Search
Module:
Directory

   Desktop Functions:

   Smart Device Functions:


Show Recent Changes
Subscribe (RSS)
Misc. Pages
Comments
FAQ
Helpful Tools
Playground
Suggested Reading
Website TODO List
Download Visual Studio Add-In

LsaOpenPolicy (advapi32)
 
.
Summary
TODO - a short description

C# Signature:

[DllImport("advapi32.dll", SetLastError=true, PreserveSig=true)]
static extern uint LsaOpenPolicy(
   ref LSA_UNICODE_STRING SystemName,
   ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
   uint DesiredAccess,
   out IntPtr PolicyHandle
);

VB Signature:

Declare Function LsaOpenPolicy Lib "advapi32.dll" (TODO) As TODO

User-Defined Types:

None.

Notes:

From the SDK: The LsaOpenPolicy function opens a handle to the Policy object on a local or remote system.

To administer the local security policy of a local or remote system, you must call the LsaOpenPolicy function to establish a session with that system's LSA subsystem. LsaOpenPolicy connects to the LSA of the target system and returns a handle to the Policy object of that system. You can use this handle in subsequent LSA function calls to administer the local security policy information of the target system.

Tips & Tricks:

Please add some!

Sample Code:

public static uint SetRight( string inAccountName, string inPrivilegeName )
{
    uint aWinErrorCode = 0; //contains the last error

    //pointer an size for the SID
    IntPtr aSid = IntPtr.Zero;
    int aSidSize = 0;

    //StringBuilder and size for the domain name
    StringBuilder aDomainName = new StringBuilder();
    int aNameSize = 0;
    //account-type variable for lookup
    int aAccountType = 0;

    //get required buffer size
    LookupAccountName( String.Empty, inAccountName, aSid, ref aSidSize, aDomainName, ref aNameSize, ref aAccountType );

    //allocate buffers
    aDomainName = new StringBuilder( aNameSize );
    aSid = Marshal.AllocHGlobal( aSidSize );

    //lookup the SID for the account
    bool aResult = LookupAccountName( String.Empty, inAccountName, aSid, ref aSidSize, aDomainName, ref aNameSize, ref aAccountType );

    if ( aResult )
    {
        //initialize an empty unicode-string
        LSA_UNICODE_STRING aSystemName = new LSA_UNICODE_STRING();
        //combine all policies
        uint aAccess = (uint)(
            LSA_AccessPolicy.POLICY_AUDIT_LOG_ADMIN |
            LSA_AccessPolicy.POLICY_CREATE_ACCOUNT |
            LSA_AccessPolicy.POLICY_CREATE_PRIVILEGE |
            LSA_AccessPolicy.POLICY_CREATE_SECRET |
            LSA_AccessPolicy.POLICY_GET_PRIVATE_INFORMATION |
            LSA_AccessPolicy.POLICY_LOOKUP_NAMES |
            LSA_AccessPolicy.POLICY_NOTIFICATION |
            LSA_AccessPolicy.POLICY_SERVER_ADMIN |
            LSA_AccessPolicy.POLICY_SET_AUDIT_REQUIREMENTS |
            LSA_AccessPolicy.POLICY_SET_DEFAULT_QUOTA_LIMITS |
            LSA_AccessPolicy.POLICY_TRUST_ADMIN |
            LSA_AccessPolicy.POLICY_VIEW_AUDIT_INFORMATION |
            LSA_AccessPolicy.POLICY_VIEW_LOCAL_INFORMATION
            );
        //initialize a pointer for the policy handle
        IntPtr aPolicyHandle = IntPtr.Zero;

        //these attributes are not used, but LsaOpenPolicy wants them to exists
        LSA_OBJECT_ATTRIBUTES aObjectAttributes = new LSA_OBJECT_ATTRIBUTES();
        aObjectAttributes.Length = 0;
        aObjectAttributes.RootDirectory = IntPtr.Zero;
        aObjectAttributes.Attributes = 0;
        aObjectAttributes.SecurityDescriptor = IntPtr.Zero;
        aObjectAttributes.SecurityQualityOfService = IntPtr.Zero;            

        //get a policy handle
        uint aOpenPolicyResult = LsaOpenPolicy(ref aSystemName, ref aObjectAttributes, aAccess, out aPolicyHandle);
        aWinErrorCode = LsaNtStatusToWinError( aOpenPolicyResult );

        if( aWinErrorCode == Win32Constants.STATUS_SUCCESS )
        {
            //Now that we have the SID an the policy,
            //we can add rights to the account.
            //initialize an unicode-string for the privilege name
            LSA_UNICODE_STRING[] aUserRightsLSAString = new LSA_UNICODE_STRING[1];
            aUserRightsLSAString[0] = new LSA_UNICODE_STRING();
            aUserRightsLSAString[0].Buffer = Marshal.StringToHGlobalUni( inPrivilegeName );
            aUserRightsLSAString[0].Length = ( UInt16 )( inPrivilegeName.Length * UnicodeEncoding.CharSize );
            aUserRightsLSAString[0].MaximumLength = ( UInt16 )( ( inPrivilegeName.Length + 1 ) * UnicodeEncoding.CharSize );

            //add the right to the account
            uint aLSAResult = LsaAddAccountRights( aPolicyHandle, aSid, aUserRightsLSAString, 1 );
            aWinErrorCode = LsaNtStatusToWinError( aLSAResult );

            LsaClose( aPolicyHandle );
        }
        FreeSid( aSid );

    }
    else
    {
        aWinErrorCode = (uint)GetLastError();
    }

    return aWinErrorCode;
}

Alternative Managed API:

Do you know one? Please contribute it!

Documentation

Please edit this page!

Do you have...

  • helpful tips or sample code to share for using this API in managed code?
  • corrections to the existing content?
  • variations of the signature you want to share?
  • additional languages you want to include?

Select "Edit This Page" on the right hand toolbar and edit it! Or add new pages containing supporting types needed for this API (structures, delegates, and more).

 
Access PInvoke.net directly from VS:
Terms of Use
Find References
Show Printable Version
Revisions