Matthias,

As per the processing logic in 3.1.4.7.10 in MS-LSAD, the caller of LsarCreateTrustedDomainEx2 or similar functions has to be a member of the Domain Admins group to access the policy handle. The requirement for the caller's control access right is also defined in the same section.

The constraint you mentioned in MS-ADTS is for the LDAP Add operation. ERROR_DS_CANT_ADD_SYSTEM_ONLY means that it is not permitted to add an attribute which is owned by the system.

Please let me know if I understand your questions correctly and if you have more questions.

Thanks!
Hongwei

-----Original Message-----
From: Matthias Dieter Wallnöfer [mailto:[email protected]]
Sent: Saturday, November 13, 2010 8:47 AM
To: Interoperability Documentation Help
Cc: [email protected]
Subject: MS-LSAD 3.1.4.7.10-12 CreateTrustedDomain* question

Hi dochelp people,

the calls "CreateTrustedDomain*" allow creating trusted domain objects. Now the question is: what AD security user is used to create them? Is it "SYSTEM"? Since otherwise we run into the following constraint (taken from MS-ADTS 3.1.1.5.2.2):

> The structural objectClass is not a Local Security Authority
> (LSA)-specific object class (section 3.1.1.5.2.3). If it is, Add
> returns unwillingToPerform / ERROR_DS_CANT_ADD_SYSTEM_ONLY.

Thanks,
Matthias Wallnöfer

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
