d2/dcb/dll_2win32_2samsrv_2security_8c_source.html

 /*
  * COPYRIGHT:       See COPYING in the top level directory
  * PROJECT:         Security Account Manager (SAM) Server
  * FILE:            reactos/dll/win32/samsrv/security.c
  * PURPOSE:         Security descriptor functions
  *
  * PROGRAMMERS:     Eric Kohl
  */

 #include "samsrv.h"

 /* GLOBALS *****************************************************************/

 static SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY};
 static SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};


 /* FUNCTIONS ***************************************************************/

 NTSTATUS
 SampCreateServerSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
                    OUT PULONG Size)
 {
     PSECURITY_DESCRIPTOR AbsSD = NULL;
     PSECURITY_DESCRIPTOR RelSD = NULL;
     PSID EveryoneSid = NULL;
     PSID AnonymousSid = NULL;
     PSID AdministratorsSid = NULL;
     PACL Dacl = NULL;
     PACL Sacl = NULL;
     ULONG DaclSize;
     ULONG SaclSize;
     ULONG RelSDSize = 0;
     NTSTATUS Status = STATUS_SUCCESS;


     /* Create the Everyone SID */
     Status = RtlAllocateAndInitializeSid(&WorldAuthority,
                                          1,
                                          SECURITY_WORLD_RID,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &EveryoneSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Anonymous SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          1,
                                          SECURITY_ANONYMOUS_LOGON_RID,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AnonymousSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Administrators SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          2,
                                          SECURITY_BUILTIN_DOMAIN_RID,
                                          DOMAIN_ALIAS_RID_ADMINS,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AdministratorsSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;


     /* Allocate a buffer for the absolute SD */
     AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
                             HEAP_ZERO_MEMORY,
                             sizeof(SECURITY_DESCRIPTOR));
     if (AbsSD == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     /* Create the absolute SD */
     Status = RtlCreateSecurityDescriptor(AbsSD,
                                          SECURITY_DESCRIPTOR_REVISION);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* allocate and create the DACL */
     DaclSize = sizeof(ACL) +
                2 * sizeof(ACE) +
                RtlLengthSid(EveryoneSid) +
                RtlLengthSid(AdministratorsSid);

     Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
                            HEAP_ZERO_MEMORY,
                            DaclSize);
     if (Dacl == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     Status = RtlCreateAcl(Dacl,
                           DaclSize,
                           ACL_REVISION);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     SAM_SERVER_READ | SAM_SERVER_EXECUTE,
                                     EveryoneSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     SAM_SERVER_ALL_ACCESS,
                                     AdministratorsSid);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the DACL */
     Status = RtlSetDaclSecurityDescriptor(AbsSD,
                                           TRUE,
                                           Dacl,
                                           FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* allocate and create the SACL */
     SaclSize = sizeof(ACL) +
                2 * sizeof(ACE) +
                RtlLengthSid(EveryoneSid) +
                RtlLengthSid(AnonymousSid);

     Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
                            HEAP_ZERO_MEMORY,
                            DaclSize);
     if (Sacl == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     Status = RtlCreateAcl(Sacl,
                           SaclSize,
                           ACL_REVISION);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAuditAccessAce(Sacl,
                                   ACL_REVISION,
                                   ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
                                   SAM_SERVER_CREATE_DOMAIN | SAM_SERVER_INITIALIZE |
                                   SAM_SERVER_SHUTDOWN,
                                   EveryoneSid,
                                   TRUE,
                                   TRUE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAuditAccessAce(Sacl,
                                   ACL_REVISION,
                                   STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
                                   AnonymousSid,
                                   TRUE,
                                   TRUE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the SACL */
     Status = RtlSetSaclSecurityDescriptor(AbsSD,
                                           TRUE,
                                           Sacl,
                                           FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the owner SID */
     Status = RtlSetOwnerSecurityDescriptor(AbsSD,
                                            AdministratorsSid,
                                            FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the group SID */
     Status = RtlSetGroupSecurityDescriptor(AbsSD,
                                            AdministratorsSid,
                                            FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Get the reqired buffer size for the self-relative SD */
     Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
                                          NULL,
                                          &RelSDSize);
     if (Status != STATUS_BUFFER_TOO_SMALL)
         goto done;

     /* Allocate a buffer for the self-relative SD */
     RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
                             HEAP_ZERO_MEMORY,
                             RelSDSize);
     if (RelSD == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     /* Convert the absolute SD to self-relative format */
     Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
                                          RelSD,
                                          &RelSDSize);
     if (Status == STATUS_BUFFER_TOO_SMALL)
     {
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     *ServerSd = RelSD;
     *Size = RelSDSize;

 done:
     if (!NT_SUCCESS(Status))
     {
         if (RelSD != NULL)
             RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
     }

     if (EveryoneSid != NULL)
         RtlFreeSid(EveryoneSid);

     if (AnonymousSid != NULL)
         RtlFreeSid(AnonymousSid);

     if (AdministratorsSid != NULL)
         RtlFreeSid(AdministratorsSid);

     if (Dacl != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);

     if (Sacl != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);

     if (AbsSD != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);

     return Status;
 }


 NTSTATUS
 SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
                           OUT PULONG Size)
 {
     PSECURITY_DESCRIPTOR AbsSD = NULL;
     PSECURITY_DESCRIPTOR RelSD = NULL;
     PSID EveryoneSid = NULL;
     PSID AnonymousSid = NULL;
     PSID AdministratorsSid = NULL;
     PACL Dacl = NULL;
     PACL Sacl = NULL;
     ULONG DaclSize;
     ULONG SaclSize;
     ULONG RelSDSize = 0;
     NTSTATUS Status = STATUS_SUCCESS;


     /* Create the Everyone SID */
     Status = RtlAllocateAndInitializeSid(&WorldAuthority,
                                          1,
                                          SECURITY_WORLD_RID,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &EveryoneSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Anonymous SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          1,
                                          SECURITY_ANONYMOUS_LOGON_RID,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AnonymousSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Administrators SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          2,
                                          SECURITY_BUILTIN_DOMAIN_RID,
                                          DOMAIN_ALIAS_RID_ADMINS,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AdministratorsSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;


     /* Allocate a buffer for the absolute SD */
     AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
                             HEAP_ZERO_MEMORY,
                             sizeof(SECURITY_DESCRIPTOR));
     if (AbsSD == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     /* Create the absolute SD */
     Status = RtlCreateSecurityDescriptor(AbsSD,
                                          SECURITY_DESCRIPTOR_REVISION);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* allocate and create the DACL */
     DaclSize = sizeof(ACL) +
                2 * sizeof(ACE) +
                RtlLengthSid(EveryoneSid) +
                RtlLengthSid(AdministratorsSid);

     Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
                            HEAP_ZERO_MEMORY,
                            DaclSize);
     if (Dacl == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     Status = RtlCreateAcl(Dacl,
                           DaclSize,
                           ACL_REVISION);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     DOMAIN_READ | DOMAIN_EXECUTE,
                                     EveryoneSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     SAM_SERVER_ALL_ACCESS,
                                     AdministratorsSid);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the DACL */
     Status = RtlSetDaclSecurityDescriptor(AbsSD,
                                           TRUE,
                                           Dacl,
                                           FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* allocate and create the SACL */
     SaclSize = sizeof(ACL) +
                2 * sizeof(ACE) +
                RtlLengthSid(EveryoneSid) +
                RtlLengthSid(AnonymousSid);

     Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
                            HEAP_ZERO_MEMORY,
                            DaclSize);
     if (Sacl == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     Status = RtlCreateAcl(Sacl,
                           SaclSize,
                           ACL_REVISION);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAuditAccessAce(Sacl,
                                   ACL_REVISION,
                                   ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
                                   SAM_SERVER_CREATE_DOMAIN | SAM_SERVER_INITIALIZE |
                                   SAM_SERVER_SHUTDOWN,
                                   EveryoneSid,
                                   TRUE,
                                   TRUE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAuditAccessAce(Sacl,
                                   ACL_REVISION,
                                   STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
                                   AnonymousSid,
                                   TRUE,
                                   TRUE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the SACL */
     Status = RtlSetSaclSecurityDescriptor(AbsSD,
                                           TRUE,
                                           Sacl,
                                           FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the owner SID */
     Status = RtlSetOwnerSecurityDescriptor(AbsSD,
                                            AdministratorsSid,
                                            FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the group SID */
     Status = RtlSetGroupSecurityDescriptor(AbsSD,
                                            AdministratorsSid,
                                            FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Get the reqired buffer size for the self-relative SD */
     Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
                                          NULL,
                                          &RelSDSize);
     if (Status != STATUS_BUFFER_TOO_SMALL)
         goto done;

     /* Allocate a buffer for the self-relative SD */
     RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
                             HEAP_ZERO_MEMORY,
                             RelSDSize);
     if (RelSD == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     /* Convert the absolute SD to self-relative format */
     Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
                                          RelSD,
                                          &RelSDSize);
     if (Status == STATUS_BUFFER_TOO_SMALL)
     {
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     *ServerSd = RelSD;
     *Size = RelSDSize;

 done:
     if (!NT_SUCCESS(Status))
     {
         if (RelSD != NULL)
             RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
     }

     if (EveryoneSid != NULL)
         RtlFreeSid(EveryoneSid);

     if (AnonymousSid != NULL)
         RtlFreeSid(AnonymousSid);

     if (AdministratorsSid != NULL)
         RtlFreeSid(AdministratorsSid);

     if (Dacl != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);

     if (Sacl != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);

     if (AbsSD != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);

     return Status;
 }


 NTSTATUS
 SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
                           OUT PULONG Size)
 {
     PSECURITY_DESCRIPTOR AbsSD = NULL;
     PSECURITY_DESCRIPTOR RelSD = NULL;
     PSID EveryoneSid = NULL;
     PSID AnonymousSid = NULL;
     PSID AdministratorsSid = NULL;
     PSID UsersSid = NULL;
     PSID GuestsSid = NULL;
     PACL Dacl = NULL;
     PACL Sacl = NULL;
     ULONG DaclSize;
     ULONG SaclSize;
     ULONG RelSDSize = 0;
     NTSTATUS Status = STATUS_SUCCESS;


     /* Create the Everyone SID */
     Status = RtlAllocateAndInitializeSid(&WorldAuthority,
                                          1,
                                          SECURITY_WORLD_RID,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &EveryoneSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Anonymous SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          1,
                                          SECURITY_ANONYMOUS_LOGON_RID,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AnonymousSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Administrators SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          2,
                                          SECURITY_BUILTIN_DOMAIN_RID,
                                          DOMAIN_ALIAS_RID_ADMINS,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AdministratorsSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Users SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          2,
                                          SECURITY_BUILTIN_DOMAIN_RID,
                                          DOMAIN_ALIAS_RID_USERS,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &UsersSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Guests SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          2,
                                          SECURITY_BUILTIN_DOMAIN_RID,
                                          DOMAIN_ALIAS_RID_GUESTS,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &GuestsSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;


     /* Allocate a buffer for the absolute SD */
     AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
                             HEAP_ZERO_MEMORY,
                             sizeof(SECURITY_DESCRIPTOR));
     if (AbsSD == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     /* Create the absolute SD */
     Status = RtlCreateSecurityDescriptor(AbsSD,
                                          SECURITY_DESCRIPTOR_REVISION);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* allocate and create the DACL */
     DaclSize = sizeof(ACL) +
                4 * sizeof(ACE) +
                RtlLengthSid(EveryoneSid) +
                RtlLengthSid(AdministratorsSid) +
                RtlLengthSid(UsersSid) +
                RtlLengthSid(GuestsSid);

     Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
                            HEAP_ZERO_MEMORY,
                            DaclSize);
     if (Dacl == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     Status = RtlCreateAcl(Dacl,
                           DaclSize,
                           ACL_REVISION);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     DOMAIN_READ | DOMAIN_EXECUTE,
                                     EveryoneSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     DOMAIN_READ | DOMAIN_EXECUTE,
                                     UsersSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     DOMAIN_ALL_ACCESS & ~DOMAIN_CREATE_GROUP,
                                     AdministratorsSid);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     DOMAIN_READ | DOMAIN_EXECUTE | DOMAIN_CREATE_USER | DOMAIN_CREATE_ALIAS,
                                     GuestsSid);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the DACL */
     Status = RtlSetDaclSecurityDescriptor(AbsSD,
                                           TRUE,
                                           Dacl,
                                           FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* allocate and create the SACL */
     SaclSize = sizeof(ACL) +
                2 * sizeof(ACE) +
                RtlLengthSid(EveryoneSid) +
                RtlLengthSid(AnonymousSid);

     Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
                            HEAP_ZERO_MEMORY,
                            DaclSize);
     if (Sacl == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     Status = RtlCreateAcl(Sacl,
                           SaclSize,
                           ACL_REVISION);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAuditAccessAce(Sacl,
                                   ACL_REVISION,
                                   ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
                                   SAM_SERVER_CREATE_DOMAIN | SAM_SERVER_INITIALIZE |
                                   SAM_SERVER_SHUTDOWN,
                                   EveryoneSid,
                                   TRUE,
                                   TRUE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAuditAccessAce(Sacl,
                                   ACL_REVISION,
                                   STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
                                   AnonymousSid,
                                   TRUE,
                                   TRUE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the SACL */
     Status = RtlSetSaclSecurityDescriptor(AbsSD,
                                           TRUE,
                                           Sacl,
                                           FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the owner SID */
     Status = RtlSetOwnerSecurityDescriptor(AbsSD,
                                            AdministratorsSid,
                                            FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the group SID */
     Status = RtlSetGroupSecurityDescriptor(AbsSD,
                                            AdministratorsSid,
                                            FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Get the reqired buffer size for the self-relative SD */
     Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
                                          NULL,
                                          &RelSDSize);
     if (Status != STATUS_BUFFER_TOO_SMALL)
         goto done;

     /* Allocate a buffer for the self-relative SD */
     RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
                             HEAP_ZERO_MEMORY,
                             RelSDSize);
     if (RelSD == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     /* Convert the absolute SD to self-relative format */
     Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
                                          RelSD,
                                          &RelSDSize);
     if (Status == STATUS_BUFFER_TOO_SMALL)
     {
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     *ServerSd = RelSD;
     *Size = RelSDSize;

 done:
     if (!NT_SUCCESS(Status))
     {
         if (RelSD != NULL)
             RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
     }

     if (EveryoneSid != NULL)
         RtlFreeSid(EveryoneSid);

     if (AnonymousSid != NULL)
         RtlFreeSid(AnonymousSid);

     if (AdministratorsSid != NULL)
         RtlFreeSid(AdministratorsSid);

     if (Dacl != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);

     if (Sacl != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);

     if (AbsSD != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);

     return Status;
 }


 NTSTATUS
 SampCreateAliasSD(OUT PSECURITY_DESCRIPTOR *AliasSd,
                   OUT PULONG Size)
 {
     PSECURITY_DESCRIPTOR AbsSD = NULL;
     PSECURITY_DESCRIPTOR RelSD = NULL;
     PSID EveryoneSid = NULL;
     PSID AnonymousSid = NULL;
     PSID AdministratorsSid = NULL;
     PSID AccountOperatorsSid = NULL;
     PACL Dacl = NULL;
     PACL Sacl = NULL;
     ULONG DaclSize;
     ULONG SaclSize;
     ULONG RelSDSize = 0;
     NTSTATUS Status = STATUS_SUCCESS;


     /* Create the Everyone SID */
     Status = RtlAllocateAndInitializeSid(&WorldAuthority,
                                          1,
                                          SECURITY_WORLD_RID,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &EveryoneSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Anonymous SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          1,
                                          SECURITY_ANONYMOUS_LOGON_RID,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AnonymousSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Administrators SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          2,
                                          SECURITY_BUILTIN_DOMAIN_RID,
                                          DOMAIN_ALIAS_RID_ADMINS,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AdministratorsSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Account Operators SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          2,
                                          SECURITY_BUILTIN_DOMAIN_RID,
                                          DOMAIN_ALIAS_RID_ACCOUNT_OPS,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AccountOperatorsSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Allocate a buffer for the absolute SD */
     AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
                             HEAP_ZERO_MEMORY,
                             sizeof(SECURITY_DESCRIPTOR));
     if (AbsSD == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     /* Create the absolute SD */
     Status = RtlCreateSecurityDescriptor(AbsSD,
                                          SECURITY_DESCRIPTOR_REVISION);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* allocate and create the DACL */
     DaclSize = sizeof(ACL) +
                3 * sizeof(ACE) +
                RtlLengthSid(EveryoneSid) +
                RtlLengthSid(AdministratorsSid) +
                RtlLengthSid(AccountOperatorsSid);

     Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
                            HEAP_ZERO_MEMORY,
                            DaclSize);
     if (Dacl == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     Status = RtlCreateAcl(Dacl,
                           DaclSize,
                           ACL_REVISION);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     READ_CONTROL | ALIAS_READ_INFORMATION | ALIAS_LIST_MEMBERS,
                                     EveryoneSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     ALIAS_ALL_ACCESS,
                                     AdministratorsSid);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     ALIAS_ALL_ACCESS,
                                     AccountOperatorsSid);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the DACL */
     Status = RtlSetDaclSecurityDescriptor(AbsSD,
                                           TRUE,
                                           Dacl,
                                           FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* allocate and create the SACL */
     SaclSize = sizeof(ACL) +
                2 * sizeof(ACE) +
                RtlLengthSid(EveryoneSid) +
                RtlLengthSid(AnonymousSid);

     Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
                            HEAP_ZERO_MEMORY,
                            DaclSize);
     if (Sacl == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     Status = RtlCreateAcl(Sacl,
                           SaclSize,
                           ACL_REVISION);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAuditAccessAce(Sacl,
                                   ACL_REVISION,
                                   ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
                                   ALIAS_WRITE_ACCOUNT | ALIAS_REMOVE_MEMBER |
                                   ALIAS_ADD_MEMBER,
                                   EveryoneSid,
                                   TRUE,
                                   TRUE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAuditAccessAce(Sacl,
                                   ACL_REVISION,
                                   STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
                                   AnonymousSid,
                                   TRUE,
                                   TRUE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the SACL */
     Status = RtlSetSaclSecurityDescriptor(AbsSD,
                                           TRUE,
                                           Sacl,
                                           FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the owner SID */
     Status = RtlSetOwnerSecurityDescriptor(AbsSD,
                                            AdministratorsSid,
                                            FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the group SID */
     Status = RtlSetGroupSecurityDescriptor(AbsSD,
                                            AdministratorsSid,
                                            FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Get the reqired buffer size for the self-relative SD */
     Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
                                          NULL,
                                          &RelSDSize);
     if (Status != STATUS_BUFFER_TOO_SMALL)
         goto done;

     /* Allocate a buffer for the self-relative SD */
     RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
                             HEAP_ZERO_MEMORY,
                             RelSDSize);
     if (RelSD == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     /* Convert the absolute SD to self-relative format */
     Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
                                          RelSD,
                                          &RelSDSize);
     if (Status == STATUS_BUFFER_TOO_SMALL)
     {
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     *AliasSd = RelSD;
     *Size = RelSDSize;

 done:
     if (!NT_SUCCESS(Status))
     {
         if (RelSD != NULL)
             RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
     }

     if (EveryoneSid != NULL)
         RtlFreeSid(EveryoneSid);

     if (AnonymousSid != NULL)
         RtlFreeSid(AnonymousSid);

     if (AdministratorsSid != NULL)
         RtlFreeSid(AdministratorsSid);

     if (Dacl != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);

     if (Sacl != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);

     if (AbsSD != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);

     return Status;
 }


 NTSTATUS
 SampCreateGroupSD(OUT PSECURITY_DESCRIPTOR *GroupSd,
                   OUT PULONG Size)
 {
     PSECURITY_DESCRIPTOR AbsSD = NULL;
     PSECURITY_DESCRIPTOR RelSD = NULL;
     PSID EveryoneSid = NULL;
     PSID AnonymousSid = NULL;
     PSID AdministratorsSid = NULL;
     PSID AccountOperatorsSid = NULL;
     PACL Dacl = NULL;
     PACL Sacl = NULL;
     ULONG DaclSize;
     ULONG SaclSize;
     ULONG RelSDSize = 0;
     NTSTATUS Status = STATUS_SUCCESS;


     /* Create the Everyone SID */
     Status = RtlAllocateAndInitializeSid(&WorldAuthority,
                                          1,
                                          SECURITY_WORLD_RID,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &EveryoneSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Anonymous SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          1,
                                          SECURITY_ANONYMOUS_LOGON_RID,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AnonymousSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Administrators SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          2,
                                          SECURITY_BUILTIN_DOMAIN_RID,
                                          DOMAIN_ALIAS_RID_ADMINS,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AdministratorsSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Account Operators SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          2,
                                          SECURITY_BUILTIN_DOMAIN_RID,
                                          DOMAIN_ALIAS_RID_ACCOUNT_OPS,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AccountOperatorsSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Allocate a buffer for the absolute SD */
     AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
                             HEAP_ZERO_MEMORY,
                             sizeof(SECURITY_DESCRIPTOR));
     if (AbsSD == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     /* Create the absolute SD */
     Status = RtlCreateSecurityDescriptor(AbsSD,
                                          SECURITY_DESCRIPTOR_REVISION);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* allocate and create the DACL */
     DaclSize = sizeof(ACL) +
                3 * sizeof(ACE) +
                RtlLengthSid(EveryoneSid) +
                RtlLengthSid(AdministratorsSid) +
                RtlLengthSid(AccountOperatorsSid);

     Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
                            HEAP_ZERO_MEMORY,
                            DaclSize);
     if (Dacl == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     Status = RtlCreateAcl(Dacl,
                           DaclSize,
                           ACL_REVISION);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     READ_CONTROL | GROUP_LIST_MEMBERS | GROUP_READ_INFORMATION,
                                     EveryoneSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     GROUP_ALL_ACCESS,
                                     AdministratorsSid);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     GROUP_ALL_ACCESS,
                                     AccountOperatorsSid);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the DACL */
     Status = RtlSetDaclSecurityDescriptor(AbsSD,
                                           TRUE,
                                           Dacl,
                                           FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* allocate and create the SACL */
     SaclSize = sizeof(ACL) +
                2 * sizeof(ACE) +
                RtlLengthSid(EveryoneSid) +
                RtlLengthSid(AnonymousSid);

     Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
                            HEAP_ZERO_MEMORY,
                            DaclSize);
     if (Sacl == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     Status = RtlCreateAcl(Sacl,
                           SaclSize,
                           ACL_REVISION);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAuditAccessAce(Sacl,
                                   ACL_REVISION,
                                   ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
                                   GROUP_REMOVE_MEMBER | GROUP_ADD_MEMBER |
                                   GROUP_WRITE_ACCOUNT,
                                   EveryoneSid,
                                   TRUE,
                                   TRUE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAuditAccessAce(Sacl,
                                   ACL_REVISION,
                                   STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
                                   AnonymousSid,
                                   TRUE,
                                   TRUE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the SACL */
     Status = RtlSetSaclSecurityDescriptor(AbsSD,
                                           TRUE,
                                           Sacl,
                                           FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the owner SID */
     Status = RtlSetOwnerSecurityDescriptor(AbsSD,
                                            AdministratorsSid,
                                            FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the group SID */
     Status = RtlSetGroupSecurityDescriptor(AbsSD,
                                            AdministratorsSid,
                                            FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Get the reqired buffer size for the self-relative SD */
     Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
                                          NULL,
                                          &RelSDSize);
     if (Status != STATUS_BUFFER_TOO_SMALL)
         goto done;

     /* Allocate a buffer for the self-relative SD */
     RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
                             HEAP_ZERO_MEMORY,
                             RelSDSize);
     if (RelSD == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     /* Convert the absolute SD to self-relative format */
     Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
                                          RelSD,
                                          &RelSDSize);
     if (Status == STATUS_BUFFER_TOO_SMALL)
     {
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     *GroupSd = RelSD;
     *Size = RelSDSize;

 done:
     if (!NT_SUCCESS(Status))
     {
         if (RelSD != NULL)
             RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
     }

     if (EveryoneSid != NULL)
         RtlFreeSid(EveryoneSid);

     if (AnonymousSid != NULL)
         RtlFreeSid(AnonymousSid);

     if (AdministratorsSid != NULL)
         RtlFreeSid(AdministratorsSid);

     if (Dacl != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);

     if (Sacl != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);

     if (AbsSD != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);

     return Status;
 }


 NTSTATUS
 SampCreateUserSD(IN PSID UserSid,
                  OUT PSECURITY_DESCRIPTOR *UserSd,
                  OUT PULONG Size)
 {
     PSECURITY_DESCRIPTOR AbsSD = NULL;
     PSECURITY_DESCRIPTOR RelSD = NULL;
     PSID EveryoneSid = NULL;
     PSID AnonymousSid = NULL;
     PSID AdministratorsSid = NULL;
     PACL Dacl = NULL;
     PACL Sacl = NULL;
     ULONG DaclSize;
     ULONG SaclSize;
     ULONG RelSDSize = 0;
     NTSTATUS Status = STATUS_SUCCESS;


     /* Create the Everyone SID */
     Status = RtlAllocateAndInitializeSid(&WorldAuthority,
                                          1,
                                          SECURITY_WORLD_RID,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &EveryoneSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Anonymous SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          1,
                                          SECURITY_ANONYMOUS_LOGON_RID,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AnonymousSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Create the Administrators SID */
     Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                          2,
                                          SECURITY_BUILTIN_DOMAIN_RID,
                                          DOMAIN_ALIAS_RID_ADMINS,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          0,
                                          &AdministratorsSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* Allocate a buffer for the absolute SD */
     AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
                             HEAP_ZERO_MEMORY,
                             sizeof(SECURITY_DESCRIPTOR));
     if (AbsSD == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     /* Create the absolute SD */
     Status = RtlCreateSecurityDescriptor(AbsSD,
                                          SECURITY_DESCRIPTOR_REVISION);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     /* allocate and create the DACL */
     DaclSize = sizeof(ACL) +
                3 * sizeof(ACE) +
                RtlLengthSid(EveryoneSid) +
                RtlLengthSid(AdministratorsSid) +
                RtlLengthSid(UserSid);

     Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
                            HEAP_ZERO_MEMORY,
                            DaclSize);
     if (Dacl == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     Status = RtlCreateAcl(Dacl,
                           DaclSize,
                           ACL_REVISION);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     READ_CONTROL | USER_READ_GROUP_INFORMATION | USER_LIST_GROUPS |
                                     USER_CHANGE_PASSWORD | USER_READ_ACCOUNT | USER_READ_LOGON |
                                     USER_READ_PREFERENCES | USER_READ_GENERAL,
                                     EveryoneSid);
     ASSERT(NT_SUCCESS(Status));
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     USER_ALL_ACCESS,
                                     AdministratorsSid);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     READ_CONTROL | USER_CHANGE_PASSWORD | USER_WRITE_PREFERENCES,
                                     UserSid);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the DACL */
     Status = RtlSetDaclSecurityDescriptor(AbsSD,
                                           TRUE,
                                           Dacl,
                                           FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* allocate and create the SACL */
     SaclSize = sizeof(ACL) +
                2 * sizeof(ACE) +
                RtlLengthSid(EveryoneSid) +
                RtlLengthSid(AnonymousSid);

     Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
                            HEAP_ZERO_MEMORY,
                            DaclSize);
     if (Sacl == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     Status = RtlCreateAcl(Sacl,
                           SaclSize,
                           ACL_REVISION);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAuditAccessAce(Sacl,
                                   ACL_REVISION,
                                   ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
                                   USER_CHANGE_PASSWORD | USER_WRITE_PREFERENCES,
                                   EveryoneSid,
                                   TRUE,
                                   TRUE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     Status = RtlAddAuditAccessAce(Sacl,
                                   ACL_REVISION,
                                   STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
                                   AnonymousSid,
                                   TRUE,
                                   TRUE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the SACL */
     Status = RtlSetSaclSecurityDescriptor(AbsSD,
                                           TRUE,
                                           Sacl,
                                           FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the owner SID */
     Status = RtlSetOwnerSecurityDescriptor(AbsSD,
                                            AdministratorsSid,
                                            FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Set the group SID */
     Status = RtlSetGroupSecurityDescriptor(AbsSD,
                                            AdministratorsSid,
                                            FALSE);
     ASSERT(Status == STATUS_SUCCESS);
     if (!NT_SUCCESS(Status))
         goto done;

     /* Get the reqired buffer size for the self-relative SD */
     Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
                                          NULL,
                                          &RelSDSize);
     if (Status != STATUS_BUFFER_TOO_SMALL)
         goto done;

     /* Allocate a buffer for the self-relative SD */
     RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
                             HEAP_ZERO_MEMORY,
                             RelSDSize);
     if (RelSD == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     /* Convert the absolute SD to self-relative format */
     Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
                                          RelSD,
                                          &RelSDSize);
     if (Status == STATUS_BUFFER_TOO_SMALL)
     {
     ASSERT(Status == STATUS_SUCCESS);
         goto done;
     }

     *UserSd = RelSD;
     *Size = RelSDSize;

 done:
     if (!NT_SUCCESS(Status))
     {
         if (RelSD != NULL)
             RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
     }

     if (EveryoneSid != NULL)
         RtlFreeSid(EveryoneSid);

     if (AnonymousSid != NULL)
         RtlFreeSid(AnonymousSid);

     if (AdministratorsSid != NULL)
         RtlFreeSid(AdministratorsSid);

     if (Dacl != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);

     if (Sacl != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);

     if (AbsSD != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);

     return Status;
 }

 /* EOF */
GROUP_WRITE_ACCOUNT
#define GROUP_WRITE_ACCOUNT
Definition: ntsam.h:76

_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301

GROUP_ADD_MEMBER
#define GROUP_ADD_MEMBER
Definition: ntsam.h:77

IN
#define IN
Definition: typedefs.h:39

SAM_SERVER_READ
#define SAM_SERVER_READ
Definition: ntsam.h:106

DOMAIN_ALIAS_RID_GUESTS
#define DOMAIN_ALIAS_RID_GUESTS
Definition: setypes.h:654

STATUS_INSUFFICIENT_RESOURCES
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158

RtlSetGroupSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410

_SID
Definition: ms-dtyp.idl:198

ACCESS_SYSTEM_SECURITY
#define ACCESS_SYSTEM_SECURITY
Definition: nt_native.h:77

SAM_SERVER_INITIALIZE
#define SAM_SERVER_INITIALIZE
Definition: ntsam.h:101

TRUE
#define TRUE
Definition: types.h:120

_ACL
Definition: ms-dtyp.idl:293

DOMAIN_ALIAS_RID_ACCOUNT_OPS
#define DOMAIN_ALIAS_RID_ACCOUNT_OPS
Definition: setypes.h:657

RtlFreeSid
NTSYSAPI PVOID NTAPI RtlFreeSid(_In_ _Post_invalid_ PSID Sid)

NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26

WorldAuthority
static SID_IDENTIFIER_AUTHORITY WorldAuthority
Definition: security.c:14

RtlFreeHeap
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606

Size
IN PVOID IN PVOID IN USHORT IN USHORT Size
Definition: pci.h:361

RtlSetOwnerSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)

RtlCreateSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)

SAM_SERVER_EXECUTE
#define SAM_SERVER_EXECUTE
Definition: ntsam.h:114

RtlAddAccessAllowedAce
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)

RtlSetDaclSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)

ALIAS_REMOVE_MEMBER
#define ALIAS_REMOVE_MEMBER
Definition: ntsam.h:10

RtlAllocateAndInitializeSid
NTSYSAPI NTSTATUS NTAPI RtlAllocateAndInitializeSid(IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount, IN ULONG SubAuthority0, IN ULONG SubAuthority1, IN ULONG SubAuthority2, IN ULONG SubAuthority3, IN ULONG SubAuthority4, IN ULONG SubAuthority5, IN ULONG SubAuthority6, IN ULONG SubAuthority7, OUT PSID *Sid)
Definition: sid.c:290

SampCreateGroupSD
NTSTATUS SampCreateGroupSD(OUT PSECURITY_DESCRIPTOR *GroupSd, OUT PULONG Size)
Definition: security.c:1146

STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69

RtlCreateAcl
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)

SECURITY_DESCRIPTOR_REVISION
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58

NtAuthority
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:15

SAM_SERVER_CREATE_DOMAIN
#define SAM_SERVER_CREATE_DOMAIN
Definition: ntsam.h:102

USER_READ_GENERAL
#define USER_READ_GENERAL
Definition: ntsam.h:126

FALSE
#define FALSE
Definition: types.h:117

RtlAbsoluteToSelfRelativeSD
NTSYSAPI NTSTATUS NTAPI RtlAbsoluteToSelfRelativeSD(IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, IN PULONG BufferLength)
Definition: sd.c:626

ACL
struct _ACL ACL

GROUP_READ_INFORMATION
#define GROUP_READ_INFORMATION
Definition: ntsam.h:75

ALIAS_WRITE_ACCOUNT
#define ALIAS_WRITE_ACCOUNT
Definition: ntsam.h:13

SaclSize
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG SaclSize
Definition: rtlfuncs.h:1581

RtlLengthSid
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150

RtlSetSaclSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlSetSaclSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN SaclPresent, IN PACL Sacl, IN BOOLEAN SaclDefaulted)
Definition: sd.c:342

USER_LIST_GROUPS
#define USER_LIST_GROUPS
Definition: ntsam.h:134

USER_WRITE_PREFERENCES
#define USER_WRITE_PREFERENCES
Definition: ntsam.h:128

SECURITY_NT_AUTHORITY
#define SECURITY_NT_AUTHORITY
Definition: setypes.h:554

RtlAllocateHeap
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588

ALIAS_LIST_MEMBERS
#define ALIAS_LIST_MEMBERS
Definition: ntsam.h:11

Status
Status
Definition: gdiplustypes.h:24

DOMAIN_CREATE_ALIAS
#define DOMAIN_CREATE_ALIAS
Definition: ntsam.h:39

USER_READ_GROUP_INFORMATION
#define USER_READ_GROUP_INFORMATION
Definition: ntsam.h:135

SECURITY_BUILTIN_DOMAIN_RID
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581

ASSERT
#define ASSERT(a)
Definition: mode.c:44

NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32

USER_READ_ACCOUNT
#define USER_READ_ACCOUNT
Definition: ntsam.h:130

SAM_SERVER_ALL_ACCESS
#define SAM_SERVER_ALL_ACCESS
Definition: ntsam.h:118

SECURITY_WORLD_SID_AUTHORITY
#define SECURITY_WORLD_SID_AUTHORITY
Definition: setypes.h:527

DOMAIN_READ
#define DOMAIN_READ
Definition: ntsam.h:45

WRITE_DAC
#define WRITE_DAC
Definition: nt_native.h:59

SPECIFIC_RIGHTS_ALL
#define SPECIFIC_RIGHTS_ALL
Definition: nt_native.h:71

USER_ALL_ACCESS
#define USER_ALL_ACCESS
Definition: ntsam.h:153

DOMAIN_CREATE_USER
#define DOMAIN_CREATE_USER
Definition: ntsam.h:37

SECURITY_WORLD_RID
#define SECURITY_WORLD_RID
Definition: setypes.h:541

SECURITY_ANONYMOUS_LOGON_RID
#define SECURITY_ANONYMOUS_LOGON_RID
Definition: setypes.h:563

READ_CONTROL
#define READ_CONTROL
Definition: nt_native.h:58

GROUP_REMOVE_MEMBER
#define GROUP_REMOVE_MEMBER
Definition: ntsam.h:78

Dacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1579

ALIAS_ALL_ACCESS
#define ALIAS_ALL_ACCESS
Definition: ntsam.h:26

SampCreateAccountDomainSD
NTSTATUS SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd, OUT PULONG Size)
Definition: security.c:545

GROUP_ALL_ACCESS
#define GROUP_ALL_ACCESS
Definition: ntsam.h:92

_SID_IDENTIFIER_AUTHORITY
Definition: ms-dtyp.idl:194

DOMAIN_EXECUTE
#define DOMAIN_EXECUTE
Definition: ntsam.h:57

RtlAddAuditAccessAce
NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessAce(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN Success, _In_ BOOLEAN Failure)

STANDARD_RIGHTS_ALL
#define STANDARD_RIGHTS_ALL
Definition: nt_native.h:69

SampCreateBuiltinDomainSD
NTSTATUS SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd, OUT PULONG Size)
Definition: security.c:283

DOMAIN_ALIAS_RID_USERS
#define DOMAIN_ALIAS_RID_USERS
Definition: setypes.h:653

PULONG
unsigned int * PULONG
Definition: retypes.h:1

NULL
#define NULL
Definition: types.h:112

HEAP_ZERO_MEMORY
#define HEAP_ZERO_MEMORY
Definition: compat.h:134

USER_READ_PREFERENCES
#define USER_READ_PREFERENCES
Definition: ntsam.h:127

SampCreateAliasSD
NTSTATUS SampCreateAliasSD(OUT PSECURITY_DESCRIPTOR *AliasSd, OUT PULONG Size)
Definition: security.c:859

DaclSize
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1579

ACL_REVISION
#define ACL_REVISION
Definition: setypes.h:39

OUT
#define OUT
Definition: typedefs.h:40

ULONG
unsigned int ULONG
Definition: retypes.h:1

Sacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL Sacl
Definition: rtlfuncs.h:1581

GROUP_LIST_MEMBERS
#define GROUP_LIST_MEMBERS
Definition: ntsam.h:79

ALIAS_ADD_MEMBER
#define ALIAS_ADD_MEMBER
Definition: ntsam.h:9

STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65

SAM_SERVER_SHUTDOWN
#define SAM_SERVER_SHUTDOWN
Definition: ntsam.h:100

SampCreateUserSD
NTSTATUS SampCreateUserSD(IN PSID UserSid, OUT PSECURITY_DESCRIPTOR *UserSd, OUT PULONG Size)
Definition: security.c:1433

DOMAIN_ALIAS_RID_ADMINS
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652

DOMAIN_ALL_ACCESS
#define DOMAIN_ALL_ACCESS
Definition: ntsam.h:62

USER_READ_LOGON
#define USER_READ_LOGON
Definition: ntsam.h:129

samsrv.h

ALIAS_READ_INFORMATION
#define ALIAS_READ_INFORMATION
Definition: ntsam.h:12

_ACE
Definition: rtltypes.h:992

DOMAIN_CREATE_GROUP
#define DOMAIN_CREATE_GROUP
Definition: ntsam.h:38

SampCreateServerSD
NTSTATUS SampCreateServerSD(OUT PSECURITY_DESCRIPTOR *ServerSd, OUT PULONG Size)
Definition: security.c:21

DELETE
#define DELETE
Definition: nt_native.h:57

USER_CHANGE_PASSWORD
#define USER_CHANGE_PASSWORD
Definition: ntsam.h:132