The following sequence of methods and parameters enumerates all users on a domain controller "secdc02" in a domain name of "piesec". Here is the command used to trigger this flow: net users /domain.
Note that the field Status refers to the ReturnValue on a network trace.
1. ➡️ Send SamrConnect5
Details SamrConnect5.
| Parameter field | Parameter value |
|---|---|
| ServerName | \\SECDC02.piesec.ca |
| DesiredAccess | 0x301 |
| InVersion | 1 |
| InRevisionInfo | SAMPR_REVISION_INFO_V1 structure |
DesiredAccess mask corresponds to SpecificRights:SamServerEnumerateDomains.
2. ⬅️ Receive SamrConnect5
| Parameter field | Parameter value |
|---|---|
| OutVersion | 1 |
| OutRevisionInfo | 3 |
| ServerHandle | [implementation-specific value] serverHandle |
| Status | 0 |
3. ➡️ Send SamrEnumerateDomainsInSamServer
Details SamrEnumerateDomainsInSamServer.
| Parameter field | Parameter value |
|---|---|
| ServerHandle | serverHandle |
| EnumerationContext | 0x0 |
| PreferedMaximumLength | 0x2000 |
4. ⬅️ Receive SamrEnumerateDomainsInSamServer
| Parameter field | Parameter value |
|---|---|
| EnumerationContext | 4 |
| Buffer | SAMPR_ENUMERATION_BUFFER structure |
| CountReturned | 2 |
| Status | 0 |
5. ➡️ Send SamrLookupDomainInSamServer
Details SamrLookupDomainInSamServer.
| Parameter field | Parameter value |
|---|---|
| ServerHandle | serverHandle |
| Name | piesec |
6. ⬅️ Receive SamrLookupDomainInSamServer
| Parameter field | Parameter value |
|---|---|
| DomainId | [implementation-specific SID]. For example: S-1-5-21-776355648-152374955-3729610662 |
| Status | 0 |
7. ➡️ Send SamrOpenDomain
Details SamrOpenDomain.
| Parameter field | Parameter value |
|---|---|
| ServerHandle | serverHandle |
| DesiredAccess | 0x304 |
| DomainId | S-1-5-21-776355648-152374955-3729610662 |
DesiredAccess mask corresponds to SpecificRights: DomainReadOther, SpecificRights: DomainListAccounts and SpecificRights: DomainLookup.
8. ⬅️ Receive SamrOpenDomain
| Parameter field | Parameter value |
|---|---|
| DomainHandle | [implementation-specific value] domainHandle |
| Status | 0 |
The Buffer structure contains a sub structure SamprEnumerationBuffer listing the name of the domain as well as the container where the group will be created.
9. ➡️ Send SamrEnumerateUsersInDomain
Details SamrEnumerateUsersInDomain.
| Parameter field | Parameter value |
|---|---|
| DomainHandle | domainHandle |
| EnumerationContext | 0x0 |
| UserAccountControl | 0x0 |
| PreferedMaximumLength | 0xffffffff |
UserAccountControl is a filter value to be used on the userAccountControl attribute.
10. ⬅️ Receive SamrEnumerateUsersInDomain
| Parameter field | Parameter value |
|---|---|
| EnumerationContext | 0x0 |
| Buffer | PSAMPR_ENUMERATION_BUFFER structure |
| Status | 0 |
The PSAMPR_ENUMERATION_BUFFER strucutre has a property SamprEnumerationBuffer containing as many entries as there are results (RelativeIds and Names).
More information about enumeration: Common Processing for Enumeration of Users, Groups, and Aliases
11. ➡️ Send SamrCloseHandle
Details SamrCloseHandle.
| Parameter field | Parameter value |
|---|---|
| SamHandle | samHandle |
12. ⬅️ Receive SamrCloseHandle
| Parameter field | Parameter value |
|---|---|
| SamHandle | {00000000-00000000-0000-0000-0000-000000000000} |
| Status | 0 |