Type a page name and press Enter. You'll jump to the page if it exists, or you can create it if it doesn't.
To create a page in a module other than advapi32, prefix the name with the module name and a period.
Private Declare Unicode Function LsaAddAccountRights Lib "advapi32.dll" ( _
ByVal PolicyHandle As IntPtr, _
ByVal AccountSid As IntPtr, _
ByRef UserRights As LSA_UNICODE_STRING, _
ByVal CountOfRights As Long _
) As Integer
User-Defined Types:
None.
Notes:
From the SDK:
If the function succeeds, the return value is STATUS_SUCCESS.
If the function fails, the return value is an NTSTATUS code, which can be the following value or one of the LSA Policy Function Return Values.
Return code Description
STATUS_NO_SUCH_PRIVILEGE One of the privilege names is invalid.
You can use the LsaNtStatusToWinError function to convert the NTSTATUS code to a Windows error code.
Tips & Tricks:
The UserRights parameter is really an array of LSA_UNICODE_STRINGS
VB.Net Sample Code:
Private WinWorldSid As Integer = 1
Private POLICY_ALL_ACCESS As Integer = &HF0FFF
Private SECURITY_MAX_SID_SIZE As Integer = 68
Private SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME As String = "SeDenyRemoteInteractiveLogonRight"
Private NT_STATUS_OBJECT_NAME_NOT_FOUND As Integer = &HC0000034
Private STATUS_NO_MORE_ENTRIES As Integer = &H8000001A
' add the Deny permission
Public Sub DenyTS(ByVal PC As String)
Dim ret, Access, sidsize As Integer
Dim SystemName, DenyTSRights As LSA_UNICODE_STRING
Dim ObjectAttr As LSA_OBJECT_ATTRIBUTES
Dim Policy, EveryoneSID As IntPtr
' build a well-known SID for "Everyone"
sidsize = SECURITY_MAX_SID_SIZE
EveryoneSID = Marshal.AllocHGlobal(sidsize)
If CreateWellKnownSid(WinWorldSid, IntPtr.Zero, EveryoneSID, sidsize) = False Then
ret = Marshal.GetLastWin32Error()
Throw New Win32Exception(ret)
End If
' setup the parameters for the LsaOpenPolicy API
ObjectAttr.Length = Marshal.SizeOf(ObjectAttr)
SystemName.Length = PC.Length * UnicodeEncoding.CharSize
SystemName.MaximumLength = (PC.Length + 1) * UnicodeEncoding.CharSize
SystemName.Buffer = Marshal.StringToHGlobalUni(PC)
Access = POLICY_ALL_ACCESS
' open a policy handle on the remote PC
ret = LsaOpenPolicy(SystemName, ObjectAttr, Access, Policy)
If ret <> 0 Then
Throw New Win32Exception(LsaNtStatusToWinError(ret))
End If
' clean up
Marshal.FreeHGlobal(SystemName.Buffer)
' Setup the input parameters for the LsaRemoveAccountRights API
DenyTSRights.Length = SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME.Length * UnicodeEncoding.CharSize
DenyTSRights.MaximumLength = (SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME.Length + 1) * UnicodeEncoding.CharSize
DenyTSRights.Buffer = Marshal.StringToHGlobalUni(SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME)
' Do it!
ret = LsaAddAccountRights(Policy, EveryoneSID, DenyTSRights, 1)
If ret <> 0 Then
Marshal.FreeHGlobal(DenyTSRights.Buffer)
LsaClose(Policy)
Throw New Win32Exception(LsaNtStatusToWinError(ret))
End If
' clean up
Marshal.FreeHGlobal(DenyTSRights.Buffer)
LsaClose(Policy)
End Sub
helpful tips or sample code to share for using this API in managed code?
corrections to the existing content?
variations of the signature you want to share?
additional languages you want to include?
Select "Edit This Page" on the right hand toolbar and edit it! Or add new pages containing supporting types needed for this API (structures, delegates, and more).
Revisions