// Well-known domain-relative RIDs (MS-SAMR "Predefined RIDs").
//
// A RID is only the last sub-authority of a SID. One of these values names a
// principal only when it is prefixed with the domain's own SID
// (S-1-5-21-<domain>-<RID>); the same number under S-1-5-32 (BUILTIN) or under
// another domain is a different principal. Callers must therefore compare the
// full SID (or at least check the domain prefix) rather than the bare RID.
// Note that 0x23C and 0x23E also appear in the RID_LOCAL_* set, so a lookup
// keyed on the RID alone cannot tell the two apart.
//
// Decimal values are given in the trailing comments because SIDs are almost
// always displayed in decimal (e.g. S-1-5-21-...-512).
const (
	// Well-known user accounts.
	RID_DOMAIN_USER_ADMIN  = 0x000001F4 // 500: built-in Administrator
	RID_DOMAIN_USER_GUEST  = 0x000001F5 // 501: Guest
	RID_DOMAIN_USER_KRBTGT = 0x000001F6 // 502: krbtgt (KDC service account)

	// Well-known groups.
	RID_DOMAIN_GROUP_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS = 0x000001F2 // 498
	RID_DOMAIN_GROUP_ADMINS                                 = 0x00000200 // 512: Domain Admins
	RID_DOMAIN_GROUP_USERS                                  = 0x00000201 // 513: Domain Users
	RID_DOMAIN_GROUP_GUESTS                                 = 0x00000202 // 514: Domain Guests
	RID_DOMAIN_GROUP_COMPUTERS                              = 0x00000203 // 515: Domain Computers
	RID_DOMAIN_GROUP_CONTROLLERS                            = 0x00000204 // 516: Domain Controllers
	RID_DOMAIN_GROUP_CERT_PUBLISHERS                        = 0x00000205 // 517: Cert Publishers
	RID_DOMAIN_GROUP_SCHEMA_ADMINS                          = 0x00000206 // 518: Schema Admins
	RID_DOMAIN_GROUP_ENTERPRISE_ADMINS                      = 0x00000207 // 519: Enterprise Admins
	RID_DOMAIN_GROUP_POLICY_ADMINS                          = 0x00000208 // 520: Group Policy Creator Owners
	RID_DOMAIN_GROUP_READONLY_CONTROLLERS                   = 0x00000209 // 521: Read-only Domain Controllers
	RID_DOMAIN_GROUP_CLONEABLE_CONTROLLERS                  = 0x0000020A // 522: Cloneable Domain Controllers
	RID_DOMAIN_GROUP_CDC_RESERVED                           = 0x0000020C // 524
	RID_DOMAIN_GROUP_PROTECTED_USERS                        = 0x0000020D // 525: Protected Users
	RID_DOMAIN_GROUP_KEY_ADMINS                             = 0x0000020E // 526: Key Admins
	RID_DOMAIN_GROUP_ENTERPRISE_KEY_ADMINS                  = 0x0000020F // 527: Enterprise Key Admins

	// Alias RIDs that MS-SAMR predefines alongside the domain groups; the same
	// numeric values exist in the RID_LOCAL_* set (see the caveat above).
	RID_DOMAIN_GROUP_DENIED_RODC_PASSWORD_REPLICATION = 0x0000023C // 572
	RID_DOMAIN_GROUP_ALIAS_CERTSVC_DCOM_ACCESS        = 0x0000023E // 574
)
Predefined domain-relative RIDs (MS-SAMR). A RID identifies a principal only together with its domain SID prefix (S-1-5-21-<domain>-<RID>); compare full SIDs, not bare RIDs. Src: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/565a6584-3061-4ede-a531-f5c53826504b
// Well-known alias RIDs, mostly those of the BUILTIN domain (S-1-5-32-<RID>).
//
// These are the RIDs of local groups such as BUILTIN\Administrators (544) and
// BUILTIN\Backup Operators (551). Membership in several of them (Administrators,
// Account Operators, Server Operators, Print Operators, Backup Operators,
// Hyper-V Administrators, ...) is equivalent to or trivially escalates to
// local administrator, so they are the usual targets of privilege review.
//
// NOTE(review): per the linked well-known-SIDs page the "Allowed/Denied RODC
// Password Replication Group" aliases (0x23B/0x23C) are domain-local groups
// under the domain SID (S-1-5-21-<domain>-571/572), not BUILTIN, so treat the
// RID_LOCAL_ prefix on those two as a naming convention, not a SID authority.
// As with every RID, match on the full SID rather than on the number alone.
const (
	RID_LOCAL_ADMINS                         = 0x00000220 // 544: Administrators
	RID_LOCAL_USERS                          = 0x00000221 // 545: Users
	RID_LOCAL_GUESTS                         = 0x00000222 // 546: Guests
	RID_LOCAL_POWER_USERS                    = 0x00000223 // 547: Power Users
	RID_LOCAL_ACCOUNT_OPS                    = 0x00000224 // 548: Account Operators
	RID_LOCAL_SERVER_OPS                     = 0x00000225 // 549: Server Operators
	RID_LOCAL_PRINT_OPS                      = 0x00000226 // 550: Print Operators
	RID_LOCAL_BACKUP_OPS                     = 0x00000227 // 551: Backup Operators
	RID_LOCAL_REPLICATOR                     = 0x00000228 // 552: Replicator
	RID_LOCAL_RAS_SERVERS                    = 0x00000229 // 553: RAS and IAS Servers
	RID_LOCAL_PREW2KCOMPACCESS               = 0x0000022A // 554: Pre-Windows 2000 Compatible Access
	RID_LOCAL_REMOTE_DESKTOP_USERS           = 0x0000022B // 555: Remote Desktop Users
	RID_LOCAL_NETWORK_CONFIGURATION_OPS      = 0x0000022C // 556: Network Configuration Operators
	RID_LOCAL_INCOMING_FOREST_TRUST_BUILDERS = 0x0000022D // 557: Incoming Forest Trust Builders
	RID_LOCAL_MONITORING_USERS               = 0x0000022E // 558: Performance Monitor Users
	RID_LOCAL_LOGGING_USERS                  = 0x0000022F // 559: Performance Log Users
	RID_LOCAL_AUTHORIZATIONACCESS            = 0x00000230 // 560: Windows Authorization Access Group
	RID_LOCAL_TS_LICENSE_SERVERS             = 0x00000231 // 561: Terminal Server License Servers
	RID_LOCAL_DCOM_USERS                     = 0x00000232 // 562: Distributed COM Users
	RID_LOCAL_IUSERS                         = 0x00000238 // 568: IIS_IUSRS
	RID_LOCAL_CRYPTO_OPERATORS               = 0x00000239 // 569: Cryptographic Operators
	RID_LOCAL_CACHEABLE_PRINCIPALS_GROUP     = 0x0000023B // 571: Allowed RODC Password Replication Group
	RID_LOCAL_NON_CACHEABLE_PRINCIPALS_GROUP = 0x0000023C // 572: Denied RODC Password Replication Group
	RID_LOCAL_EVENT_LOG_READERS_GROUP        = 0x0000023D // 573: Event Log Readers
	RID_LOCAL_CERTSVC_DCOM_ACCESS_GROUP      = 0x0000023E // 574: Certificate Service DCOM Access
	RID_LOCAL_RDS_REMOTE_ACCESS_SERVERS      = 0x0000023F // 575: RDS Remote Access Servers
	RID_LOCAL_RDS_ENDPOINT_SERVERS           = 0x00000240 // 576: RDS Endpoint Servers
	RID_LOCAL_RDS_MANAGEMENT_SERVERS         = 0x00000241 // 577: RDS Management Servers
	RID_LOCAL_HYPER_V_ADMINS                 = 0x00000242 // 578: Hyper-V Administrators
	RID_LOCAL_ACCESS_CONTROL_ASSISTANCE_OPS  = 0x00000243 // 579: Access Control Assistance Operators
	RID_LOCAL_REMOTE_MANAGEMENT_USERS        = 0x00000244 // 580: Remote Management Users
	RID_LOCAL_DEFAULT_ACCOUNT                = 0x00000245 // 581: System Managed Accounts Group
	RID_LOCAL_STORAGE_REPLICA_ADMINS         = 0x00000246 // 582: Storage Replica Administrators
	RID_LOCAL_DEVICE_OWNERS                  = 0x00000247 // 583: Device Owners
)
Well-known alias RIDs, most of them under the BUILTIN authority (S-1-5-32-<RID>); the RODC password replication aliases (571/572) are domain-local groups under the domain SID. Src: https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
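// Extended Key Usage (EKU) OIDs seen in AD CS certificate templates
// (pKIExtendedKeyUsage / msPKI-Certificate-Application-Policy) and in
// issued certificates.
//
// Security note: when assessing a template, the EKUs that make an issued
// certificate usable for domain authentication are Client Authentication,
// PKINIT Client Authentication, Smart Card Logon and Any Purpose, plus the
// case where the template has no EKU at all (which a CA treats like Any
// Purpose). A template that combines one of those with requester-controlled
// subject names and broad enrollment rights is the classic ESC1 condition,
// so checks should test for all of them, not just EKU_CLIENT_AUTHENTICATION.
const (
	// Standard PKIX EKUs (RFC 5280 section 4.2.1.12).
	EKU_SERVER_AUTHENTICATION = "1.3.6.1.5.5.7.3.1"
	EKU_CLIENT_AUTHENTICATION = "1.3.6.1.5.5.7.3.2"
	EKU_CODE_SIGNING          = "1.3.6.1.5.5.7.3.3"
	EKU_EMAIL_PROTECTION      = "1.3.6.1.5.5.7.3.4"
	EKU_IPSEC_END_SYSTEM      = "1.3.6.1.5.5.7.3.5"
	EKU_IPSEC_TUNNEL          = "1.3.6.1.5.5.7.3.6"
	EKU_IPSEC_USER            = "1.3.6.1.5.5.7.3.7"
	EKU_TIME_STAMPING         = "1.3.6.1.5.5.7.3.8"
	EKU_OCSP_SIGNING          = "1.3.6.1.5.5.7.3.9"
	// anyExtendedKeyUsage: the certificate is valid for every purpose.
	EKU_ANY = "2.5.29.37.0"

	// Kerberos PKINIT EKUs (RFC 4556 section 3.2.2 / 3.2.4).
	// PKINIT Client Authentication is accepted by the KDC for certificate
	// logon, so it belongs in any "can authenticate" check alongside
	// EKU_CLIENT_AUTHENTICATION and EKU_SMART_CARD_LOGON.
	EKU_PKINIT_CLIENT_AUTHENTICATION = "1.3.6.1.5.2.3.4"
	// KDC Authentication: identifies a certificate as belonging to a KDC.
	EKU_KDC_AUTHENTICATION = "1.3.6.1.5.2.3.5"

	// Microsoft-specific EKUs (wincrypt.h szOID_* values).
	EKU_CERTIFICATE_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1" // enrollment agent (EOBO)
	EKU_SMART_CARD_LOGON          = "1.3.6.1.4.1.311.20.2.2"
	EKU_DS_EMAIL_REPLICATION      = "1.3.6.1.4.1.311.21.19"
	EKU_CA_EXCHANGE               = "1.3.6.1.4.1.311.21.5"
	EKU_KEY_RECOVERY_AGENT        = "1.3.6.1.4.1.311.21.6"
	// Encrypting File System (szOID_KP_EFS). Previously this value was
	// exported under the name EKU_FILE_RECOVERY, which is a different OID.
	EKU_ENCRYPTING_FILE_SYSTEM = "1.3.6.1.4.1.311.10.3.4"
	// File Recovery / EFS recovery agent (szOID_EFS_RECOVERY). This is the
	// child arc ".4.1" of the EFS OID; the earlier value ".4" matched Basic
	// EFS templates instead of recovery-agent templates.
	EKU_FILE_RECOVERY           = "1.3.6.1.4.1.311.10.3.4.1"
	EKU_QUALIFIED_SUBORDINATION = "1.3.6.1.4.1.311.10.3.10"
	EKU_DOCUMENT_SIGNING        = "1.3.6.1.4.1.311.10.3.12"
	EKU_LIFETIME_SIGNING        = "1.3.6.1.4.1.311.10.3.13"
	// NOTE(review): wincrypt.h names 1.3.6.1.4.1.311.10.6.1 szOID_LICENSES
	// ("Key Pack Licenses") and 1.3.6.1.4.1.311.10.6.2 szOID_LICENSE_SERVER
	// ("License Server Verification"); the two assignments below look
	// swapped/misnamed relative to that. Left unchanged pending confirmation.
	EKU_KEY_PACK_LICENSES    = "1.3.6.1.4.1.311.10.6.2"
	EKU_KEY_PACK_SILENT_USER = "1.3.6.1.4.1.311.10.6.1"
)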
TODO: not every OID above has been verified against Microsoft's published EKU list (the wincrypt.h szOID_* values); in particular EKU_FILE_RECOVERY and the two Key Pack entries should be confirmed before they are used to classify templates.
// Bits of the certificate template "flags" attribute (MS-CRTD "General
// Enrollment Flags"). The CT_FLAG_* names in the comments are the ones used
// by the specification.
//
// These are untyped so they can be masked against whatever integer type the
// LDAP decoder produces for the attribute.
const (
	ENROLLMENT_FLAG_ADD_EMAIL      = 0x00000002 // CT_FLAG_ADD_EMAIL: reserved, all protocols MUST ignore it
	ENROLLMENT_FLAG_PUBLISH_TO_DS  = 0x00000008 // CT_FLAG_PUBLISH_TO_DS: reserved, all protocols MUST ignore it
	ENROLLMENT_FLAG_EXPORTABLE_KEY = 0x00000010 // CT_FLAG_EXPORTABLE_KEY: reserved, all protocols MUST ignore it

	// Same meaning as CT_FLAG_AUTO_ENROLLMENT in msPKI-Enrollment-Flag:
	// auto-enrollment is enabled for this template.
	ENROLLMENT_FLAG_AUTO_ENROLLMENT = 0x00000020
	// The end entity for this template is a machine rather than a user.
	ENROLLMENT_FLAG_MACHINE_TYPE = 0x00000040
	// The template issues CA certificates.
	ENROLLMENT_FLAG_IS_CA = 0x00000080
	// Issued certificates must carry the certificate-template-name extension.
	ENROLLMENT_FLAG_ADD_TEMPLATE_NAME = 0x00000200
	// The template is for cross-certifying a certificate (rules in MS-WCCE).
	ENROLLMENT_FLAG_IS_CROSS_CA = 0x00000800
	// The CA need not persist the request record for issued certificates.
	// Security note: this removes the CA database audit trail for the
	// template, which matters when reconstructing who obtained what.
	ENROLLMENT_FLAG_DONOTPERSISTINDB = 0x00001000
	// Template SHOULD not be modified; unused by the enrollment protocol.
	ENROLLMENT_FLAG_IS_DEFAULT = 0x00010000
	// Template MAY be modified; unused by the enrollment protocol.
	ENROLLMENT_FLAG_IS_MODIFIED = 0x00020000
)
General Enrollment Flags Src: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/6cc7eb79-3e84-477a-b398-b0ff2b68a6c0
// Bits of the msPKI-Certificate-Name-Flag template attribute.
//
// The constants are untyped. SUBJECT_REQUIRE_DIRECTORY_PATH is 0x80000000,
// which does not fit in a signed 32-bit int, so decode the attribute into a
// uint32 (or wider) before masking.
//
// Security note: ENROLLEE_SUPPLIES_SUBJECT and
// ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME let the requester choose the identity
// written into the certificate. On a template that also carries an
// authentication-capable EKU and is enrollable by low-privileged principals
// this is the ESC1 misconfiguration. The SUBJECT_ALT_REQUIRE_* bits are the
// safe counterpart: the CA derives the SAN from the requester's AD object.
const (
	// Requester supplies the subject name in the CSR.
	MSPKI_CERTIFICATE_NAME_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
	// Subject and SAN are copied from the certificate being renewed.
	MSPKI_CERTIFICATE_NAME_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME = 0x00000008
	// Requester supplies the subject alternative name in the CSR.
	MSPKI_CERTIFICATE_NAME_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME = 0x00010000

	// SAN components the CA populates from Active Directory.
	MSPKI_CERTIFICATE_NAME_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS     = 0x00400000
	MSPKI_CERTIFICATE_NAME_FLAG_SUBJECT_ALT_REQUIRE_SPN            = 0x00800000
	MSPKI_CERTIFICATE_NAME_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID = 0x01000000
	MSPKI_CERTIFICATE_NAME_FLAG_SUBJECT_ALT_REQUIRE_UPN            = 0x02000000
	MSPKI_CERTIFICATE_NAME_FLAG_SUBJECT_ALT_REQUIRE_EMAIL          = 0x04000000
	MSPKI_CERTIFICATE_NAME_FLAG_SUBJECT_ALT_REQUIRE_DNS            = 0x08000000

	// Subject components the CA populates from Active Directory.
	MSPKI_CERTIFICATE_NAME_FLAG_SUBJECT_REQUIRE_DNS_AS_CN        = 0x10000000
	MSPKI_CERTIFICATE_NAME_FLAG_SUBJECT_REQUIRE_EMAIL            = 0x20000000
	MSPKI_CERTIFICATE_NAME_FLAG_SUBJECT_REQUIRE_COMMON_NAME      = 0x40000000
	MSPKI_CERTIFICATE_NAME_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH   = 0x80000000
)
msPKI-Certificate-Name-Flag Attribute Src: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/1192823c-d839-4bc3-9b6b-fa8c53507ae1
// Bits of the msPKI-Enrollment-Flag template attribute (MS-CRTD). Each
// constant's comment names the CT_FLAG_* identifier the specification uses.
//
// Two of these matter most when reviewing a template for abuse:
//   - PEND_ALL_REQUESTS (0x2): every request is held pending, so a human
//     must approve issuance; this is the control that blocks unattended
//     exploitation of an otherwise over-permissive template.
//   - NO_SECURITY_EXTENSION (0x80000): the CA omits szOID_NTDS_CA_SECURITY_EXT
//     (1.3.6.1.4.1.311.25.2), the extension that binds the certificate to the
//     requester's objectSid for strong certificate mapping; certificates
//     without it fall back to weaker name-based mapping.
const (
	// CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS: include an S/MIME capabilities
	// extension (RFC 4262) in the request and the issued certificate.
	MSPKI_ENROLLMENT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001
	// CT_FLAG_PEND_ALL_REQUESTS: the CA puts all requests in a pending state.
	MSPKI_ENROLLMENT_FLAG_PEND_ALL_REQUESTS = 0x00000002
	// CT_FLAG_PUBLISH_TO_KRA_CONTAINER: publish the issued certificate to the
	// key recovery agent container in AD (MS-ADTS).
	MSPKI_ENROLLMENT_FLAG_PUBLISH_TO_KRA_CONTAINER = 0x00000004
	// CT_FLAG_PUBLISH_TO_DS: append the issued certificate to the user
	// object's userCertificate attribute (RFC 4523); see MS-WCCE 3.2.2.6.2.1.4.5.6.
	MSPKI_ENROLLMENT_FLAG_PUBLISH_TO_DS = 0x00000008
	// CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE: skip auto-enrollment
	// when userCertificate already holds a valid certificate from this template.
	MSPKI_ENROLLMENT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE = 0x00000010
	// CT_FLAG_AUTO_ENROLLMENT: clients auto-enroll for this template.
	MSPKI_ENROLLMENT_FLAG_AUTO_ENROLLMENT = 0x00000020
	// CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT: renewals are signed
	// with the existing certificate's private key and processed per
	// MS-WCCE 3.2.2.6.2.1.4.5.6.
	MSPKI_ENROLLMENT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT = 0x00000040
	// CT_FLAG_USER_INTERACTION_REQUIRED: obtain user consent before enrolling.
	MSPKI_ENROLLMENT_FLAG_USER_INTERACTION_REQUIRED = 0x00000100
	// CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE: the
	// auto-enrollment client deletes certificates from this template that are
	// no longer needed (MS-CERSOD 2.1.2.2.2).
	MSPKI_ENROLLMENT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE = 0x00000400
	// CT_FLAG_ALLOW_ENROLL_ON_BEHALF_OF: enroll-on-behalf-of (EOBO) is allowed.
	MSPKI_ENROLLMENT_FLAG_ALLOW_ENROLL_ON_BEHALF_OF = 0x00000800
	// CT_FLAG_ADD_OCSP_NOCHECK: omit revocation information and add the
	// id-pkix-ocsp-nocheck extension (RFC 2560 4.2.2.2.1).
	MSPKI_ENROLLMENT_FLAG_ADD_OCSP_NOCHECK = 0x00001000
	// CT_FLAG_ENABLE_KEY_REUSE_ON_NT_TOKEN_KEYSET_STORAGE_FULL: reuse the
	// private key for smart-card renewal when the card cannot hold a new one.
	MSPKI_ENROLLMENT_FLAG_ENABLE_KEY_REUSE_ON_NT_TOKEN_KEYSET_STORAGE_FULL = 0x00002000
	// CT_FLAG_NOREVOCATIONINFOINISSUEDCERTS: omit revocation information.
	MSPKI_ENROLLMENT_FLAG_NOREVOCATIONINFOINISSUEDCERTS = 0x00004000
	// CT_FLAG_INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS: add Basic Constraints
	// (RFC 3280 4.2.1.10) to end-entity certificates.
	MSPKI_ENROLLMENT_FLAG_INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS = 0x00008000
	// CT_FLAG_ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLMENT:
	// the CA ignores the Enroll permission requirement for renewals
	// (MS-WCCE 3.2.2.6.2.1.4.5.6).
	MSPKI_ENROLLMENT_FLAG_ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLMENT = 0x00010000
	// CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST: issuance policies come from the
	// request, restricted to those the template lists; others are rejected
	// (MS-WCCE 3.2.2.6.2.1.4.5.8).
	MSPKI_ENROLLMENT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST = 0x00020000
	// CT_FLAG_SKIP_AUTO_RENEWAL: do not auto-renew, even with a valid template.
	MSPKI_ENROLLMENT_FLAG_SKIP_AUTO_RENEWAL = 0x00040000
	// CT_FLAG_NO_SECURITY_EXTENSION: omit szOID_NTDS_CA_SECURITY_EXT
	// (MS-WCCE 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9) from issued certificates.
	MSPKI_ENROLLMENT_FLAG_NO_SECURITY_EXTENSION = 0x00080000
)
msPKI-Enrollment-Flag Attribute Src: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/ec71fd43-61c2-407b-83c9-b52272dec8a1
// sAMAccountType values (MS-SAMR). The high nibble selects the object
// class (0x0 domain, 0x1 group, 0x2 alias, 0x3 user, 0x4 application
// group) and the low bits refine it, so comparisons should be exact
// rather than masked unless only the class is wanted.
//
// When enumerating principals, note that computer objects, trust accounts
// and ordinary users all share the 0x3xxxxxxx class; filtering on
// SAM_USER_OBJECT alone excludes machine and trust accounts, which is
// usually what you want for "human" accounts and usually not what you want
// when looking for Kerberos-relevant principals.
const (
	SAM_DOMAIN_OBJECT             = 0x00000000 // domain object
	SAM_GROUP_OBJECT              = 0x10000000 // security group
	SAM_NON_SECURITY_GROUP_OBJECT = 0x10000001 // distribution group; not used for authorization
	SAM_ALIAS_OBJECT              = 0x20000000 // domain-local (alias) security group
	SAM_NON_SECURITY_ALIAS_OBJECT = 0x20000001 // domain-local distribution group; not used for authorization
	SAM_USER_OBJECT               = 0x30000000 // user account
	SAM_MACHINE_ACCOUNT           = 0x30000001 // computer account
	SAM_TRUST_ACCOUNT             = 0x30000002 // user object backing a domain trust
	SAM_APP_BASIC_GROUP           = 0x40000000 // application-defined group
	SAM_APP_QUERY_GROUP           = 0x40000001 // application-defined group populated by a query
)
sAMAccountType Values Src: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e742be45-665d-4576-b872-0bc99d1e1fbe
// DomainFunctionalityLevelToWindowsVersion maps each known domain
// functionality level to the Windows Server release that introduced it.
// Levels not present here (8, 9, anything above 10) have no entry; callers
// must handle the missing-key case rather than assume every value maps.
var DomainFunctionalityLevelToWindowsVersion = map[DomainFunctionalityLevel]string{
	DOMAIN_FUNCTIONALITY_LEVEL_2000:         "Windows 2000",
	DOMAIN_FUNCTIONALITY_LEVEL_2003_INTERIM: "Windows Server 2003 Interim",
	DOMAIN_FUNCTIONALITY_LEVEL_2003:         "Windows Server 2003",
	DOMAIN_FUNCTIONALITY_LEVEL_2008:         "Windows Server 2008",
	DOMAIN_FUNCTIONALITY_LEVEL_2008_R2:      "Windows Server 2008 R2",
	DOMAIN_FUNCTIONALITY_LEVEL_2012:         "Windows Server 2012",
	DOMAIN_FUNCTIONALITY_LEVEL_2012_R2:      "Windows Server 2012 R2",
	DOMAIN_FUNCTIONALITY_LEVEL_2016:         "Windows Server 2016",
	// There is no 2019 or 2022 level; 2016 is followed directly by 2025 (10).
	DOMAIN_FUNCTIONALITY_LEVEL_2025: "Windows Server 2025",
}
// DomainRIDs lists every RID_DOMAIN_* constant, in declaration order, for
// callers that want to iterate the well-known domain principals.
//
// The values are bare RIDs; they identify a principal only under the
// domain's SID prefix. Two entries (0x23C, 0x23E) are numerically identical
// to entries in LocalRIDs, so membership in this slice does not by itself
// prove that a SID belongs to the domain rather than to BUILTIN.
var DomainRIDs = []int{
	RID_DOMAIN_USER_KRBTGT,
	RID_DOMAIN_USER_ADMIN,
	RID_DOMAIN_USER_GUEST,
	RID_DOMAIN_GROUP_ADMINS,
	RID_DOMAIN_GROUP_USERS,
	RID_DOMAIN_GROUP_GUESTS,
	RID_DOMAIN_GROUP_COMPUTERS,
	RID_DOMAIN_GROUP_CONTROLLERS,
	RID_DOMAIN_GROUP_CERT_PUBLISHERS,
	RID_DOMAIN_GROUP_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS,
	RID_DOMAIN_GROUP_SCHEMA_ADMINS,
	RID_DOMAIN_GROUP_ENTERPRISE_ADMINS,
	RID_DOMAIN_GROUP_POLICY_ADMINS,
	RID_DOMAIN_GROUP_READONLY_CONTROLLERS,
	RID_DOMAIN_GROUP_CLONEABLE_CONTROLLERS,
	RID_DOMAIN_GROUP_CDC_RESERVED,
	RID_DOMAIN_GROUP_PROTECTED_USERS,
	RID_DOMAIN_GROUP_KEY_ADMINS,
	RID_DOMAIN_GROUP_ENTERPRISE_KEY_ADMINS,
	RID_DOMAIN_GROUP_DENIED_RODC_PASSWORD_REPLICATION,
	RID_DOMAIN_GROUP_ALIAS_CERTSVC_DCOM_ACCESS,
}
// LocalRIDs lists every RID_LOCAL_* constant, in declaration order, for
// callers that want to iterate the well-known alias (mostly BUILTIN) groups.
//
// As with DomainRIDs these are bare RIDs, meaningful only together with the
// SID authority (S-1-5-32 for BUILTIN); 0x23C and 0x23E also occur in
// DomainRIDs, so check the full SID rather than the number alone.
var LocalRIDs = []int{
	RID_LOCAL_ADMINS,
	RID_LOCAL_USERS,
	RID_LOCAL_GUESTS,
	RID_LOCAL_POWER_USERS,
	RID_LOCAL_ACCOUNT_OPS,
	RID_LOCAL_SERVER_OPS,
	RID_LOCAL_PRINT_OPS,
	RID_LOCAL_BACKUP_OPS,
	RID_LOCAL_REPLICATOR,
	RID_LOCAL_RAS_SERVERS,
	RID_LOCAL_PREW2KCOMPACCESS,
	RID_LOCAL_REMOTE_DESKTOP_USERS,
	RID_LOCAL_NETWORK_CONFIGURATION_OPS,
	RID_LOCAL_INCOMING_FOREST_TRUST_BUILDERS,
	RID_LOCAL_MONITORING_USERS,
	RID_LOCAL_LOGGING_USERS,
	RID_LOCAL_AUTHORIZATIONACCESS,
	RID_LOCAL_TS_LICENSE_SERVERS,
	RID_LOCAL_DCOM_USERS,
	RID_LOCAL_IUSERS,
	RID_LOCAL_CRYPTO_OPERATORS,
	RID_LOCAL_CACHEABLE_PRINCIPALS_GROUP,
	RID_LOCAL_NON_CACHEABLE_PRINCIPALS_GROUP,
	RID_LOCAL_EVENT_LOG_READERS_GROUP,
	RID_LOCAL_CERTSVC_DCOM_ACCESS_GROUP,
	RID_LOCAL_RDS_REMOTE_ACCESS_SERVERS,
	RID_LOCAL_RDS_ENDPOINT_SERVERS,
	RID_LOCAL_RDS_MANAGEMENT_SERVERS,
	RID_LOCAL_HYPER_V_ADMINS,
	RID_LOCAL_ACCESS_CONTROL_ASSISTANCE_OPS,
	RID_LOCAL_REMOTE_MANAGEMENT_USERS,
	RID_LOCAL_DEFAULT_ACCOUNT,
	RID_LOCAL_STORAGE_REPLICA_ADMINS,
	RID_LOCAL_DEVICE_OWNERS,
}
// MSPKIEnrollmentFlagMap gives a human-readable label for each single
// msPKI-Enrollment-Flag bit. It is keyed by the individual bit, not by a
// combined value, so callers decoding an attribute must test each bit
// (value&bit != 0) and look up the ones that are set.
var MSPKIEnrollmentFlagMap = map[MSPKIEnrollmentFlag]string{
	MSPKI_ENROLLMENT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS:                                   "Include Symmetric Algorithms",
	MSPKI_ENROLLMENT_FLAG_PEND_ALL_REQUESTS:                                              "Pending All Requests",
	MSPKI_ENROLLMENT_FLAG_PUBLISH_TO_KRA_CONTAINER:                                       "Publish to KRA Container",
	MSPKI_ENROLLMENT_FLAG_PUBLISH_TO_DS:                                                  "Publish to DS",
	MSPKI_ENROLLMENT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE:                      "Auto Enrollment Check User DS Certificate",
	MSPKI_ENROLLMENT_FLAG_AUTO_ENROLLMENT:                                                "Auto Enrollment",
	MSPKI_ENROLLMENT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT:                        "Previous Approval Validate Reenrollment",
	MSPKI_ENROLLMENT_FLAG_USER_INTERACTION_REQUIRED:                                      "User Interaction Required",
	MSPKI_ENROLLMENT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE:                 "Remove Invalid Certificate From Personal Store",
	MSPKI_ENROLLMENT_FLAG_ALLOW_ENROLL_ON_BEHALF_OF:                                      "Allow Enroll On Behalf Of",
	MSPKI_ENROLLMENT_FLAG_ADD_OCSP_NOCHECK:                                               "Add OCSP No Check",
	MSPKI_ENROLLMENT_FLAG_ENABLE_KEY_REUSE_ON_NT_TOKEN_KEYSET_STORAGE_FULL:               "Enable Key Reuse On NT Token Keyset Storage Full",
	MSPKI_ENROLLMENT_FLAG_NOREVOCATIONINFOINISSUEDCERTS:                                  "No Revocation Info In Issued Certs",
	MSPKI_ENROLLMENT_FLAG_INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS:                         "Include Basic Constraints For EE Certs",
	MSPKI_ENROLLMENT_FLAG_ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLMENT: "Allow Previous Approval Key Based Renewal Validate Reenrollment",
	MSPKI_ENROLLMENT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST:                                 "Issuance Policies From Request",
	MSPKI_ENROLLMENT_FLAG_SKIP_AUTO_RENEWAL:                                              "Skip Auto Renewal",
	MSPKI_ENROLLMENT_FLAG_NO_SECURITY_EXTENSION:                                          "No Security Extension",
}
// PasswordPropertiesDescriptions holds, per pwdProperties bit, the
// explanatory text from the DOMAIN_PASSWORD_INFORMATION documentation.
// Keys are single bits; decode a combined attribute value bit by bit.
//
// From an assessment standpoint the bits to look for are an absent
// DOMAIN_PASSWORD_COMPLEX, and a present DOMAIN_PASSWORD_STORE_CLEARTEXT or
// DOMAIN_REFUSE_PASSWORD_CHANGE; the descriptions below say why.
var PasswordPropertiesDescriptions = map[PasswordProperties]string{
	PASSWORD_PROPERTY_DOMAIN_PASSWORD_COMPLEX: "The password must have a mix of at least two of the following types of characters: Uppercase characters, Lowercase characters, Numerals.",

	PASSWORD_PROPERTY_DOMAIN_PASSWORD_NO_ANON_CHANGE: "The password cannot be changed without logging on. Otherwise, if your password has expired, you can change your password and then log on.",

	PASSWORD_PROPERTY_DOMAIN_PASSWORD_NO_CLEAR_CHANGE: "Forces the client to use a protocol that does not allow the domain controller to get the plaintext password.",

	PASSWORD_PROPERTY_DOMAIN_LOCKOUT_ADMINS: "Allows the built-in administrator account to be locked out from network logons.",

	PASSWORD_PROPERTY_DOMAIN_PASSWORD_STORE_CLEARTEXT: "The directory service is storing a plaintext password for all users instead of a hash function of the password.",

	PASSWORD_PROPERTY_DOMAIN_REFUSE_PASSWORD_CHANGE: "Removes the requirement that the machine account password be automatically changed every week. This value should not be used as it can weaken security.",
}
// PasswordPropertiesMap maps each pwdProperties bit to its Win32 symbolic
// name (DOMAIN_PASSWORD_* / DOMAIN_LOCKOUT_ADMINS / DOMAIN_REFUSE_PASSWORD_CHANGE).
// Keys are single bits; decode a combined value bit by bit.
var PasswordPropertiesMap = map[PasswordProperties]string{
	PASSWORD_PROPERTY_DOMAIN_PASSWORD_COMPLEX:         "DOMAIN_PASSWORD_COMPLEX",
	PASSWORD_PROPERTY_DOMAIN_PASSWORD_NO_ANON_CHANGE:  "DOMAIN_PASSWORD_NO_ANON_CHANGE",
	PASSWORD_PROPERTY_DOMAIN_PASSWORD_NO_CLEAR_CHANGE: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
	PASSWORD_PROPERTY_DOMAIN_LOCKOUT_ADMINS:           "DOMAIN_LOCKOUT_ADMINS",
	PASSWORD_PROPERTY_DOMAIN_PASSWORD_STORE_CLEARTEXT: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
	PASSWORD_PROPERTY_DOMAIN_REFUSE_PASSWORD_CHANGE:   "DOMAIN_REFUSE_PASSWORD_CHANGE",
}
// SAMAccountTypeMap maps each sAMAccountType value to its symbolic name
// without the SAM_ prefix. Unlike the flag maps in this package the keys are
// whole values, not bits: look up the attribute value directly.
var SAMAccountTypeMap = map[SAMAccountType]string{
	SAM_DOMAIN_OBJECT:             "DOMAIN_OBJECT",
	SAM_GROUP_OBJECT:              "GROUP_OBJECT",
	SAM_NON_SECURITY_GROUP_OBJECT: "NON_SECURITY_GROUP_OBJECT",
	SAM_ALIAS_OBJECT:              "ALIAS_OBJECT",
	SAM_NON_SECURITY_ALIAS_OBJECT: "NON_SECURITY_ALIAS_OBJECT",
	SAM_USER_OBJECT:               "USER_OBJECT",
	SAM_MACHINE_ACCOUNT:           "MACHINE_ACCOUNT",
	SAM_TRUST_ACCOUNT:             "TRUST_ACCOUNT",
	SAM_APP_BASIC_GROUP:           "APP_BASIC_GROUP",
	SAM_APP_QUERY_GROUP:           "APP_QUERY_GROUP",
}
// UserAccountControlMap maps each named userAccountControl bit to its
// symbolic name. Reserved/unnamed bits are deliberately absent, so a
// decoder that only reports entries found here will silently drop unknown
// bits; compare the OR of the matched keys against the raw value if you
// need to detect that.
//
// Bits that usually matter in a security review: PASSWD_NOTREQD,
// DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH (AS-REP roasting),
// TRUSTED_FOR_DELEGATION / TRUSTED_TO_AUTH_FOR_DELEGATION (Kerberos
// delegation), USE_DES_KEY_ONLY, and NOT_DELEGATED (a protection).
var UserAccountControlMap = map[UserAccountControl]string{
	UAF_SCRIPT:                         "SCRIPT",
	UAF_ACCOUNT_DISABLED:               "ACCOUNT_DISABLED",
	UAF_HOMEDIR_REQUIRED:               "HOMEDIR_REQUIRED",
	UAF_LOCKOUT:                        "LOCKOUT",
	UAF_PASSWD_NOTREQD:                 "PASSWD_NOTREQD",
	UAF_PASSWD_CANT_CHANGE:             "PASSWD_CANT_CHANGE",
	UAF_ENCRYPTED_TEXT_PWD_ALLOWED:     "ENCRYPTED_TEXT_PWD_ALLOWED",
	UAF_TEMP_DUPLICATE_ACCOUNT:         "TEMP_DUPLICATE_ACCOUNT",
	UAF_NORMAL_ACCOUNT:                 "NORMAL_ACCOUNT",
	UAF_INTERDOMAIN_TRUST_ACCOUNT:      "INTERDOMAIN_TRUST_ACCOUNT",
	UAF_WORKSTATION_TRUST_ACCOUNT:      "WORKSTATION_TRUST_ACCOUNT",
	UAF_SERVER_TRUST_ACCOUNT:           "SERVER_TRUST_ACCOUNT",
	UAF_DONT_EXPIRE_PASSWORD:           "DONT_EXPIRE_PASSWORD",
	UAF_MNS_LOGON_ACCOUNT:              "MNS_LOGON_ACCOUNT",
	UAF_SMARTCARD_REQUIRED:             "SMARTCARD_REQUIRED",
	UAF_TRUSTED_FOR_DELEGATION:         "TRUSTED_FOR_DELEGATION",
	UAF_NOT_DELEGATED:                  "NOT_DELEGATED",
	UAF_USE_DES_KEY_ONLY:               "USE_DES_KEY_ONLY",
	UAF_DONT_REQ_PREAUTH:               "DONT_REQ_PREAUTH",
	UAF_PASSWORD_EXPIRED:               "PASSWORD_EXPIRED",
	UAF_TRUSTED_TO_AUTH_FOR_DELEGATION: "TRUSTED_TO_AUTH_FOR_DELEGATION",
	UAF_PARTIAL_SECRETS_ACCOUNT:        "PARTIAL_SECRETS_ACCOUNT",
}
// DomainFunctionalityLevel is a domain functionality level as published by
// Active Directory (presumably the domainFunctionality / msDS-Behavior-Version
// value; confirm against the caller that decodes it). It is stored in a
// uint8 because all defined levels are small non-negative integers.
type DomainFunctionalityLevel uint8

// Known functionality levels. The numbering is Microsoft's: 0 through 7 are
// consecutive, 8 and 9 were never assigned, and Windows Server 2025 is 10.
// There are no distinct levels for Windows Server 2019 or 2022.
const (
	DOMAIN_FUNCTIONALITY_LEVEL_2000         DomainFunctionalityLevel = 0
	DOMAIN_FUNCTIONALITY_LEVEL_2003_INTERIM DomainFunctionalityLevel = 1
	DOMAIN_FUNCTIONALITY_LEVEL_2003         DomainFunctionalityLevel = 2
	DOMAIN_FUNCTIONALITY_LEVEL_2008         DomainFunctionalityLevel = 3
	DOMAIN_FUNCTIONALITY_LEVEL_2008_R2      DomainFunctionalityLevel = 4
	DOMAIN_FUNCTIONALITY_LEVEL_2012         DomainFunctionalityLevel = 5
	DOMAIN_FUNCTIONALITY_LEVEL_2012_R2      DomainFunctionalityLevel = 6
	DOMAIN_FUNCTIONALITY_LEVEL_2016         DomainFunctionalityLevel = 7
	DOMAIN_FUNCTIONALITY_LEVEL_2025         DomainFunctionalityLevel = 10 // 8 and 9 are unassigned
)
func (v DomainFunctionalityLevel) IsSupported() bool
IsSupported reports whether this domain functionality level is still supported by current versions of Windows Server.
func (v DomainFunctionalityLevel) String() string
String returns the string representation of the domain functionality level
// MSPKIEnrollmentFlag is a decoded msPKI-Enrollment-Flag attribute value:
// a bit set built from the MSPKI_ENROLLMENT_FLAG_* constants. A value may
// have several bits set at once; test individual bits with value&flag != 0.
type MSPKIEnrollmentFlag uint32
func (flag MSPKIEnrollmentFlag) String() string
String returns the string representation of the enrollment flag
// PasswordProperties is the domain pwdProperties attribute: a bit set of
// the PASSWORD_PROPERTY_DOMAIN_* flags from DOMAIN_PASSWORD_INFORMATION.
// Test individual bits with value&flag != 0.
type PasswordProperties uint32

// pwdProperties bits. They are consecutive powers of two, so they are
// written with iota; the numeric value of each is given in its comment.
const (
	// DOMAIN_PASSWORD_COMPLEX (0x01): the password must mix at least two of
	// uppercase, lowercase and numeral characters. Its absence means no
	// complexity policy is enforced at the domain level.
	PASSWORD_PROPERTY_DOMAIN_PASSWORD_COMPLEX PasswordProperties = 1 << iota
	// DOMAIN_PASSWORD_NO_ANON_CHANGE (0x02): the password cannot be changed
	// without logging on; otherwise an expired password may be changed and
	// the user then logs on.
	PASSWORD_PROPERTY_DOMAIN_PASSWORD_NO_ANON_CHANGE
	// DOMAIN_PASSWORD_NO_CLEAR_CHANGE (0x04): clients must use a change
	// protocol that never gives the DC the plaintext password.
	PASSWORD_PROPERTY_DOMAIN_PASSWORD_NO_CLEAR_CHANGE
	// DOMAIN_LOCKOUT_ADMINS (0x08): the built-in Administrator account can be
	// locked out from network logons.
	PASSWORD_PROPERTY_DOMAIN_LOCKOUT_ADMINS
	// DOMAIN_PASSWORD_STORE_CLEARTEXT (0x10): the directory stores plaintext
	// (reversibly encrypted) passwords for all users instead of hashes. This
	// is a finding wherever it is set.
	PASSWORD_PROPERTY_DOMAIN_PASSWORD_STORE_CLEARTEXT
	// DOMAIN_REFUSE_PASSWORD_CHANGE (0x20): machine account passwords are no
	// longer rotated weekly. Microsoft documents this as weakening security.
	PASSWORD_PROPERTY_DOMAIN_REFUSE_PASSWORD_CHANGE
)
PasswordProperties Src: https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/ns-ntsecapi-domain_password_information
func (pwdProperties PasswordProperties) Description() string
func (pwdProperties PasswordProperties) String() string
// SAMAccountType is the sAMAccountType attribute of a SAM object. Unlike the
// flag types in this package it is a single enumerated value (one of the
// SAM_* constants), not a bit set, so it should be compared for equality.
type SAMAccountType uint32
func (sam SAMAccountType) String() string
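// UserAccountControl is the userAccountControl attribute of an AD account:
// a bit set built from the UAF_* constants. Test individual bits with
// value&flag != 0.
type UserAccountControl uint32

// userAccountControl bits, per Microsoft's userAccountControl reference.
//
// Two values were previously wrong and have been corrected:
//   - HOMEDIR_REQUIRED is 0x0008 (bit 3); bit 2 (0x0004) is unassigned.
//   - PARTIAL_SECRETS_ACCOUNT (read-only domain controller) is 0x04000000
//     (bit 26); bit 27 (0x08000000) is not that flag.
// The old placeholder names UAF_RESERVED_03 and UAF_RESERVED_26 keep their
// numeric values for source compatibility but are deprecated.
//
// NOTE(review): MS-ADTS / the ADS_USER_FLAG_ENUM also name bit 25
// (ADS_UF_NO_AUTH_DATA_REQUIRED) and bit 27 (ADS_UF_USE_AES_KEYS); they are
// left as RESERVED placeholders here because the linked reference page does
// not list them. Confirm before relying on either.
const (
	UAF_SCRIPT                     UserAccountControl = 1       // 0x0001
	UAF_ACCOUNT_DISABLED           UserAccountControl = 1 << 1  // 0x0002
	UAF_RESERVED_02                UserAccountControl = 1 << 2  // 0x0004: unassigned
	UAF_HOMEDIR_REQUIRED           UserAccountControl = 1 << 3  // 0x0008
	UAF_LOCKOUT                    UserAccountControl = 1 << 4  // 0x0010
	UAF_PASSWD_NOTREQD             UserAccountControl = 1 << 5  // 0x0020: empty password permitted
	UAF_PASSWD_CANT_CHANGE         UserAccountControl = 1 << 6  // 0x0040
	UAF_ENCRYPTED_TEXT_PWD_ALLOWED UserAccountControl = 1 << 7  // 0x0080: reversible encryption
	UAF_TEMP_DUPLICATE_ACCOUNT     UserAccountControl = 1 << 8  // 0x0100
	UAF_NORMAL_ACCOUNT             UserAccountControl = 1 << 9  // 0x0200
	UAF_RESERVED_10                UserAccountControl = 1 << 10 // 0x0400: unassigned
	UAF_INTERDOMAIN_TRUST_ACCOUNT  UserAccountControl = 1 << 11 // 0x0800
	UAF_WORKSTATION_TRUST_ACCOUNT  UserAccountControl = 1 << 12 // 0x1000
	UAF_SERVER_TRUST_ACCOUNT       UserAccountControl = 1 << 13 // 0x2000: domain controller
	UAF_RESERVED_14                UserAccountControl = 1 << 14 // 0x4000: unassigned
	UAF_RESERVED_15                UserAccountControl = 1 << 15 // 0x8000: unassigned
	UAF_DONT_EXPIRE_PASSWORD       UserAccountControl = 1 << 16 // 0x00010000
	UAF_MNS_LOGON_ACCOUNT          UserAccountControl = 1 << 17 // 0x00020000
	UAF_SMARTCARD_REQUIRED         UserAccountControl = 1 << 18 // 0x00040000
	UAF_TRUSTED_FOR_DELEGATION     UserAccountControl = 1 << 19 // 0x00080000: unconstrained delegation
	UAF_NOT_DELEGATED              UserAccountControl = 1 << 20 // 0x00100000: account is sensitive, cannot be delegated
	UAF_USE_DES_KEY_ONLY           UserAccountControl = 1 << 21 // 0x00200000
	UAF_DONT_REQ_PREAUTH           UserAccountControl = 1 << 22 // 0x00400000: Kerberos pre-auth not required
	UAF_PASSWORD_EXPIRED           UserAccountControl = 1 << 23 // 0x00800000
	UAF_TRUSTED_TO_AUTH_FOR_DELEGATION UserAccountControl = 1 << 24 // 0x01000000: protocol transition
	UAF_RESERVED_25                UserAccountControl = 1 << 25 // 0x02000000: unnamed here (see note above)
	UAF_PARTIAL_SECRETS_ACCOUNT    UserAccountControl = 1 << 26 // 0x04000000: RODC
	UAF_RESERVED_27                UserAccountControl = 1 << 27 // 0x08000000: unnamed here (see note above)
	UAF_RESERVED_28                UserAccountControl = 1 << 28 // 0x10000000
	UAF_RESERVED_29                UserAccountControl = 1 << 29 // 0x20000000
	UAF_RESERVED_30                UserAccountControl = 1 << 30 // 0x40000000
	UAF_RESERVED_31                UserAccountControl = 1 << 31 // 0x80000000

	// Deprecated: bit 3 is HOMEDIR_REQUIRED; use UAF_HOMEDIR_REQUIRED.
	UAF_RESERVED_03 UserAccountControl = 1 << 3
	// Deprecated: bit 26 is PARTIAL_SECRETS_ACCOUNT; use UAF_PARTIAL_SECRETS_ACCOUNT.
	UAF_RESERVED_26 UserAccountControl = 1 << 26
)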
UserAccountControl Src: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties
func (uac UserAccountControl) GetFlags() []UserAccountControl
GetFlags returns a slice of UserAccountControl flags that are set in the UserAccountControl value.
The function iterates over the UserAccountControlMap to check which flags are set in the UserAccountControl value. It collects the flags that are set and returns them as a slice of UserAccountControl values, sorted in ascending order.
Returns:
- A slice of UserAccountControl values representing the set flags, sorted in ascending order.
Example usage:
uac := ldap_attributes.UserAccountControl(0x00000010 | 0x00000020)
flags := uac.GetFlags()
for _, flag := range flags {
	fmt.Println(flag)
}
This function is useful for obtaining a list of individual flags set in the UserAccountControl value, which can be used for further processing or analysis.
func (uac UserAccountControl) String() string
String returns a string representation of the UserAccountControl flags.
The function iterates over the UserAccountControlMap to check which flags are set in the UserAccountControl value. It collects the string representations of the set flags, sorts them alphabetically, and joins them with a pipe ("|") separator.
Returns:
- A string containing the names of the set flags, separated by a pipe ("|").
Example usage:
uac := ldap_attributes.UserAccountControl(0x00000010 | 0x00000020)
fmt.Println(uac.String()) // Output: "LOCKOUT|PASSWD_NOTREQD"
This function is useful for debugging and logging purposes, allowing a human-readable representation of the UserAccountControl flags.