7 Appendix B: Product Behavior
The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.
The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.
The following tables show the relationships between Microsoft product versions or supplemental software and the roles they perform.
| Windows Client releases | Client role | Server role |
|---|---|---|
| Windows NT operating system | Yes | Yes |
| Windows 2000 Professional operating system | Yes | Yes |
| Windows XP operating system | Yes | Yes |
| Windows Vista operating system | Yes | Yes |
| Windows 7 operating system | Yes | Yes |
| Windows 8 operating system | Yes | Yes |
| Windows 8.1 operating system | Yes | Yes |
| Windows 10 operating system | Yes | Yes |
| Windows 11 operating system | Yes | Yes |
| Windows Server releases | Client role | Server role |
|---|---|---|
| Windows NT | Yes | Yes |
| Windows 2000 Server operating system | Yes | Yes |
| Windows Server 2003 operating system | Yes | Yes |
| Windows Server 2003 for Small Business Server 2003 | Yes | Yes |
| Windows Server 2003 R2 operating system | Yes | Yes |
| Windows Server 2008 operating system | Yes | Yes |
| Windows Server 2008 R2 operating system | Yes | Yes |
| Windows Server 2012 operating system | Yes | Yes |
| Windows Server 2012 R2 operating system | Yes | Yes |
| Windows Server 2016 operating system | Yes | Yes |
| Windows Server operating system | Yes | Yes |
| Windows Server 2019 operating system | Yes | Yes |
| Windows Server 2022 operating system | Yes | Yes |
| Windows Server 2025 operating system | Yes | Yes |
Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.
Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.
<1> Section 2.1: By default, the "\PIPE\lsarpc" endpoint allows anonymous access on Windows NT 3.1 operating system, Windows NT 3.5 operating system, Windows NT 3.51 operating system, Windows NT 4.0 operating system, Windows 2000 operating system, Windows XP, Windows Server 2003, Windows Server 2003 R2, and Windows Vista RTM. Anonymous access to this pipe is removed by default on Windows Vista operating system with Service Pack 1 (SP1) and later and Windows Server 2008 and later in both the non-domain controller configuration and the read-only domain controller configuration. The pipe access check happens before any other access check; therefore, it overrides any other access.
<2> Section 2.1: Applies only to Windows 11, version 24H2 operating system and later, and Windows Server 2025 and later.
<3> Section 2.1: Windows implementations of the client and server role for this protocol use the tamper-resistance functionality provided by SMB transport on the products that are available, and are enabled as specified in [MS-SMB] section 3.1.1.1 (the MessageSigningPolicy parameter), and [MS-SMB2] section 3.1.1.1 (the RequireMessageSigning parameter).
<4> Section 2.1: If an implementation of the client role violates this specification and uses the RPC-provided security-support-provider mechanism for the RPC connection to a Windows implementation, Windows processes all messages as specified in section 3.1 (that is, there is no change in message processing behavior), except for the messages that use encryption specified in section 5.1. During encryption and decryption, Windows implementations for the server role use a hard-coded key instead of the SMB transport–provided session key. The hard-coded key is represented below as bytes in hexadecimal form.
"53 79 73 74 65 6d 4c 69-62 72 61 72 79 44 54 43"
<5> Section 2.1: The Windows implementation of the server role for this protocol supports the RPC-provided security-support-provider mechanisms, as specified in [MS-RPCE] section 3.2.1.4.1. The following security-support providers are registered by the responder.
| Windows version | Security support provider registered |
|---|---|
| Windows NT and Windows 2000 Professional and later | RPC_C_AUTHN_WINNT |
| Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later | RPC_C_AUTHN_WINNT. On domain controllers the following are also supported: RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_GSS_NEGOTIATE |
<6> Section 2.1: Servers running Windows 2000, Windows XP, and Windows Server 2003 accept calls at any authentication level. Without [MSKB-3149090] installed, servers running Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 v1507 operating system, or Windows 10 v1511 operating system also accept calls at any authentication level.
<7> Section 2.1: The server implementation of this protocol in Windows 2000 and earlier does not enforce a limit. The limit in Windows XP and Windows Server 2003 is 4 MB.
<8> Section 2.2: Data type fields that are described as "Reserved" or "MUST be ignored" are sent as 0 (or NULL in the case of pointers) by the Windows implementation of the protocol client, and are ignored upon receipt by the Windows implementation of the protocol server.
<9> Section 2.2: Windows operating systems that support the current security updates to this protocol via the installation of KB articles are specified in [MSFT-CVE-2022-21913], immediately following its publication.
<10> Section 2.2: The following table is a timeline of when each structure, data type, or enumeration was introduced. All structures, data types, and enumerations listed in the table continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.
| Data type | Product |
|---|---|
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows 2000 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.1 |
|  | Windows NT 3.51 |
|  | Windows NT 3.1 |
|  | Windows NT 3.51 |
|  | Windows 2000 |
|  | Windows 2000 |
|  | Windows 2000 |
|  | Windows 2000 |
|  | Windows 2000 |
|  | Windows XP and Windows Server 2003 |
|  | Windows 2000 |
|  | Windows 2000 |
| LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL (section 2.2.7.12) | Windows 2000 |
|  | Windows 2000 |
| LSAPR_TRUSTED_DOMAIN_FULL_INFORMATION_INTERNAL (section 2.2.7.14) | Windows 2000 |
|  | Windows XP and Windows Server 2003 |
|  | Windows NT 3.1 |
| TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES (section 2.2.7.18) | Windows Vista and Windows Server 2008 |
|  | Windows NT 3.1 |
|  | Windows XP and Windows Server 2003 |
|  | Windows XP and Windows Server 2003 |
|  | Windows XP and Windows Server 2003 |
|  | Windows XP and Windows Server 2003 |
|  | Windows XP and Windows Server 2003 |
|  | Windows XP and Windows Server 2003 |
|  | Windows XP and Windows Server 2003 |
|  | Windows XP and Windows Server 2003 |
|  | Windows 10 v1803 operating system and Windows Server v1803 operating system |
<11> Section 2.2.1.1.2: The following is a timeline of when each access mask was introduced. All access masks continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.
| Value | Product |
|---|---|
| 0x00000000 | Windows NT 3.1 |
| POLICY_VIEW_LOCAL_INFORMATION 0x00000001 | Windows NT 3.1 |
| POLICY_VIEW_AUDIT_INFORMATION 0x00000002 | Windows NT 3.1 |
| POLICY_GET_PRIVATE_INFORMATION 0x00000004 | Windows NT 3.1 |
| POLICY_TRUST_ADMIN 0x00000008 | Windows NT 3.1 |
| POLICY_CREATE_ACCOUNT 0x00000010 | Windows NT 3.1 |
| POLICY_CREATE_SECRET 0x00000020 | Windows NT 3.1 |
| POLICY_CREATE_PRIVILEGE 0x00000040 | Windows NT 3.1 |
| POLICY_SET_DEFAULT_QUOTA_LIMITS 0x00000080 | Windows NT 3.1 |
| POLICY_SET_AUDIT_REQUIREMENTS 0x00000100 | Windows NT 3.1 |
| POLICY_AUDIT_LOG_ADMIN 0x00000200 | Windows NT 3.1 |
| POLICY_SERVER_ADMIN 0x00000400 | Windows NT 3.1 |
| POLICY_LOOKUP_NAMES 0x00000800 | Windows NT 3.1 |
| POLICY_NOTIFICATION 0x00001000 | Windows 2000 |
<12> Section 2.2.1.1.5: The following is a timeline of when each access mask was introduced. All access masks continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.
| Value | Product |
|---|---|
| TRUSTED_QUERY_DOMAIN_NAME 0x00000001 | Windows NT 3.1 |
| TRUSTED_QUERY_CONTROLLERS 0x00000002 | Windows NT 3.1 |
| TRUSTED_SET_CONTROLLERS 0x00000004 | Windows NT 3.1 |
| TRUSTED_QUERY_POSIX 0x00000008 | Windows NT 3.1 |
| TRUSTED_SET_POSIX 0x00000010 | Windows NT 3.1 |
| TRUSTED_SET_AUTH 0x00000020 | Windows 2000 |
| TRUSTED_QUERY_AUTH 0x00000040 | Windows 2000 |
<13> Section 2.2.1.2: The POLICY_MODE_ALL flag applies to Windows 2000 and later.
<14> Section 2.2.1.2: The POLICY_MODE_ALL_NT4 flag applies to Windows NT 3.1 through Windows NT 4.0.
<15> Section 2.2.1.2: The following is a timeline of when each mode was introduced. All modes continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.
| Value | Product |
|---|---|
| 0x00000000 No access | Windows NT 3.1 |
| 0x00000001 POLICY_MODE_INTERACTIVE | Windows NT 3.1 |
| 0x00000002 POLICY_MODE_NETWORK | Windows NT 3.1 |
| 0x00000004 POLICY_MODE_BATCH | Windows NT 3.1 |
| 0x00000010 POLICY_MODE_SERVICE | Windows NT 3.1 |
| 0x00000020 POLICY_MODE_PROXY | Windows NT 3.1 |
| 0x00000040 POLICY_MODE_DENY_INTERACTIVE | Windows 2000 |
| 0x00000080 POLICY_MODE_DENY_NETWORK | Windows 2000 |
| 0x00000100 POLICY_MODE_DENY_BATCH | Windows 2000 |
| 0x00000200 POLICY_MODE_DENY_SERVICE | Windows 2000 |
| 0x00000400 POLICY_MODE_REMOTE_INTERACTIVE | Windows XP and Windows Server 2003 |
| 0x00000800 POLICY_MODE_DENY_REMOTE_INTERACTIVE | Windows XP and Windows Server 2003 |
<16> Section 2.2.1.4: The AES cipher AEAD-AES-256-CBC-HMAC-SHA512 and supporting methods, structures, and processing details that enable AES wire encryption protections of sensitive data with this protocol are supported on the operating systems specified in [MSFT-CVE-2022-21913], each with its related KB article download installed.
<17> Section 2.2.1.5: Information records for Active Directory domains in trusted forests that are queried and set in this protocol are supported by the operating systems specified in [MSFT-CVE-2022-21857], each with its related KB article download installed.
<18> Section 2.2.2.4: The Windows implementation of the RPC client for this protocol leaves this structure to be filled by a higher-layer application and does not verify the structure's contents except for RootDirectory, which must be NULL.
<19> Section 2.2.2.5: In Windows NT, Windows 2000, Windows XP, and Windows XP operating system Service Pack 1 (SP1), the Windows RPC server and RPC client do not enforce restrictions on the Length field of this structure (using the range primitive specified in [MS-RPCE]).
<20> Section 2.2.2.6: Available in Windows 11, version 24H2 and later, and Windows Server 2025 and later.
<21> Section 2.2.2.6: Available in client versions later than Windows 11, version 23H2 operating system, server versions later than Windows Server 2022, 23H2 operating system, and versions updated with [MSFT-CVE-2024-20692].
<22> Section 2.2.4.1: The following is a timeline of when each enumeration value was introduced. All enumeration values continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.
| Value | Product |
|---|---|
| PolicyAuditLogInformation | Windows NT 3.1 |
| PolicyAuditEventsInformation | Windows NT 3.1 |
| PolicyPrimaryDomainInformation | Windows NT 3.1 |
| PolicyPdAccountInformation | Windows NT 3.1 |
| PolicyAccountDomainInformation | Windows NT 3.1 |
| PolicyLsaServerRoleInformation | Windows NT 3.1 |
| PolicyReplicaSourceInformation | Windows NT 3.1 |
| PolicyInformationNotUsedOnWire | Windows NT 3.1 |
| PolicyModificationInformation | Windows NT 3.1 |
| PolicyAuditFullSetInformation | Windows NT 3.1 |
| PolicyAuditFullQueryInformation | Windows NT 3.1 |
| PolicyDnsDomainInformation | Windows 2000 |
| PolicyDnsDomainInformationInt | Windows 2000 |
| PolicyLocalAccountDomainInformation | Windows Vista and Windows Server 2008 |
| PolicyMachineAccountInformation | Windows 10 v1803 and Windows Server v1803 |
<23> Section 2.2.4.4: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the MaximumAuditEventCount field of this structure (using the range primitive, as specified in [MS-RPCE]).
<24> Section 2.2.4.14: The following applies to Windows 2000 Professional and later and to Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later.
The Windows RPC server always throws an RPC_S_PROCNUM_OUT_OF_RANGE exception during message processing of LsarQueryInformationPolicy, LsarQueryInformationPolicy2, LsarSetInformationPolicy, and LsarSetInformationPolicy2 for the PolicyDnsDomainInformation information level if the server is configured to emulate Windows NT 4.0.
<25> Section 2.2.4.16: The PolicyDomainQualityOfServiceInformation enumeration value and corresponding POLICY_DOMAIN_QUALITY_OF_SERVICE_INFO structure are parts of LSAPR_POLICY_DOMAIN_INFORMATION only in the Windows 2000 Server implementation of this protocol.
<26> Section 2.2.4.18: Microsoft implementations of the Local Security Authority (Domain Policy) Remote Protocol do not enforce data in EfsBlob to conform to the layout specified in [MS-GPEF] section 2.2.1.2.1.
<27> Section 2.2.5.3: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the Entries field of this structure (using the range primitive defined in [MS-RPCE]).
<28> Section 2.2.5.5: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the PrivilegeCount field of this structure (using the range primitive specified in [MS-RPCE]).
<29> Section 2.2.6.1: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the Length field of this structure (using the range primitive as specified in [MS-RPCE]).
<30> Section 2.2.6.1: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the MaximumLength field of this structure (using the range primitive defined in [MS-RPCE]).
<31> Section 2.2.6.2: Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].
<32> Section 2.2.7.2: The following is a timeline of when each enumeration value was introduced. All enumeration values continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.
| Value | Product |
|---|---|
| TrustedDomainNameInformation | Windows NT 3.1 |
| TrustedControllersInformation | Windows NT 3.1 |
| TrustedPosixOffsetInformation | Windows NT 3.1 |
| TrustedPasswordInformation | Windows NT 3.51 |
| TrustedDomainInformationBasic | Windows 2000 |
| TrustedDomainInformationEx | Windows 2000 |
| TrustedDomainAuthInformation | Windows 2000 |
| TrustedDomainFullInformation | Windows 2000 |
| TrustedDomainAuthInformationInternal | Windows 2000 |
| TrustedDomainFullInformationInternal | Windows 2000 |
| TrustedDomainInformationEx2Internal | Windows XP and Windows Server 2003 |
| TrustedDomainFullInformation2Internal | Windows XP and Windows Server 2003 |
| TrustedDomainSupportedEncryptionTypes | Windows Vista and Windows Server 2008 |
| TrustedDomainAuthInformationInternalAes | Windows Server 2008 with [MSFT-CVE-2022-21913] |
| TrustedDomainFullInformationInternalAes | Windows Server 2008 with [MSFT-CVE-2022-21913] |
<33> Section 2.2.7.5: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the Entries field of this structure (using the range primitive defined in [MS-RPCE]).
<34> Section 2.2.7.9: The following is a timeline of when each flag value was introduced. Unless otherwise specified, all flag values continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.
| Possible value | Value | Product |
|---|---|---|
| TANT (TRUST_ATTRIBUTE_NON_TRANSITIVE) | 0x00000001 | Windows 2000 |
| TAUO (TRUST_ATTRIBUTE_UPLEVEL_ONLY) | 0x00000002 | Windows 2000 |
| TAQD (TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) | 0x00000004 | Windows 2000 operating system Service Pack 2 (SP2) and Windows XP |
| TAFT (TRUST_ATTRIBUTE_FOREST_TRANSITIVE) | 0x00000008 | Windows XP and Windows Server 2003 |
| TACO (TRUST_ATTRIBUTE_CROSS_ORGANIZATION) | 0x00000010 | Windows Server 2003 and Windows Vista |
| TAWF (TRUST_ATTRIBUTE_WITHIN_FOREST) | 0x00000020 | Windows Server 2003 and Windows Vista |
| TATE (TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) | 0x00000040 | Windows Server 2003 and Windows Vista |
| TANC (TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION) | 0x00000200 | Windows 8 and Windows Server 2012 operating system |
| TAPT (TRUST_ATTRIBUTE_PIM_TRUST) | 0x00000400 | Windows 10 and Windows Server 2016 (also supported on Windows 8.1 and Windows Server 2012 R2 if [MSKB-3155495] is installed) |
| Obsolete | 0x00400000 | Introduced in Windows 2000 RTM. Became obsolete in Windows 2000 operating system Service Pack 4 (SP4). |
| Obsolete | 0x00800000 | Introduced in Windows 2000 RTM. Became obsolete in Windows 2000 SP4. |
<35> Section 2.2.7.11: In Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008, the Windows RPC server and RPC client do not enforce restrictions on the IncomingAuthInfos field of this structure (using the range primitive defined in [MS-RPCE]).
<36> Section 2.2.7.11: In Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008, the Windows RPC server and RPC client do not enforce restrictions on the OutgoingAuthInfos field of this structure (using the range primitive defined in [MS-RPCE]).
<37> Section 2.2.7.16: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the AuthSize field of this structure (using the range primitive defined in [MS-RPCE]).
<38> Section 2.2.7.17: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the AuthInfoLength field of this structure (using the range primitive defined in [MS-RPCE]).
<39> Section 2.2.7.23: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the Length field of this structure (using the range primitive defined in [MS-RPCE]).
<40> Section 2.2.7.25: In Windows NT, Windows 2000, Windows XP, and Windows XP SP1, the Windows RPC server and RPC client do not enforce restrictions on the RecordCount field of this structure (using the range primitive defined in [MS-RPCE]).
<41> Section 3.1.1.1: A Windows responder for this protocol contains the following values for the policy object after setup.
| Name | Value |
|---|---|
| Auditing Log Information | Windows maintains the following hard-coded information about the state of the audit log: MaximumLogSize = 8192; AuditLogPercentFull = 0; AuditRetentionPeriod = 8533315; AuditLogFullShutdownInProgress = FALSE; TimeToShutdown = 288342; NextAuditRecordId = 0 |
| Audit Full Information | Windows XP and later, and Windows Server 2003 and Windows Server 2003 R2 and later return STATUS_INVALID_PARAMETER for this information class. |
| Event Auditing Options | On Windows 2000 and Windows XP: AuditingMode = FALSE; MaximumAuditEventCount = 9; EventAuditingOptions = { 0, 0, 0, 0, 0, 0, 0, 0, 0 }. On Windows Server 2003 and Windows Server 2003 R2: AuditingMode = TRUE; MaximumAuditEventCount = 9; EventAuditingOptions = { 0, 1, 0, 0, 0, 0, 0, 0, 1 }. On Windows Vista and later and Windows Server 2008 and later: AuditingMode = TRUE; MaximumAuditEventCount = 9; EventAuditingOptions = { 0, 0, 0, 0, 0, 0, 0, 0, 0 } |
| Primary Domain Information | Name = <Workgroup Name>; Sid = NULL |
| DNS Domain Information | Name = <Workgroup Name>; DnsDomainName = <Empty String>; DnsForestName = <Empty String>; DomainGuid = { 0 }; Sid = NULL |
| Account Domain Information | DomainName = <Machine Netbios name>; DomainSid = <S-1-5-21-X-Y-Z>, where X, Y, Z are random numbers |
| Server Role Information | LsaServerRole = PolicyServerRolePrimary |
| Replica Source Information | ReplicaSource = <Empty String>; ReplicaAccountName = <Empty String> |
| Kerberos Policy Information | <No value> |
| Encrypting File System (EFS) Policy Information | <No value> |
| Security Descriptor | The security descriptor in Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, Windows NT 4.0, and Windows 2000 can be expressed in Security Descriptor Definition Language (SDDL), as specified in [MS-DTYP] section 2.5.1, as follows: O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD). In Windows XP and in Windows Server 2003 and Windows Server 2003 R2 and later, the security descriptor can be expressed in SDDL as follows: O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)(A;;0x0000801;;;AN)(A;;0x00001000;;;LS)(A;;0x00001000;;;NS). In Windows Vista and later, the security descriptor can be expressed in SDDL as follows: O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)(A;;0x0000801;;;AN)(A;;0x00001000;;;LS)(A;;0x00001000;;;NS)(A;;0x00001000;;;S-1-5-17). See sections 2.2.1.1.1 and 2.2.1.1.2 for the definitions of the generic and object-specific access rights, respectively, that are included in these security descriptors. |
| Machine Account Information | Rid = 0; Sid = NULL |
<42> Section 3.1.1.1: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 do not store this information.
<43> Section 3.1.1.1: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 do not store this information.
<44> Section 3.1.1.1: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 do not store this information.
<45> Section 3.1.1.1: Only the Windows 2000 implementation of this protocol stores quality of service information.
<46> Section 3.1.1.1: The security descriptor in Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, Windows NT 4.0, and Windows 2000 can be expressed in Security Description Definition Language (SDDL), as specified in [MS-DTYP] section 2.5.1, as follows:
O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)
In Windows XP, Windows Server 2003, and Windows Server 2003 R2, the security descriptor can be expressed in SDDL as follows:
O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)(A;;0x0000801;;;AN)(A;;0x00001000;;;LS)(A;;0x00001000;;;NS)
In Windows Vista and later and in Windows Server 2008 and later, the security descriptor can be expressed in SDDL as follows:
O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)(A;;0x0000801;;;AN)(A;;0x00001000;;;LS)(A;;0x00001000;;;NS)(A;;0x00001000;;;S-1-5-17)
See sections 2.2.1.1.1 and 2.2.1.1.2 for the definitions of the generic and object-specific access rights, respectively, that are included in these security descriptors.
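Added example, not taken from [MS-LSAD] or any Microsoft code: it parses the three policy-object SDDL strings quoted in this note and decodes their hex access masks against the POLICY_* values tabulated in note <11>, so a reviewer can see exactly which rights the anonymous, service and S-1-5-17 trustees gained in each Windows generation. The two-letter SID aliases and generic-right letters are the standard SDDL ones from [MS-DTYP] section 2.5.1; generic rights are reported symbolically rather than expanded per section 2.2.1.1.1.

```python
"""Decode the LSA policy-object security descriptors given in this appendix.

Minimal SDDL DACL parser plus an access-mask decoder built from the POLICY_*
values and SDDL strings that appear in this section.  Only the ACE syntax used
on this page, (type;flags;rights;;;sid), is handled.
"""
import re

# POLICY_* object-specific access rights, from the section 2.2.1.1.2 timeline table.
POLICY_RIGHTS = {
    0x00000001: "POLICY_VIEW_LOCAL_INFORMATION",
    0x00000002: "POLICY_VIEW_AUDIT_INFORMATION",
    0x00000004: "POLICY_GET_PRIVATE_INFORMATION",
    0x00000008: "POLICY_TRUST_ADMIN",
    0x00000010: "POLICY_CREATE_ACCOUNT",
    0x00000020: "POLICY_CREATE_SECRET",
    0x00000040: "POLICY_CREATE_PRIVILEGE",
    0x00000080: "POLICY_SET_DEFAULT_QUOTA_LIMITS",
    0x00000100: "POLICY_SET_AUDIT_REQUIREMENTS",
    0x00000200: "POLICY_AUDIT_LOG_ADMIN",
    0x00000400: "POLICY_SERVER_ADMIN",
    0x00000800: "POLICY_LOOKUP_NAMES",
    0x00001000: "POLICY_NOTIFICATION",
}

# Generic-right letters and well-known SID aliases as defined by SDDL ([MS-DTYP] 2.5.1).
GENERIC_RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ",
                  "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
SID_ALIASES = {"BA": "Builtin Administrators", "WD": "Everyone", "AN": "Anonymous Logon",
               "LS": "Local Service", "NS": "Network Service", "SY": "Local System"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def decode_mask(mask, table):
    """Split a numeric access mask into the named bits of `table`; unnamed bits stay as hex."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    leftover = mask & ~sum(table)  # sum of the keys is the union of all named bits
    if leftover:
        names.append(f"0x{leftover:08X}")
    return names


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as (ace_type, rights, trustee) tuples."""
    dacl = sddl.split("D:", 1)[1]      # everything after the DACL marker ...
    dacl = dacl.split("S:", 1)[0]      # ... up to the SACL marker, if present
    aces = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError(f"unsupported ACE syntax: ({ace})")
        ace_type, _flags, rights, _obj, _inherit_obj, sid = fields
        if rights.lower().startswith("0x"):
            decoded = decode_mask(int(rights, 16), POLICY_RIGHTS)
        else:
            # Generic rights are two-letter codes, possibly concatenated ("GRGX").
            decoded = [GENERIC_RIGHTS[rights[i:i + 2]] for i in range(0, len(rights), 2)]
        # A SID without an alias (S-1-5-17 here) is kept as the raw SID string.
        aces.append((ace_type, tuple(decoded), SID_ALIASES.get(sid, sid)))
    return aces


def rights_for(sddl, trustee):
    """Rights granted by an allow ACE to `trustee`, or an empty tuple if it has none."""
    for ace_type, rights, who in parse_dacl(sddl):
        if ace_type == "A" and who == trustee:
            return rights
    return ()


# The three policy-object descriptors quoted in footnote <46>.
SD_NT_2000 = "O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD)"
SD_XP_2003 = SD_NT_2000 + "(A;;0x0000801;;;AN)(A;;0x00001000;;;LS)(A;;0x00001000;;;NS)"
SD_VISTA = SD_XP_2003 + "(A;;0x00001000;;;S-1-5-17)"


def anonymous_rights_added_in_xp():
    """What the XP / Server 2003 descriptor grants Anonymous Logon that NT / 2000 did not."""
    return rights_for(SD_XP_2003, "Anonymous Logon")


if __name__ == "__main__":
    for label, sd in (("NT/2000", SD_NT_2000), ("XP/2003", SD_XP_2003), ("Vista+", SD_VISTA)):
        print(label)
        for ace_type, rights, who in parse_dacl(sd):
            print(f"  {ace_type} {who:22s} {' | '.join(rights)}")
```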
<47> Section 3.1.1.1: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 domain controllers use the Netlogon Remote Protocol, as specified in [MS-NRPC] section 1.3.3, to converge Event Auditing Options abstract data. These versions of Windows do not implement Kerberos Policy Information abstract data.
Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later domain controllers use the Group Policy: Security Protocol Extension, as specified in [MS-GPSB] section 2.2.2 to converge Kerberos Policy Information abstract data and [MS-GPSB] section 2.2.4 to converge Event Auditing Options abstract data.
<48> Section 3.1.1.2.1: The following is a timeline of when each privilege value was introduced. All privilege values continue to be supported in all subsequent versions of Windows according to the applicability lists at the beginning of this section.
| Name | Product |
|---|---|
| SE_ASSIGNPRIMARYTOKEN_NAME "SeAssignPrimaryTokenPrivilege" | Windows NT 3.1 |
| SE_AUDIT_NAME "SeAuditPrivilege" | Windows NT 3.1 |
| SE_BACKUP_NAME "SeBackupPrivilege" | Windows NT 3.1 |
| SE_CHANGE_NOTIFY_NAME "SeChangeNotifyPrivilege" | Windows NT 3.1 |
| SE_CREATE_GLOBAL_NAME "SeCreateGlobalPrivilege" | Windows 2000 SP4, Windows XP operating system Service Pack 2 (SP2), and Windows Server 2003 |
| SE_CREATE_PAGEFILE_NAME "SeCreatePagefilePrivilege" | Windows NT 3.1 |
| SE_CREATE_PERMANENT_NAME "SeCreatePermanentPrivilege" | Windows NT 3.1 |
| SE_CREATE_TOKEN_NAME "SeCreateTokenPrivilege" | Windows NT 3.1 |
| SE_DEBUG_NAME "SeDebugPrivilege" | Windows NT 3.1 |
| SE_ENABLE_DELEGATION_NAME "SeEnableDelegationPrivilege" | Windows 2000 |
| SE_IMPERSONATE_NAME "SeImpersonatePrivilege" | Windows 2000 SP4, Windows XP SP2, and Windows Server 2003 |
| SE_INC_BASE_PRIORITY_NAME "SeIncreaseBasePriorityPrivilege" | Windows NT 3.1 |
| SE_INCREASE_QUOTA_NAME "SeIncreaseQuotaPrivilege" | Windows NT 3.1 |
| SE_LOAD_DRIVER_NAME "SeLoadDriverPrivilege" | Windows NT 3.1 |
| SE_LOCK_MEMORY_NAME "SeLockMemoryPrivilege" | Windows NT 3.1 |
| SE_MACHINE_ACCOUNT_NAME "SeMachineAccountPrivilege" | Windows NT 3.5 |
| SE_MANAGE_VOLUME_NAME "SeManageVolumePrivilege" | Windows 2000 SP4 and Windows XP |
| SE_PROF_SINGLE_PROCESS_NAME "SeProfileSingleProcessPrivilege" | Windows NT 3.1 |
| SE_REMOTE_SHUTDOWN_NAME "SeRemoteShutdownPrivilege" | Windows NT 3.1 |
| SE_RESTORE_NAME "SeRestorePrivilege" | Windows NT 3.1 |
| SE_SECURITY_NAME "SeSecurityPrivilege" | Windows NT 3.1 |
| SE_SHUTDOWN_NAME "SeShutdownPrivilege" | Windows NT 3.1 |
| SE_SYNC_AGENT_NAME "SeSyncAgentPrivilege" | Windows 2000 |
| SE_SYSTEM_ENVIRONMENT_NAME "SeSystemEnvironment" | Windows NT 3.1 |
| SE_SYSTEM_PROFILE_NAME "SeSystemProfilePrivilege" | Windows NT 3.1 |
| SE_SYSTEMTIME_NAME "SeSystemtimePrivilege" | Windows NT 3.1 |
| SE_TAKE_OWNERSHIP_NAME "SeTakeOwnershipPrivilege" | Windows NT 3.1 |
| SE_TCB_NAME "SeTcbPrivilege" | Windows NT 3.1 |
| SE_UNDOCK_NAME "SeUndockPrivilege" | Windows NT 3.1 |
| SE_CREATE_SYMBOLIC_LINK_NAME "SeCreateSymbolicLinkPrivilege" | Windows Vista and Windows Server 2008 |
| SE_INC_WORKING_SET_NAME "SeIncreaseWorkingSetPrivilege" | Windows Vista and Windows Server 2008 |
| SE_RELABEL_NAME "SeRelabelPrivilege" | Windows Vista and Windows Server 2008 |
| SE_TIME_ZONE_NAME "SeTimeZonePrivilege" | Windows Vista and Windows Server 2008 |
| SE_TRUSTED_CREDMAN_ACCESS_NAME "SeTrustedCredManAccessPrivilege" | Windows Vista and Windows Server 2008 |
<49> Section 3.1.1.2.2: Windows products implement exactly the set of system access rights that the protocol supports for a given version. See the Windows behavior note in section 2.2.1.2 for a timeline of when each system access right was introduced.
<50> Section 3.1.1.3: The default security descriptor that is assigned to newly created account objects can be expressed in Security Description Definition Language (SDDL) as O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD).
See section 2.2.1.1.1 for the definitions of the generic access rights that are included in this security descriptor.
<51> Section 3.1.1.3: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 domain controllers use the Netlogon Remote Protocol, as specified in [MS-NRPC] section 1.3.3.
Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later domain controllers use the Group Policy: Security Protocol Extension, as specified in [MS-GPSB] section 2.2.6.
<52> Section 3.1.1.4: The following is a timeline of when each secret name or name pattern was introduced. All secret names and name patterns continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.
| Secret name or name pattern | Product |
|---|---|
| Starts with "G$$" | Windows NT 3.1 |
| Starts with "G$" | Windows NT 3.1 |
| Starts with "L$" | Windows 2000 |
| Starts with "M$" | Windows 2000 |
| Starts with "_sc_" | Windows 2000 |
| Starts with "NL$" | Windows 2000 |
| Starts with "RasDialParams" | Windows 2000 |
| Starts with "RasCredentials" | Windows 2000 |
| Equal to "$MACHINE.ACC" | Windows NT 3.1 |
| Equal to "SAC" | Windows 2000 |
| Equal to "SAI" | Windows 2000 |
| Equal to "SANSC" | Windows 2000 |
The Trusted Domain Secret type is used only in Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0.
For replication of secrets, Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 use Netlogon-based replication, while Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later use Active Directory replication.
<53> Section 3.1.1.4: By default, the security descriptor assigned to newly created secret objects of type Local Secret can be expressed in Security Description Definition Language (SDDL) as O:BAG:SYD:(A;;GA;;;BA)(A;;GX;;;WD). This security descriptor implies that the secrets are shared between users by default, which means that a secret object created by an administrator is available to another administrator. An implementation can disallow this behavior by assigning a different security descriptor.
See section 2.2.1.1.1 for the definitions of the generic access rights that are included in this security descriptor.
<54> Section 3.1.1.5: The following is a timeline of when each information value was introduced. All information values continue to be available in subsequent versions of Windows according to the applicability lists at the beginning of this section.
| Name | Product |
|---|---|
| Name | Windows NT 3.1 |
| Flat Name | Windows 2000 |
| Security Identifier | Windows NT 3.1 |
| Trust Type | Windows 2000 |
| Trust Direction | Windows 2000 |
| Trust Attributes | Windows 2000 |
| Posix Offset | Windows NT 3.1 |
| Trust Incoming Passwords | Windows NT 3.51 |
| Trust Outgoing Passwords | Windows NT 3.51 |
| Forest Trust Information | Windows XP, Windows Server 2003 |
| Supported Encryption Types | Windows Vista, Windows Server 2008 |
| Security Descriptor | Windows NT 3.1 |
<55> Section 3.1.1.6.1: The default setting value is FALSE for Windows NT, Windows 2000, and Windows XP. The default setting value is TRUE for Windows Server 2003 and Windows Server 2003 R2 and later and for Windows Vista and later.
This setting can be set to FALSE on Windows Server 2003 and Windows Server 2003 R2 and later and on Windows Vista and later by setting a "non-0" value on the following REG_DWORD registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock
Changes made to this setting must take effect immediately.
Note that the Boolean meaning of the TurnOffAnonymousBlock registry value is reversed from that of the LsaRestrictAnonymous setting in section 3.1.1.6.1.
<56> Section 3.1.4: The Windows implementation of this protocol asks the RPC engine to perform a strict Network Data Representation (NDR) data consistency check at target level 5.0 (as specified in [MS-RPCE] section 3) in Windows 2000 Professional and later and in Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later.
<57> Section 3.1.4: The Windows implementation of this protocol asks the RPC engine to include support for both NDR and NDR64 transfer syntaxes, in addition to the negotiation mechanism for determining what transfer syntax will be used (as specified in [MS-RPCE] section 3) in Windows XP and later and in Windows Server 2003 and Windows Server 2003 R2 and later.
<58> Section 3.1.4: The Windows implementation of this protocol asks the RPC engine via the strict_context_handle attribute to reject use of context handles created by a method of a different RPC interface from this one, as specified in [MS-RPCE] section 3.
<59> Section 3.1.4: The following is a timeline of when each method was introduced. All methods continue to be available in subsequent versions of Windows according to the applicability list at the beginning of this section.
Method | Product |
---|---|
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.1 |
| Windows NT 3.51 |
| Windows NT 3.51 |
| Windows NT 3.51 |
| Windows NT 3.51 |
| Windows NT 3.51 |
| Windows NT 3.51 |
| Windows NT 3.51 |
| Windows NT 3.51 |
| Windows NT 3.51 |
| Windows NT 3.51 |
| Windows 2000 |
| Windows 2000 |
| Windows 2000 |
| Windows 2000 |
| Windows 2000 |
| Windows 2000 |
| Windows 2000 |
| Windows 2000 |
| Windows 2000 |
| Windows 2000 |
| Windows XP, Windows Server 2003 |
| Windows XP, Windows Server 2003 |
| Windows Server 2008 with [MSFT-CVE-2022-21913] |
| Windows Server 2008 with [MSFT-CVE-2022-21913] |
<60> Section 3.1.4: Some gaps in the opnum numbering sequence correspond to opnums that are specified in [MS-LSAT]. All other gaps in the opnum numbering sequence apply to Windows as follows.
Opnum | Description |
---|---|
1 | Used only locally by Windows, never remotely. |
5 | Not used by Windows. |
9 | Not used by Windows. |
21 | Not used by Windows. |
22 | Not used by Windows. |
52 | Not used by Windows. |
56 | Used only locally by Windows, never remotely. |
60 | Used only locally by Windows, never remotely. |
61 | Used only locally by Windows, never remotely. |
62 | Used only locally by Windows, never remotely. |
63 | Used only locally by Windows, never remotely. |
64 | Used only locally by Windows, never remotely. |
65 | Used only locally by Windows, never remotely. |
66 | Used only locally by Windows, never remotely. |
67 | Used only locally by Windows, never remotely. |
69 | Used only locally by Windows, never remotely. |
70 | Used only locally by Windows, never remotely. |
71 | Used only locally by Windows, never remotely. |
72 | Used only locally by Windows, never remotely. |
75 | Used only locally by Windows, never remotely. |
<61> Section 3.1.4.4.1: The Windows RPC server for this protocol ignores this parameter except for the RootDirectory field. It verifies whether the value is NULL and returns STATUS_INVALID_PARAMETER if it is not.
<62> Section 3.1.4.4.2: The Windows RPC server for this protocol ignores this parameter except for the RootDirectory field. It verifies whether the value is NULL and returns STATUS_INVALID_PARAMETER if it is not.
<63> Section 3.1.4.4.3: Windows XP and later, and Windows Server 2003 and Windows Server 2003 R2 and later return STATUS_INVALID_PARAMETER for this information class.
<64> Section 3.1.4.4.3: In the case of Windows 2000 Professional and later, and Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later, the Windows RPC server always throws an RPC_NT_PROCNUM_OUT_OF_RANGE exception if the server is configured to emulate NT4 for PolicyDnsDomainInformation information level.
<65> Section 3.1.4.4.5: Windows XP and later, and Windows Server 2003 and Windows Server 2003 R2 and later return STATUS_INVALID_PARAMETER for this information class.
<66> Section 3.1.4.4.5: Windows 2000 Professional and later, and Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later behavior: The Windows RPC server always throws an RPC_NT_PROCNUM_OUT_OF_RANGE exception if the server is configured to emulate NT4 for PolicyDnsDomainInformation information level.
<67> Section 3.1.4.4.9: The Windows RPC server for this protocol ignores this parameter except for the RootDirectory field. It verifies whether the value is NULL and returns STATUS_INVALID_PARAMETER if it is not NULL.
<68> Section 3.1.4.4.9: This and the following exception apply to Windows 11, version 24H2 and later, and Windows Server 2025 and later.
<69> Section 3.1.4.4.10: This method is available in Windows 11, version 24H2 and later, and Windows Server 2025 and later.
<70> Section 3.1.4.5.1: Windows checks whether the SID is valid, but does not validate the structure of the SID.
<71> Section 3.1.4.5.5: Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 ignore invalid LUIDs and return STATUS_SUCCESS instead of STATUS_INVALID_PARAMETER.
<72> Section 3.1.4.5.6: Windows Vista and later do not allow removal of "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeImpersonatePrivilege", and "SeCreateGlobalPrivilege" from accounts represented with SIDs "S-1-5-19" and "S-1-5-20". Such requests are rejected with STATUS_NOT_SUPPORTED.
<73> Section 3.1.4.5.9: Furthermore, Windows checks that the caller is a member of Builtin Administrators.
<74> Section 3.1.4.5.12: Windows Vista and later and Windows Server 2008 and later do not allow removal of "SeAuditPrivilege", "SeChangeNotifyPrivilege", "SeImpersonatePrivilege", and "SeCreateGlobalPrivilege" from accounts represented with SIDs "S-1-5-19" and "S-1-5-20". Such requests are rejected with STATUS_NOT_SUPPORTED.
<75> Section 3.1.4.6: Windows 2000 Server, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008 support these methods. Windows 7 and later and Windows Server 2008 R2 and later support these methods by default, but can be configured not to support them.
<76> Section 3.1.4.6.1: Windows NT 4.0 and Windows 2000 Professional and later, and Windows NT 4.0, Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later limit the secret name length to 128 characters. Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 return STATUS_NAME_TOO_LONG for lengths that are greater than 128 characters. Windows Vista and later and Windows Server 2008 and later return STATUS_INVALID_PARAMETER for lengths that are greater than 128 characters.
<77> Section 3.1.4.6.1: Windows 2000 Professional and later, and Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later do not allow a secret whose name is prefixed by "G$$" to be created, and return STATUS_INVALID_PARAMETER to indicate this constraint failure to the caller.
<78> Section 3.1.4.6.1: Windows Server 2003 and Windows Server 2003 R2 and later, and Windows Vista and later do not allow the secret name to be "G$$", "G$", "L$", "M$", "_sc_", "NL$", "RasDialParams" or "RasCredentials". They return STATUS_INVALID_PARAMETER to indicate this constraint failure to the caller.
<79> Section 3.1.4.6.1: Global secrets (those that are prefixed with "G$") cannot be created on domain controllers on which the directory service is stopped. A request to create a global secret on a domain controller on which the directory service is stopped fails with status code STATUS_DIRECTORY_SERVICE_REQUIRED.
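The name constraints in notes <76> through <79> are server-side input validation; the following added example (this is illustrative code, not Windows's implementation) gathers them into one check that returns the NTSTATUS name each note specifies. The order in which the checks run, the case-insensitive comparison of names, and the boolean version switches are assumptions of this example; the specification only states the individual constraints.

```python
from typing import Set

# Constraints taken from notes <76>-<79>.
MAX_SECRET_NAME_CHARS = 128
RESERVED_SECRET_NAMES: Set[str] = {
    "G$$", "G$", "L$", "M$", "_sc_", "NL$", "RasDialParams", "RasCredentials",
}
GLOBAL_SECRET_PREFIX = "G$"      # global secrets live in the directory
FORBIDDEN_PREFIX = "G$$"         # reserved for downlevel trusted-domain compatibility


def validate_secret_name(
    name: str,
    *,
    pre_vista: bool = False,     # NT 4.0 .. Server 2003 R2 report over-long names differently
    is_domain_controller: bool = False,
    directory_service_running: bool = True,
) -> str:
    """Return the NTSTATUS name a server following notes <76>-<79> would hand back
    for a LsarCreateSecret request with this name. Check ordering is an assumption."""
    # <76>: 128-character limit; older versions say NAME_TOO_LONG, Vista/2008+ say INVALID_PARAMETER.
    if len(name) > MAX_SECRET_NAME_CHARS:
        return "STATUS_NAME_TOO_LONG" if pre_vista else "STATUS_INVALID_PARAMETER"
    folded = name.casefold()     # assumption: LSA secret names compare case-insensitively
    # <77>: no secret may be created with the "G$$" prefix.
    if folded.startswith(FORBIDDEN_PREFIX.casefold()):
        return "STATUS_INVALID_PARAMETER"
    # <78>: a handful of bare names are reserved.
    if folded in {r.casefold() for r in RESERVED_SECRET_NAMES}:
        return "STATUS_INVALID_PARAMETER"
    # <79>: global secrets need the directory service on a domain controller.
    if (folded.startswith(GLOBAL_SECRET_PREFIX.casefold())
            and is_domain_controller and not directory_service_running):
        return "STATUS_DIRECTORY_SERVICE_REQUIRED"
    return "STATUS_SUCCESS"


if __name__ == "__main__":
    for candidate in ("L$MyServiceKey", "G$$CONTOSO", "NL$", "x" * 129):
        print(f"{candidate[:20]!r:24} -> {validate_secret_name(candidate)}")
```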
<80> Section 3.1.4.6.2: Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later have a special case for secret name search for downlevel compatibility with Windows NT 3.1, Windows NT 3.5, and Windows NT 3.51. If the secret name is in the form "G$$<NAME>", where "<NAME>" matches the name of a trusted domain, the response is STATUS_SUCCESS. In this case, secret information is Authentication Information of type TRUST_AUTH_TYPE_CLEAR ([MS-ADTS] section 6.1.6.9.1.1, the AuthType field) from the trusted domain object.
<81> Section 3.1.4.6.3: Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later have a special case for secret set operation for downlevel compatibility with Windows NT 3.1, Windows NT 3.5, and Windows NT 3.51. If the secret name is in the form "G$$<NAME>", where "<NAME>" matches the name of a trusted domain, the result is that the set request writes the secret value into the authentication information section of the trusted domain object. The access check in this case is identical to that required for setting authentication information on a trusted domain object, rather than that pertaining to changing a secret value.
<82> Section 3.1.4.6.3: If decryption of EncryptedCurrentValue fails, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, and Windows Vista return STATUS_UNKNOWN_REVISION (0xC0000058); Windows Server 2008 and later and Windows 7 and later return STATUS_INVALID_PARAMETER_1 (0xC00000EF).
<83> Section 3.1.4.6.3: If decryption of EncryptedOldValue fails, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, and Windows Vista return STATUS_UNKNOWN_REVISION (0xC0000058); Windows Server 2008 and later and Windows 7 and later return STATUS_INVALID_PARAMETER_1 (0xC00000EF).
<84> Section 3.1.4.6.4: Windows rejects the secret query requests of type "system" by returning STATUS_ACCESS_DENIED. Windows also rejects the secret query requests of type "local" from network clients with STATUS_ACCESS_DENIED.
<85> Section 3.1.4.6.4: If Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2 process a global secret with a value that has its Length field set to 0, they fill in the EncryptedCurrentValue with the following values before encryption.
- Length = 0
- MaximumLength = 0
Windows Server 2008 and later set the value of EncryptedCurrentValue to NULL.
<86> Section 3.1.4.6.4: If Windows 2000 Server, Windows Server 2003, or Windows Server 2003 R2 process a global secret with a value that has its Length field set to 0, they fill in the EncryptedOldValue with the following values before encryption.
- Length = 0
- MaximumLength = 0
Windows Server 2008 and later set the value of EncryptedOldValue to NULL.
<87> Section 3.1.4.6.5: If decryption of EncryptedData fails, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, and Windows Vista return STATUS_UNKNOWN_REVISION (0xC0000058); Windows Server 2008 and later and Windows 7 and later return STATUS_INVALID_PARAMETER_1 (0xC00000EF).
<88> Section 3.1.4.6.7: Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].
<89> Section 3.1.4.6.8: Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].
<90> Section 3.1.4.6.9: Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].
<91> Section 3.1.4.6.10: Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].
<92> Section 3.1.4.6.11: Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].
<93> Section 3.1.4.6.12: Available in client versions later than Windows 11, version 23H2, server versions later than Windows Server 2022, 23H2, and versions updated with [MSFT-CVE-2024-20692].
<94> Section 3.1.4.7: Windows NT 3.1, Windows NT 3.5, Windows NT 3.51, and Windows NT 4.0 use trusted domain objects on non–domain controllers to join a machine to a domain. Therefore, trusted domain object methods are allowed on these products even when the machine is not a domain controller. There is, however, one extra check in this case, which is that the trusted domain object's security identifier has to be the same as the security identifier in Primary Domain Information. This also artificially limits the number of trusted domain objects on such systems to one.
<95> Section 3.1.4.7.1: Windows Server 2003 and Windows Server 2003 R2 and later disallow callers that do not have the AuthenticatedUsers SID in their token from accessing trusted domain objects. Requests by such users are rejected with STATUS_ACCESS_DENIED.
<96> Section 3.1.4.7.1: On Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later, Active Directory has to be running on the server in order for this request to succeed. Failing that, the STATUS_DIRECTORY_SERVICE_REQUIRED status code is returned.
<97> Section 3.1.4.7.3: Read-only domain controllers are supported on servers running Windows Server 2008 and later. They return the STATUS_OBJECT_NAME_NOT_FOUND error.
<98> Section 3.1.4.7.3: Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 support these InformationClass values.
<99> Section 3.1.4.7.4: Read-only domain controllers are supported on servers running Windows Server 2008 and later. They return the STATUS_OBJECT_NAME_NOT_FOUND error.
<100> Section 3.1.4.7.10: Windows Server 2003 for Small Business Server 2003 does not support this message. Attempts to create a TDO in this environment cause the server to return STATUS_NOT_SUPPORTED_ON_SBS.
<101> Section 3.1.4.7.10: The operation is not supported on Windows Server 2003 for Small Business Server 2003.
<102> Section 3.1.4.7.10: Servers running Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 return the STATUS_INVALID_DOMAIN_STATE error when the TRUST_ATTRIBUTE_FOREST_TRANSITIVE or the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit is set in the TrustAttributes field of the TrustedDomainInformation input parameter.
<103> Section 3.1.4.7.10: Read-only domain controllers are supported on servers running Windows Server 2008 and later. They return the STATUS_OBJECT_NAME_NOT_FOUND error.
<104> Section 3.1.4.7.11: The operation is not supported on Windows Server 2003 for Small Business Server 2003.
<105> Section 3.1.4.7.12: The operation is not supported on Windows Server 2003 for Small Business Server 2003.
<106> Section 3.1.4.7.13: When not at DS_BEHAVIOR_WIN2003 forest functional level, Windows Server 2003 and Windows Server 2003 R2 and later hide the presence of the TRUST_ATTRIBUTE_FOREST_TRANSITIVE bit in the Trust Attributes field of a trusted domain object.
<107> Section 3.1.4.7.14: Servers running Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 return the STATUS_INVALID_INFO_CLASS error when the information class is TrustedDomainInformationBasic.
<108> Section 3.1.4.7.14: Servers running Windows Server 2008 and later return the STATUS_OBJECT_NAME_NOT_FOUND error.
<109> Section 3.1.4.7.17: Windows Server 2003 for Windows Small Business Server 2003 (Windows SBS) server software does not support this message. Attempts to create a TDO in this environment cause the server to return STATUS_NOT_SUPPORTED_ON_SBS (0xC0000300), as specified in Return Values of section 3.1.4.7.12.
<110> Section 3.1.4.7.18: Retrieving information about a trust relationship with another forest is supported by the operating systems specified in [MSFT-CVE-2022-21857], each with its related KB article download installed.
<111> Section 3.1.4.7.19: The manipulation of forest trust information is supported by the operating systems specified in [MSFT-CVE-2022-21857], each with its related KB article download installed.
<112> Section 3.1.4.9.1: The server will not return the security descriptor of objects that it stores in Active Directory. It will return the security descriptor of objects in its local policy only. The objects stored in Active Directory include Global Secrets and trusted domain objects in Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 and later. For objects that fall into this category, the server will return the STATUS_NOT_SUPPORTED status code.
<113> Section 3.1.4.9.2: The server will not return the security descriptor of objects that it stores in Active Directory. It will return the security descriptor of objects in its local policy only. The objects stored in Active Directory include Global Secrets and trusted domain objects. For objects that fall into this category, the server returns the STATUS_NOT_SUPPORTED status code.
<114> Section 3.1.4.10: On Windows Server 2008 and later, when processing the LsarOpenSecret (section 3.1.4.6.2) and LsarCreateSecret (section 3.1.4.6.1) methods, the Length of the string need not be a multiple of 2. If Length is not a multiple of 2, the length of the Unicode string is assumed to be Length – 1.
<115> Section 3.1.4.10: Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 do not perform this check. On Windows Server 2008 and later, when processing the LsarOpenSecret and LsarCreateSecret methods, the Buffer field is allowed to contain zero or more NULL Unicode characters at the end of the string.
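The two relaxations in notes <114> and <115> (an odd Length is read as Length – 1, and trailing NULL characters are tolerated) are easy to get wrong on either side of the wire, so here is an added example, not taken from the specification or from Windows, of how a receiver can apply them to the raw bytes of a secret name. The Windows Server 2008-and-later behaviour is the only one modelled; the sample buffers are constructed for the example.

```python
def decode_secret_name_buffer(buffer: bytes, length: int) -> str:
    """Decode the Buffer/Length pair of a counted UTF-16LE string the way notes
    <114> and <115> describe for Windows Server 2008 and later.

    - Length larger than the buffer is rejected outright (assumption: treat as malformed).
    - An odd Length is treated as Length - 1 (note <114>).
    - Any number of trailing U+0000 characters is dropped (note <115>).
    """
    if length < 0 or length > len(buffer):
        raise ValueError(f"Length {length} does not fit a {len(buffer)}-byte buffer")
    if length % 2:
        length -= 1                      # note <114>: odd byte count, ignore the dangling byte
    text = buffer[:length].decode("utf-16-le")
    return text.rstrip("\x00")           # note <115>: zero or more trailing NULLs are allowed


def encode_secret_name(name: str) -> bytes:
    """Client-side counterpart: exact UTF-16LE bytes with no terminator."""
    return name.encode("utf-16-le")


if __name__ == "__main__":
    # Constructed sample: "L$Key" (10 bytes) followed by two NUL characters and one stray byte.
    wire = encode_secret_name("L$Key") + b"\x00\x00\x00\x00" + b"\xff"
    print(repr(decode_secret_name_buffer(wire, 15)))   # odd Length -> 14 -> trailing NULs stripped
```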
<116> Section 3.1.4.10: Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 implementations of this protocol do not validate the Luid.HighPart field.
<117> Section 3.1.4.10: Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 implementations of this protocol do not validate the Luid.LowPart field.
<118> Section 3.1.4.10: Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2003 R2 implementations of this protocol do not validate the Attributes field.
<119> Section 5.1.5: The AES cipher AEAD-AES-256-CBC-HMAC-SHA512 and supporting methods, structures, and processing details that enable AES wire encryption protections of sensitive data with this protocol are supported on the operating systems specified in [MSFT-CVE-2022-21913], each with its related KB article download installed.