/*++

Copyright (c) 1990  Microsoft Corporation

Module Name:

    regnames.txt

Abstract:

    This file describes the registry namespace used to back-store the
    SAM database.

Author:

    Jim Kelly (JimK) 3-June-1991

Revision History:

    1.0 - Initial implementation
    1.1 - Conversion to FlexAdmin model

--*/

/*

The following notation is used:

    Xxx         is the unicode name of a registry key.  For example,
                "PasswordExpires".

    (Xxx)       is a description of a registry key's name.  For example,
                "(UserName)" might indicate that the key name is a user's
                name.

    [kvt,Value] kvt is the key value type, and Value describes the value of
                a registry key.  If no specific key value type is used, then
                [,Value] references just the value.  If the key has a key
                value type, but no key value, then [kvt,] notation is used.

Individual keys or key values may be referenced in the description as follows:

    SAM/Domains/(DomainName)/Users/(UserName)
            - references a particular user name in a particular domain.

    SAM/Domains/(DomainName)/Users/(UserName)[,Rid]
            - references a value of a named key.

    .../(UserName) or .../(UserName)[Rid] may also be used as a shorthand
    notation when I get tired of typing out the whole name.

NOTE: In several instances, a RID is used as a key name.  In this case an
      ASCII conversion of the ULONG value is used.  The name is printable
      and contains no zero bytes.

///////////////////////////////////////////////////////////////////////////////

The structure of the registry namespace used to back-store the SAM database
is as follows:

    SAM [Revision,SecurityDescriptor]
    --+-
      +-- Domains ----+--
                      +-- (DomainName1) [,SecurityDescriptor]
                      |   (...)
                      +-- (DomainNameN) [,SecurityDescriptor]

The structure under each named domain is as follows:

    (DomainName) [Revision, SecurityDescriptor]
    ----+-------
        +-- V1_Fixed [, SAMP_V1_FIXED_LENGTH_DOMAIN]
        +-- DomainSid [,SidValue]
        +-- OemInformation [,unicode string]
        +-- ReplicaSourceNodeName [,unicode string]
        |
        +-- Users [Count,]
        |   ---+-
        |      +-- Names
        |      |   --+---
        |      |     +-- (UserName1) [UserRid,]
        |      |     |   (...)
        |      |     +-- (UserNameL) [UserRid,]
        |      |
        |      +-- (UserRid1) [Revision,SecurityDescriptor]
        |      |   (...)
        |      +-- (UserRidL) [Revision,SecurityDescriptor]
        |
        +-- Groups [Count,]
        |   ---+--
        |      +-- Names
        |      |   --+---
        |      |     +-- (GroupName1) [GroupRid,]
        |      |     |   (...)
        |      |     +-- (GroupNameM) [GroupRid,]
        |      |
        |      +-- (GroupRid1) [Revision,SecurityDescriptor]
        |      |   (...)
        |      +-- (GroupRidM) [Revision,SecurityDescriptor]
        |
        |
        +-- Aliases [Count,]
            ---+---
               +-- Names
               |   --+---
               |     +-- (AliasName1) [AliasRid,]
               |     |   (...)
               |     +-- (AliasNameN) [AliasRid,]
               |
               +-- (AliasRid1) [Revision,SecurityDescriptor]
               |   (...)
               +-- (AliasRidN) [Revision,SecurityDescriptor]
               |
               |
               +-- Members [DomainCount,]
                   --+----
                     +-- (DomainSid1) [RidCount,]
                     |   -------+----
                     |          +-- (AccountRid0) [AliasCount,(Alias0Rid, (...), AliasX-1Rid)]
                     |          |   (...)
                     |          +-- (AccountRidY) [AliasCount,(Alias0Rid, (...), AliasX-1Rid)]
                     |
                     +-- (DomainSid2) [RidCount,]
                     |   ------------
                     |          +-- (AccountRid0) [AliasCount,(Alias0Rid, (...), AliasX-1Rid)]
                     |          |   (...)
                     |          +-- (AccountRidZ) [AliasCount,(Alias0Rid, (...), AliasX-1Rid)]
                     .
                     .
                     .
The structure under each (UserRid) is as follows:

    (UserRid) [Revision,SecurityDescriptor]
        +-- V1_Fixed [,SAMP_V1_FIXED_LENGTH_USER]
        +-- AccountName [,unicode string]
        +-- FullName [,unicode string]
        +-- AdminComment [,unicode string]
        +-- UserComment [,unicode string]
        +-- Parameters [,unicode string]
        +-- HomeDirectory [,unicode string]
        +-- HomeDirectoryDrive [,unicode string]
        +-- ScriptPath [,unicode string]
        +-- Workstations [,unicode string]
        +-- CaseInsensitiveDbcs [,dbcs string]
        +-- CaseSensitiveUnicode [,unicode string]
        +-- LmPasswordHistory [,unicode string]
        +-- NtPasswordHistory [,unicode string]
        +-- LogonHours [See Note On Logon Hours]
        +-- ProfilePath [,unicode string]
        +-- Groups [Count,(Group0Rid/Attributes, (...), GroupY-1Rid/Attributes)]

The structure under each (GroupRid) is as follows:

    (GroupRid) [Revision,SecurityDescriptor]
    ---+-----
       +-- V1_Fixed [,SAM_V1_FIXED_LENGTH_GROUP]
       +-- Name [,Name]
       +-- AdminComment [,unicode string]
       +-- Members [Count,(Member0Rid, (...), MemberX-1Rid)]

The structure under each (AliasRid) is as follows:

    (AliasRid) [Revision,SecurityDescriptor]
    ---+-----
       +-- V1_Fixed [,SAM_V1_FIXED_LENGTH_ADMIN]
       +-- Name [,Name]
       +-- AdminComment [,unicode string]
       +-- Members [Count,(Member0Sid, (...), MemberX-1Sid)]

The structure under the Alias\Members key is used for looking up the aliases
a SID is a member of (at logon time).  These keys have the following
description:

    - keyValueType of Alias\Members -

          This field contains a count of domains whose accounts are
          included as alias members.  For example, if there are three
          aliases, and these aliases collectively have the following
          members:

                \MS\SYS\NTDEV\JIMK
                \MS\SYS\NTDEV\DAVEC
                \MS\SYS\NTDEV\CHADS
                \MS\SYS\NTPGM\BOBMU
                \MS\EXEC\BILLG
                \MS\EXEC\PAULMA
                \MS\EXEC\STEVEB

          then this represents accounts from 3 domains ("\MS\SYS\NTDEV",
          "\MS\SYS\NTPGM", and "\MS\EXEC").  So, the DomainCount would
          be three.
    - Each Alias\Members\(DomainSid) key -

          These each have a name representing the SID of one of the
          domains counted in the DomainCount.

    - Under each Alias\Members\(DomainSid) key -

          There is a single key for each account in that domain that is
          a member of an alias.  The names of these keys are printable
          representations of their RIDs.  The KeyValueType field of these
          keys contains a count of the aliases the SID is a member of.
          The KeyValue field contains an array of RIDs of the Aliases
          that the SID is a member of.

===============================================================================

Logon Hours are stored as follows:

    The KeyValueType is used to store the UnitsPerWeek value.  This value
    may not exceed SAM_MINUTES_PER_WEEK (10080).

    The actual bitmask of legitimate logon times is stored as the key
    value.  The number of bytes stored is ((KeyValueType + 1) / 8).

    If there are no logon time restrictions, the key will have a
    KeyValueType of zero and there will be no KeyValue.

REVISION HISTORY
----------------

Revision 1.0, 3-June-1991, Jim Kelly (JimK)
    - Initial implementation

Revision 1.1, 4-Jan-1992, Jim Kelly (JimK)
    - Conversion to FlexAdmin model.
    - Added all Alias fields.  Notice that the members of aliases are SIDs,
      not RIDs.  This makes alias membership marshalling much more difficult
      than for Group objects.
    - Drop the following fields:
          (UserRid)/LogonServer
    - Added the following fields:
          (UserRid)/ProfilePath
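The Alias\Members reverse index described above (DomainCount under Members, RidCount under each (DomainSid), AliasCount plus an array of alias RIDs under each (AccountRid)), built from a set of aliases whose members are SIDs and then used for the logon-time lookup. This is an added example in Python, not code from the SAM sources. The SID strings, RIDs, alias numbers and the mapping of the page's seven example accounts onto constructed domain SIDs are all made up for the example; the 8-digit upper-case hexadecimal key name for a RID is an assumption, since the page only says the ULONG is converted to printable ASCII.

```python
# Added example (not SAM code): build the Alias\Members reverse index from
# alias -> member-SID lists, then answer "which aliases is this SID in?".
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an account SID string into (domain SID, RID).

    The RID is the final sub-authority, so everything before the last '-'
    names the domain. Input format is the textual S-1-... form (assumption).
    """
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not an account SID: {sid!r}")
    return domain, int(rid)


def rid_key_name(rid: int) -> str:
    """Printable, zero-byte-free key name for a RID.

    The page only says an ASCII conversion of the ULONG is used; the
    8-digit upper-case hex form chosen here is an assumption.
    """
    if not 0 <= rid <= 0xFFFFFFFF:
        raise ValueError("RID must fit in a ULONG")
    return f"{rid:08X}"


def build_alias_members(aliases: Dict[int, Iterable[str]]) -> Dict[str, Dict[str, List[int]]]:
    """Return the Alias\\Members tree as {DomainSid: {RidKeyName: [AliasRid, ...]}}.

    DomainCount is len(result); RidCount is len(result[domain]); AliasCount
    is len(result[domain][rid_key]); the list itself is the stored RID array.
    """
    index: Dict[str, Dict[str, List[int]]] = defaultdict(lambda: defaultdict(list))
    for alias_rid, members in aliases.items():
        for sid in members:
            domain_sid, rid = split_sid(sid)
            alias_list = index[domain_sid][rid_key_name(rid)]
            if alias_rid not in alias_list:      # an alias lists a member once
                alias_list.append(alias_rid)
    return {domain: dict(accounts) for domain, accounts in index.items()}


def aliases_for_logon(index: Dict[str, Dict[str, List[int]]], sids: Iterable[str]) -> List[int]:
    """Logon-time lookup: union of the alias RIDs recorded for every SID given
    (the user's own SID and each group SID that will be in the token)."""
    found = set()
    for sid in sids:
        domain_sid, rid = split_sid(sid)
        found.update(index.get(domain_sid, {}).get(rid_key_name(rid), []))
    return sorted(found)


# Constructed sample data standing in for the page's three domains.
NTDEV = "S-1-5-21-1-1-1"   # stand-in for \MS\SYS\NTDEV
NTPGM = "S-1-5-21-2-2-2"   # stand-in for \MS\SYS\NTPGM
EXEC = "S-1-5-21-3-3-3"    # stand-in for \MS\EXEC
JIMK, DAVEC, CHADS = f"{NTDEV}-1001", f"{NTDEV}-1002", f"{NTDEV}-1003"
BOBMU = f"{NTPGM}-1004"
BILLG, PAULMA, STEVEB = f"{EXEC}-1005", f"{EXEC}-1006", f"{EXEC}-1007"

SAMPLE_ALIASES = {          # AliasRid -> member SIDs (constructed)
    1000: [JIMK, DAVEC, BILLG],
    1001: [CHADS, BOBMU],
    1002: [PAULMA, STEVEB, JIMK],
}

SAMPLE_INDEX = build_alias_members(SAMPLE_ALIASES)

if __name__ == "__main__":
    print("DomainCount:", len(SAMPLE_INDEX))                 # 3, as on the page
    for domain, accounts in SAMPLE_INDEX.items():
        print(domain, "RidCount:", len(accounts), accounts)
    print("JIMK aliases:", aliases_for_logon(SAMPLE_INDEX, [JIMK]))
```

Because membership is keyed by domain SID first and RID second, a logon that presents SIDs from several domains costs one key open per domain plus one per account, which is the reason the page stores the index this way instead of scanning every alias's member list.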
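The LogonHours layout from the note above (KeyValueType holds UnitsPerWeek, the KeyValue holds the bitmask, and a KeyValueType of zero with no KeyValue means no restriction), encoded, validated and queried in Python. This is an added example, not code from the SAM sources. It uses the page's byte-count formula and its 10080 upper bound as given; the bit ordering (bit i, least-significant bit first within each byte, covers unit i counted from the first minute of the week), the 7- and 168-unit granularities used in the samples, and every sample value are assumptions made for the example.

```python
# Added example (not SAM code): encode/validate/query a LogonHours value
# stored as (KeyValueType = UnitsPerWeek, KeyValue = bitmask).
from typing import Iterable, Optional, Tuple

SAM_MINUTES_PER_WEEK = 10080     # upper bound for UnitsPerWeek stated on the page
MINUTES_PER_WEEK = 7 * 24 * 60   # 10080 minutes in a week


def logon_hours_byte_count(units_per_week: int) -> int:
    """Size of the stored bitmask, using the page's formula
    ((KeyValueType + 1) / 8) with integer division."""
    return (units_per_week + 1) // 8


def validate_logon_hours(key_value_type: int, key_value: Optional[bytes]) -> None:
    """Raise ValueError unless (KeyValueType, KeyValue) is a well-formed pair."""
    if key_value_type == 0:
        # No restrictions: the page says there is then no KeyValue at all.
        if key_value:
            raise ValueError("KeyValueType 0 must carry no KeyValue")
        return
    if key_value_type > SAM_MINUTES_PER_WEEK:
        raise ValueError("UnitsPerWeek may not exceed SAM_MINUTES_PER_WEEK")
    if MINUTES_PER_WEEK % key_value_type:
        raise ValueError("UnitsPerWeek must divide the week into equal units")
    expected = logon_hours_byte_count(key_value_type)
    if expected * 8 < key_value_type:
        # Defensive: for the conventional granularities (7, 168, 10080) the
        # page's formula covers every unit; refuse a value it would not cover.
        raise ValueError("stored byte count would not cover every unit")
    if key_value is None or len(key_value) != expected:
        raise ValueError(f"expected exactly {expected} bytes of bitmask")


def is_well_formed(key_value_type: int, key_value: Optional[bytes]) -> bool:
    """Boolean form of validate_logon_hours for callers that do not want exceptions."""
    try:
        validate_logon_hours(key_value_type, key_value)
    except ValueError:
        return False
    return True


def encode_logon_hours(units_per_week: int, allowed_units: Iterable[int]) -> Tuple[int, bytes]:
    """Build (KeyValueType, KeyValue) from the set of permitted unit indexes.

    Assumption: bit i (LSB-first within each byte) covers unit i, counted
    from the first minute of the week.
    """
    mask = bytearray(logon_hours_byte_count(units_per_week))
    for unit in allowed_units:
        if not 0 <= unit < units_per_week:
            raise ValueError(f"unit {unit} out of range for {units_per_week} units")
        mask[unit // 8] |= 1 << (unit % 8)
    value = bytes(mask)
    validate_logon_hours(units_per_week, value)
    return units_per_week, value


def logon_permitted(key_value_type: int, key_value: Optional[bytes], minute_of_week: int) -> bool:
    """True if logon is allowed at minute_of_week (0 = first minute of the week)."""
    validate_logon_hours(key_value_type, key_value)
    if not 0 <= minute_of_week < MINUTES_PER_WEEK:
        raise ValueError("minute_of_week out of range")
    if key_value_type == 0:
        return True                              # no restrictions stored
    minutes_per_unit = MINUTES_PER_WEEK // key_value_type
    unit = minute_of_week // minutes_per_unit
    return bool((key_value[unit // 8] >> (unit % 8)) & 1)


def minute_of_week(day: int, hour: int, minute: int = 0) -> int:
    """Convert (day 0-6, hour 0-23, minute 0-59) to a minute index in the week."""
    return (day * 24 + hour) * 60 + minute


# Constructed sample: hourly granularity (168 units), days 1..5 of the week,
# 09:00 through 16:59 only.
BUSINESS_HOURS = {day * 24 + hour for day in range(1, 6) for hour in range(9, 17)}
SAMPLE_KVT, SAMPLE_VALUE = encode_logon_hours(168, BUSINESS_HOURS)

if __name__ == "__main__":
    print(len(SAMPLE_VALUE), "bytes stored")                                   # 21
    print(logon_permitted(SAMPLE_KVT, SAMPLE_VALUE, minute_of_week(1, 10)))    # True
    print(logon_permitted(SAMPLE_KVT, SAMPLE_VALUE, minute_of_week(0, 10)))    # False
    print(logon_permitted(0, None, minute_of_week(0, 3)))                      # True
```

The two things worth checking when reading such a value back are the ones the validator enforces: a non-zero KeyValueType must come with exactly the number of bytes the formula predicts, and a zero KeyValueType must come with none, so that a truncated or stray value is rejected rather than silently read as "always allowed" or "never allowed".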