDomain (0x0f), SamrEnumerateUsersInDomain (0x0d)

RID and name resolution inside an opened domain is implemented by the following operations:

  SamrLookupNamesInDomain (0x11), SamrLookupIdsInDomain (0x12)

Domain password policies can be obtained with the following operations:

  SamrGetDomainPasswordInformation (0x38), SamrGetUserDomainPasswordInformation (0x2c)

To create a new group, alias or user in the opened domain, the following operations can be used:

  SamrCreateGroupInDomain (0x0a), SamrCreateAliasInDomain (0x0e), SamrCreateUserInDomain (0x0c), SamrCreateUser2InDomain (0x32)

To open an existing group, alias or user in the opened domain, the following operations exist:

  SamrOpenGroup (0x13), SamrOpenAlias (0x1b), SamrOpenUser (0x22)

To delete an existing group, alias or user in the opened domain, the following operations exist:

  SamrDeleteGroup (0x17), SamrDeleteAlias (0x1e), SamrDeleteUser (0x23)

To obtain the list of members of a group or alias, the following operations can be used:

  SamrGetMembersInGroup (0x19), SamrGetMembersInAlias (0x21)

To add a member to, or remove a member from, a group or alias, the following operations are available:

  SamrAddMemberToGroup (0x16), SamrRemoveMemberFromGroup (0x18), SamrAddMemberToAlias (0x1f), SamrRemoveMemberFromAlias (0x20)

For aliases, it is also possible to add or remove multiple members in a single operation:

  SamrAddMultipleMembersToAlias (0x34), SamrRemoveMultipleMembersFromAlias (0x35)

To obtain or set information about a given group or alias, the following operations exist:

  SamrQueryInformationGroup (0x14), SamrSetInformationGroup (0x15), SamrQueryInformationAlias (0x1c), SamrSetInformationAlias (0x1d)

Similar operations exist for user account management:

  SamrQueryInformationUser (0x24), SamrSetInformationUser (0x25), SamrQueryInformationUser2 (0x2f), SamrSetInformationUser2 (0x3a)

The list of groups containing a given user can be obtained with the following operation:

  SamrGetGroupsForUser (0x27)

Finally, handles returned by the following operations are supposed to be closed, using the SamrCloseHandle (0x01) operation:

  SamrConnect (0x00), SamrConnect2 (0x39), SamrConnect3 (0x3d), SamrConnect4 (0x3e), SamrConnect5 (0x40), SamrOpenDomain (0x07), SamrOpenGroup (0x13), SamrOpenAlias (0x1b), SamrOpenUser (0x22)
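The sequence above (connect, enumerate domains, look up the domain SID, open the domain, enumerate users, close every handle) as a working client, added here as an example and not taken from the original text or from Samba. It uses the third-party impacket library, whose hSamr* helpers wrap the operations of Table 4.16 one to one, and reaches the SAM server either over the \pipe\samr named pipe or over the dynamic TCP endpoint resolved through the endpoint mapper. Host names and credentials on the command line are placeholders; STATUS_MORE_ENTRIES is the NT status the server returns while an enumeration has more pages.

```python
"""Walk the samr handle hierarchy of a live SAM server (added example)."""
import sys

try:
    from impacket.dcerpc.v5 import epm, samr, transport
    from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
    from impacket.nt_errors import STATUS_MORE_ENTRIES
except ImportError:  # keep the module importable where impacket is absent
    epm = samr = transport = None
    STATUS_MORE_ENTRIES = 0x00000105

SAMR_PIPE = r"\pipe\samr"


def string_binding(protocol, host, port=None):
    """Build the impacket string binding for one of the two samr endpoints.

    ncacn_np uses the well-known \\pipe\\samr endpoint; ncacn_ip_tcp needs the
    dynamic port (1025 in the ifids run above), which is why connect() asks the
    endpoint mapper for it instead of hard-coding a number.
    """
    if protocol == "ncacn_np":
        return "ncacn_np:%s[%s]" % (host, SAMR_PIPE)
    if protocol == "ncacn_ip_tcp":
        if port is None:
            raise ValueError("ncacn_ip_tcp needs the dynamic endpoint port")
        return "ncacn_ip_tcp:%s[%d]" % (host, port)
    raise ValueError("unsupported protocol sequence: %s" % protocol)


def connect(host, username, password, domain="", protocol="ncacn_np"):
    """Bind to the samr interface over SMB (named pipe) or directly over TCP."""
    if protocol == "ncacn_ip_tcp":
        # The TCP port is dynamic: ask the endpoint mapper on TCP/135 for it.
        binding = epm.hept_map(host, samr.MSRPC_UUID_SAMR, protocol="ncacn_ip_tcp")
    else:
        binding = string_binding("ncacn_np", host)
    rpc = transport.DCERPCTransportFactory(binding)
    rpc.set_credentials(username, password, domain)
    dce = rpc.get_dce_rpc()
    if protocol == "ncacn_ip_tcp":
        # No SMB session underneath, so authenticate (and seal) at the RPC layer.
        dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
    dce.connect()
    dce.bind(samr.MSRPC_UUID_SAMR)
    return dce


def _enumerate_users(dce, domain_handle):
    """SamrEnumerateUsersInDomain, following EnumerationContext across pages.

    The server answers STATUS_MORE_ENTRIES while more entries remain; impacket
    hands that partial response back instead of raising, so loop on the status.
    """
    context = 0
    while True:
        resp = samr.hSamrEnumerateUsersInDomain(
            dce, domain_handle,
            userAccountControl=samr.USER_NORMAL_ACCOUNT,
            enumerationContext=context)
        for user in resp["Buffer"]["Buffer"]:
            yield user["RelativeId"], user["Name"]
        context = resp["EnumerationContext"]
        if resp["ErrorCode"] != STATUS_MORE_ENTRIES:
            return


def walk_sam(dce, only_domain=None):
    """SamrConnect5 -> SamrEnumerateDomainsInSamServer -> SamrLookupDomainInSamServer
    -> SamrOpenDomain -> SamrEnumerateUsersInDomain, then SamrCloseHandle on every
    handle opened, innermost first. Returns {domain: [(rid, name), ...]}."""
    server_handle = samr.hSamrConnect5(dce)["ServerHandle"]
    result = {}
    try:
        # Typically BUILTIN plus the machine (or Active Directory) domain.
        domains = samr.hSamrEnumerateDomainsInSamServer(dce, server_handle)["Buffer"]["Buffer"]
        for entry in domains:
            name = entry["Name"]
            if only_domain and name.lower() != only_domain.lower():
                continue
            # Name -> SID, because SamrOpenDomain takes the SID, not the name.
            sid = samr.hSamrLookupDomainInSamServer(dce, server_handle, name)["DomainId"]
            domain_handle = samr.hSamrOpenDomain(dce, server_handle, domainId=sid)["DomainHandle"]
            try:
                result[name] = list(_enumerate_users(dce, domain_handle))
            finally:
                samr.hSamrCloseHandle(dce, domain_handle)
    finally:
        samr.hSamrCloseHandle(dce, server_handle)
    return result


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: samr_walk.py HOST USER PASSWORD [ncacn_np|ncacn_ip_tcp]")
    proto = sys.argv[4] if len(sys.argv) > 4 else "ncacn_np"
    conn = connect(sys.argv[1], sys.argv[2], sys.argv[3], protocol=proto)
    for dom, users in walk_sam(conn).items():
        print("%s: %d users" % (dom, len(users)))
        for rid, account in users:
            print("  %-6d %s" % (rid, account))
    conn.disconnect()
```

Run it against a member server with ncacn_np and against a domain controller with ncacn_ip_tcp to see the same operations answered on both endpoints; on the TCP path the RPC-layer authentication level is what keeps the enumeration from being an anonymous, cleartext exchange.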