From d1876203248877755347d38a3bc27de506638a7f Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Fri, 25 Sep 2009 15:14:43 -0700
Subject: s4-samdb: when UF_SERVER_TRUST_ACCOUNT is set mark object as critical

We may also need to remove the isCriticalSystemObject when the machine
is demoted
---
 source4/dsdb/samdb/ldb_modules/samldb.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'source4/dsdb/samdb/ldb_modules')

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 8f51dc7699..e59b5dd1ce 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -2005,6 +2005,16 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 		}
 		el2 = ldb_msg_find_element(msg, "sAMAccountType");
 		el2->flags = LDB_FLAG_MOD_REPLACE;
+
+		if (user_account_control & UF_SERVER_TRUST_ACCOUNT) {
+			ret = samdb_msg_add_string(ldb, msg, msg,
+						   "isCriticalSystemObject", "TRUE");
+			if (ret != LDB_SUCCESS) {
+				return ret;
+			}
+			el2 = ldb_msg_find_element(msg, "isCriticalSystemObject");
+			el2->flags = LDB_FLAG_MOD_REPLACE;
+		}
 	}
 
 	el = ldb_msg_find_element(req->op.mod.message, "primaryGroupID");
-- 
cgit