; ADSI constants

; This file contains a list of constants commonly used with the ADSI extender.
; Values are written in decimal. Groups headed "Meaning of bits" / "Bit values" hold flags that can be
; combined into a single value; the other groups hold individual enumerated values. Each group header
; records the operating system, namespace, object class and property the values apply to.
; NOTE(review): every value line carries a trailing "; comment". A reader that does not support inline
; comments will take the comment text as part of the value — confirm the consumer strips it.


; Meaning of bits in the userFlags property of a WinNT: user object and the userAccountControl property of an LDAP: user object.
; Operating System = Windows NT 4.0 / Windows 2000
; Namespace        = WinNT, LDAP
; object class     = user
; properties       = userFlags (WinNT), userAccountControl (LDAP on Windows 2000)

;  The following are used with both userFlags and userAccountControl.
UF_SCRIPT                     = 1        ; The logon script will be executed.
UF_ACCOUNTDISABLE             = 2        ; The user's account is disabled.
UF_HOMEDIR_REQUIRED           = 8        ; The home directory is required.
UF_LOCKOUT                    = 16       ; The account is currently locked out.
UF_PASSWD_NOTREQD             = 32       ; No password is required.
UF_PASSWD_CANT_CHANGE         = 64       ; The user cannot change the password. You can read this flag
                                         ; but you cannot set it directly.
UF_DONT_EXPIRE_PASSWD         = 65536    ; The password never expires on this account.
UF_TEMP_DUPLICATE_ACCOUNT     = 256      ; This is an account for users whose primary account is in another domain.
                                         ; This account provides user access to this domain, but not to any domain
                                         ; that trusts this domain. Sometimes it is referred to as a local user account.
UF_NORMAL_ACCOUNT             = 512      ; This is a default account type that represents a typical user.
UF_INTERDOMAIN_TRUST_ACCOUNT  = 2048     ; This is a permit-to-trust account for a system domain that trusts other domains.
UF_WORKSTATION_TRUST_ACCOUNT  = 4096     ; This is a computer account that is a member of this domain.
UF_SERVER_TRUST_ACCOUNT       = 8192     ; This is a computer account for a system backup domain controller that is a member of this domain.

                                         ; The following are used with userFlags only.
; NOTE(review): several entries below are marked "(Windows 2000 only)" and the UF_TRUSTED_FOR_DELEGATION
; text says to set the flag on the userAccountControl property, which suggests this heading should read
; "userAccountControl only" — confirm before relying on it.
UF_ENCRYPTED_PASSWORD_ALLOWED = 128      ; The user can send an encrypted password.   (Windows 2000 only)
UF_MNS_LOGON_ACCOUNT          = 131072   ; This is an MNS logon account.
UF_SMARTCARD_REQUIRED         = 262144   ; When set, this flag will force the user to log on using a smart card.  (Windows 2000 only)
UF_TRUSTED_FOR_DELEGATION     = 524288   ; When set, the service account (user or computer account), under which a service runs,
                                         ; is trusted for Kerberos delegation. Any such service can impersonate a client requesting
                                         ; the service. To enable a service for Kerberos delegation, you must set this flag on the
                                         ; userAccountControl property of the service account.  (Windows 2000 only)
UF_NOT_DELEGATED              = 1048576  ; When set, the security context of the user will not be delegated to a service even
                                         ; if the service account is set as trusted for Kerberos delegation.
; NOTE(review): because a service trusted for delegation can impersonate its clients (see above), accounts
; that carry UF_TRUSTED_FOR_DELEGATION deserve periodic review; UF_NOT_DELEGATED on sensitive user
; accounts limits the exposure.


; Guid used to prevent a user from changing their password.
; Operating System  = Windows 2000
; Namespace         = LDAP:
; Object class      = user
; Property          = ntSecurityDescriptor
; Security object   = ACE
; Security Property = ObjectType

; Used as the ObjectType of an ACE on the ntSecurityDescriptor property (see above).
; NOTE(review): the value is quoted; whether the quotes are part of the resulting string depends on the reader.
CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"


; Constant used to indicate that a user has unlimited disk storage rights.
; Operating System = Windows NT 4.0 / Windows 2000
; Namespace        = LDAP:
; object class     = user
; properties       = maxStorage

USER_MAXSTORAGE_UNLIMITED = -1  ; Use all available disk space.


; Meaning of bits in the groupType property of an LDAP namespace's group object.
; Operating System = Windows 2000
; Namespace        = LDAP
; object class     = group
; properties       = groupType

GLOBAL_GROUP       = 2  ; Group that contains only accounts and other account groups from its own domain.
                        ; This group may be exported to a different domain.
DOMAIN_LOCAL_GROUP = 4  ; Group that can contain accounts and universal groups from any domains. It may
                        ; not be included in either access-control lists of resources in other domains or
                        ; groups other than global groups in the same domain.
LOCAL_GROUP        = 4  ; This bit is for the WinNT provider as the DOMAIN_LOCAL_GROUP bit is for the LDAP provider.
                        ; (Same value as DOMAIN_LOCAL_GROUP.)
UNIVERSAL_GROUP    = 8  ; Group that can contain accounts and account groups from any domains, but not domain local groups.
SECURITY_ENABLED   = 2147483648  ; If this bit is set, the group is a security group. If this bit is not set, the group is a distribution group.


; The following values are for security objects all accessed through the ntSecurityDescriptor property.
; Some can also be used with the NT-Security-Descriptor property of a mailbox object.

; Current revision of the security descriptor.
; Operating System = Windows 2000
; Namespace        = LDAP
; Security object  = Security Descriptor
; Property         = Revision

ACL_REVISION       = 2
ACL_REVISION_DS    = 4   ; If the DACL contains an object-specific ACE you must use this.
; NOTE(review): ACL_REVISION and ACL_REVISION_DS are defined a second time in the Access Control List
; group below, with the same values. A reader that rejects duplicate keys will fail on this file, and it is
; not clear from the file whether the Security Descriptor Revision property really shares the ACL
; constants — confirm, and consider keeping a single definition.


; Current revision of Access Control List.
; Operating System = Windows 2000
; Namespace        = LDAP
; Security object  = Access Control List
; Property         = AclRevision

ACL_REVISION       = 2
ACL_REVISION_DS    = 4  ; If the ACL contains an object-specific ACE you must use this.


; Bit values associated with the Security Descriptor Control property.
; Operating System = Windows 2000
; Namespace        = LDAP
; Security object  = Security Descriptor
; Property         = Control

OWNER_DEFAULTED       = 1      ; A default mechanism, rather than the original provider of the
                               ; security descriptor, provided the security descriptor's owner security identifier (SID).
GROUP_DEFAULTED       = 2      ; A default mechanism, rather than the original provider of the security descriptor,
                               ; provided the security descriptor's group SID.
DACL_PRESENT          = 4      ; Indicates a security descriptor that has a DACL. If this flag is not set, or if this
                               ; flag is set and the DACL is NULL, the security descriptor allows full access to everyone.
DACL_DEFAULTED        = 8      ; Indicates a security descriptor with a default DACL. For example, if an
                               ; object's creator does not specify a DACL, the object receives the default DACL
                               ; from the creator's access token.
SACL_PRESENT          = 16     ; Indicates a security descriptor that has a SACL.  This flag is used to hold the
                               ; security information specified by a caller until the security descriptor is associated
                               ; with a securable object.
SACL_DEFAULTED        = 32     ; A default mechanism, rather than the original provider of the security descriptor,
                               ; provided the SACL.
DACL_AUTO_INHERIT_REQ = 256    ; The DACL of the security descriptor must be inherited.
SACL_AUTO_INHERIT_REQ = 512    ; The SACL of the security descriptor must be inherited.
DACL_AUTO_INHERITED   = 1024   ; Indicates a security descriptor in which the DACL is set up
                               ; to support automatic propagation of inheritable ACEs to existing child objects.
SACL_AUTO_INHERITED   = 2048   ; The SACL of the security descriptor supports automatic propagation of inheritable
                               ; ACEs to existing child objects.
DACL_PROTECTED        = 4096   ; The security descriptor will not allow inheritable ACEs to modify the DACL.
SACL_PROTECTED        = 8192   ; The security descriptor will not allow inheritable ACEs to modify the SACL.
SELF_RELATIVE         = 32768  ; The security descriptor is of self-relative format with all the security information
                               ; in a continuous block of memory.


; Bit values associated with an Access Control Entry's AccessMask property.
; Operating System = Windows 2000
; Namespace        = LDAP
; Security object  = ACE
; Property         = AccessMask

DELETE                 = 65536       ; The right to delete the object.
READ_CONTROL           = 131072      ; The right to read information from the security descriptor of the object,
                                     ; not including the information in the SACL.
WRITE_DAC              = 262144      ; The right to modify the discretionary access-control list (DACL) in the
                                     ; object's security descriptor.
WRITE_OWNER            = 524288      ; The right to assume ownership of the object. The user must be a trustee
                                     ; of the object. The user cannot transfer the ownership to other users.
SYNCHRONIZE            = 1048576     ; The right to use the object for synchronization. This enables a thread
                                     ; to wait until the object is in the signaled state.
ACCESS_SYSTEM_SECURITY = 16777216    ; The right to get or set the SACL in the object's security descriptor.
GENERIC_READ           = 2147483648  ; The right to read from the security descriptor, examine the object as
                                     ; well as its children, and read all properties.
GENERIC_WRITE          = 1073741824  ; The right to write all the properties and write to the DACL. The user
                                     ; can add and remove the object to and from the directory.
GENERIC_EXECUTE        = 536870912   ; The right to list children of this object.
GENERIC_ALL            = 268435456   ; The right to create or delete children, delete a subtree, read and write
                                     ; properties, examine children and the object itself, add and remove the
                                     ; object from the directory, and read or write with an extended right.
DS_CREATE_CHILD        = 1           ; The right to create children of the object. The ObjectType member of an
                                     ; ACE can contain a GUID that identifies the type of child object whose
                                     ; creation is being controlled. If ObjectType does not contain a GUID, the
                                     ; ACE controls the creation of all child object types.
DS_DELETE_CHILD        = 2           ; The right to delete children of the object. The ObjectType member of an
                                     ; ACE can contain a GUID that identifies a type of child object whose
                                     ; deletion is being controlled. If ObjectType does not contain a GUID, the
                                     ; ACE controls the deletion of all child object types.
ACTRL_DS_LIST          = 4           ; The right to list children of this object.
DS_SELF                = 8           ; The right to modify the group membership of a group object.
DS_READ_PROP           = 16          ; The right to read properties of the object. The ObjectType member of an
                                     ; ACE can contain a GUID that identifies a property set or property. If
                                     ; ObjectType does not contain a GUID, the ACE controls the right to read
                                     ; all of the object's properties.
DS_WRITE_PROP          = 32          ; The right to write properties of the object. The ObjectType member of
                                     ; an ACE can contain a GUID that identifies a property set or property.
                                     ; If ObjectType does not contain a GUID, the ACE controls the right to
                                     ; write all of the object's properties.
DS_DELETE_TREE         = 64          ; The right to delete all children of this object, regardless of the
                                     ; permission on the children.
DS_LIST_OBJECT         = 128         ; The right to list a particular object. If the user is not granted such
                                     ; a right, the object is hidden from the user.
DS_CONTROL_ACCESS      = 256         ; The right to perform an operation controlled by an extended access right.
                                     ; The ObjectType member of an ACE can contain a GUID that identifies the
                                     ; extended right. If ObjectType does not contain a GUID, the ACE controls
                                     ; the right to perform all extended right operations associated with the object.

;************************************Exchange 5.5 only**********************************************
; The Exchange 5.5 mailbox security descriptor has different meanings for several AccessMask bits.
; Operating System = Windows 2000, NT 4.0
; Namespace        = LDAP
; Security object  = ACE
; Property         = AccessMask
EXCH_MODIFY_USER_ATT = 2   ; Modify User Attributes
EXCH_MAIL_SEND_AS    = 8   ; Send As
EXCH_MAIL_RECEIVE_AS = 16  ; Mailbox Owner

; The Exchange 5.5 security descriptors for container objects have these bit values associated with
; their Access Control Entry's AccessMask property.
; Operating System = Windows 2000, NT 4.0
; Namespace        = LDAP
; Security object  = ACE
; Property         = AccessMask
; (No descriptions are given for these values in this file.)
RIGHT_DS_ADD_CHILD        = 1
RIGHT_DS_MODIFY_USER_ATT  = 2
RIGHT_DS_MODIFY_ADMIN_ATT = 4
RIGHT_DS_DELETE           = 65536
RIGHT_MAIL_SEND_AS        = 8
RIGHT_MAIL_RECEIVE_AS     = 16
RIGHT_MAIL_ADMIN_AS       = 32
RIGHT_DS_REPLICATION      = 64
RIGHT_DS_MODIFY_SEC_ATT   = 128
RIGHT_DS_SEARCH           = 256
;***********************************End Exchange 5.5 only*******************************************


; Values associated with an Access Control Entry's AceType property.
; Operating System = Windows 2000
; Namespace        = LDAP
; Security object  = ACE
; Property         = AceType

ACCESS_ALLOWED        = 0  ; The ACE is of the standard ACCESS_ALLOWED type, where the ObjectType and
                           ; InheritedObjectType fields are NULL.
ACCESS_DENIED         = 1  ; The ACE is of the standard ACCESS_DENIED type, where the ObjectType and
                           ; InheritedObjectType fields are NULL.
SYSTEM_AUDIT          = 2  ; The ACE is of the standard system type, where the ObjectType and
                           ; InheritedObjectType fields are NULL.
ACCESS_ALLOWED_OBJECT = 5  ; The ACE is of the ADSI extension of the ACCESS_ALLOWED type, where either
                           ; ObjectType or InheritedObjectType or both contain a GUID.
ACCESS_DENIED_OBJECT  = 6  ; The ACE is of the ADSI extension of the ACCESS_DENIED type, where either
                           ; ObjectType or InheritedObjectType or both contain a GUID.
SYSTEM_AUDIT_OBJECT   = 7  ; The ACE is of the ADSI extension of the system type, where either ObjectType
                           ; or InheritedObjectType or both contain a GUID.


; Bit values associated with an Access Control Entry's AceFlags property.
; Operating System = Windows 2000
; Namespace        = LDAP
; Security object  = ACE
; Property         = AceFlags

INHERIT_ACE              = 2    ; Child objects will inherit this access-control entry (ACE). The inherited
                                ; ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE flag is set.
NO_PROPAGATE_INHERIT_ACE = 4    ; ADSI will clear the INHERIT_ACE flag for the inherited ACEs of
                                ; child objects. This prevents the ACE from being inherited by subsequent
                                ; generations of objects.
INHERIT_ONLY_ACE         = 8    ; Indicates an inherit-only ACE that does not exercise access control on the
                                ; object to which it is attached. If this flag is not set, the ACE is an
                                ; effective ACE that exerts access control on the object to which it is attached.
INHERITED_ACE            = 16   ; Indicates whether or not the ACE was inherited. The system sets this bit.
VALID_INHERIT_FLAGS      = 31   ; Indicates whether the inherit flags are valid. The system sets this bit.
                                ; (31 = 1 | 2 | 4 | 8 | 16; the value 1 is not listed in this group.)
SUCCESSFUL_ACCESS        = 64   ; Generates audit messages for successful access attempts, used with ACEs that
                                ; audit the system in a system access-control list (SACL).
FAILED_ACCESS            = 128  ; Generates audit messages for failed access attempts, used with ACEs that audit
                                ; the system in a SACL.


; Bit values associated with an Access Control Entry's Flags property.
; Operating System = Windows 2000
; Namespace        = LDAP
; Security object  = ACE
; Property         = Flags

OBJECT_TYPE_PRESENT           = 1  ; The ObjectType field is present in the ACE, but InheritedObjectType is not.
INHERITED_OBJECT_TYPE_PRESENT = 2  ; The InheritedObjectType field is present in the ACE, but ObjectType is not.

; Possible values for the authentication method (3rd) parameter of the dsSetCredentx function.
; Use these values to control how the extender authenticates when it binds to the directory.
CLEAR_TEXT            = 0    ; Use basic authentication to bind to directory service objects.
                             ; NOTE(review): the name suggests the credentials travel unprotected with this option;
                             ; prefer SECURE_AUTHENTICATION (with USE_SIGNING / USE_SEALING) where the directory
                             ; supports it — confirm against the extender documentation.
SECURE_AUTHENTICATION = 1    ; Requests secure authentication. When this flag is set, the WinNT provider uses NTLM
                             ; to authenticate the client. Active Directory will use Kerberos, and possibly NTLM,
                             ; to authenticate the client. When the user name and password are NULL, the extender
                             ; binds to the object using the security context of the user account under which
                             ; WinBatch is running.
USE_ENCRYPTION        = 2    ; Use encryption for data exchange over the network.
USE_SSL               = 2    ; Data will be encrypted using SSL.
                             ; (USE_ENCRYPTION and USE_SSL share the value 2, so they are interchangeable in the flag word.)
READONLY_SERVER       = 4    ; For a WinNT provider, the extender tries to connect to a primary domain
                             ; controller (PDC) or a backup domain controller (BDC). For Active Directory, this
                             ; flag indicates that a writeable server is not required for a serverless binding.
PROMPT_CREDENTIALS    = 8    ; Not supported.
NO_AUTHENTICATION     = 16   ; The providers may attempt to bind the client to an object, as an anonymous user.
                             ; The WinNT provider does not support this flag.
FAST_BIND             = 32   ; This flag is not supported by the extender.
USE_SIGNING           = 64   ; Verifies data integrity to ensure the data received is the same as the data sent.
                             ; The SECURE_AUTHENTICATION flag must be set also.
USE_SEALING           = 128  ; Encrypts data using Kerberos. The SECURE_AUTHENTICATION flag must be set also.
USE_DELEGATION        = 256  ; Enables the extender to delegate the user's security context, which is necessary
                             ; for moving objects across domains.
SERVER_BIND           = 512  ; Windows 2000 SP1 and later: Specify this flag when using the LDAP provider if your
                             ; ADsPath includes a server name. Do not use this flag for paths that include a domain
                             ; name or for serverless paths. If you specify a server name without also specifying
                             ; this flag, unnecessary network traffic is the result.

; The SECURE_AUTHENTICATION flag can be used in combination with other flags such as READONLY_SERVER,
; PROMPT_CREDENTIALS, FAST_BIND, USE_SIGNING, USE_SEALING and SERVER_BIND.