Search
Module:
Directory
Constants
Delegates
Enums
Interfaces
Structures

   Desktop Functions:
advapi32
avifil32
cards
cfgmgr32
comctl32
comdlg32
credui
crypt32
dbghelp
dbghlp
dbghlp32
dhcpsapi
difxapi
dmcl40
dnsapi
dtl
dwmapi
faultrep
fbwflib
fltlib
fwpuclnt
gdi32
gdiplus
getuname
glu32
glut32
gsapi
hhctrl
hid
hlink
httpapi
icmp
imm32
iphlpapi
iprop
irprops
kernel32
mapi32
MinCore
mpr
mqrt
mscorsn
msdelta
msdrm
msi
msports
msvcrt
ncrypt
netapi32
ntdll
ntdsapi
odbc32
odbccp32
ole32
oleacc
oleaut32
opengl32
pdh
powrprof
printui
propsys
psapi
pstorec
query
quickusb
rasapi32
rpcrt4
scarddlg
secur32
setupapi
shell32
shlwapi
twain_32
unicows
urlmon
user32
userenv
uxtheme
version
wer
wevtapi
winfax
winhttp
wininet
winmm
winscard
winspool
wintrust
winusb
wlanapi
ws2_32
wtsapi32
xolehlp
xpsprint

   Smart Device Functions:
aygshell
coredll
ipaqutil
rapi


Show Recent Changes
Subscribe (RSS)
Misc. Pages
Comments
FAQ
Helpful Tools
Playground
Suggested Reading
Website TODO List
Download Visual Studio Add-In
LsaRemoveAccountRights (advapi32)
 
.
Summary
The LsaRemoveAccountRights function removes one or more privileges from an account.

C# Signature:

[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]

    static extern uint LsaRemoveAccountRights(
    IntPtr PolicyHandle,
    byte[] AccountSid,
    [MarshalAs(UnmanagedType.U1)]
    bool AllRights,
    LSA_UNICODE_STRING[] UserRights,
    uint CountOfRights);
[DllImport("advapi32.dll", SetLastError=true)]
static extern TODO LsaRemoveAccountRights(TODO);

VB Signature:

    Private Declare Unicode Function LsaRemoveAccountRights Lib "advapi32.dll" ( _
    ByVal PolicyHandle As IntPtr, _
    ByVal AccountSid As IntPtr, _
    ByVal AllRights As Boolean, _
    ByRef UserRights As LSA_UNICODE_STRING, _
    ByVal CountOfRights As Integer _
    ByVal CountOfRights As Long _
    ) As Integer

User-Defined Types:

None.

Alternative Managed API:

Do you know one? Please contribute it!

Notes:

    'NTSTATUS LsaRemoveAccountRights(
    '  LSA_HANDLE PolicyHandle,
    '  PSID AccountSid,
    '  BOOLEAN AllRights,
    '  PLSA_UNICODE_STRING[] UserRights,
    '  ULONG CountOfRights
    ');

Tips & Tricks:

    The UserRights parameter is really an array of LSA_UNICODE_STRINGS

VB.Net Sample Code:

    Private WinWorldSid As Integer = 1
    Private POLICY_ALL_ACCESS As Integer = &HF0FFF
    Private SECURITY_MAX_SID_SIZE As Integer = 68
    Private SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME As String = "SeDenyRemoteInteractiveLogonRight"
    Private NT_STATUS_OBJECT_NAME_NOT_FOUND As Integer = &HC0000034
    Private STATUS_NO_MORE_ENTRIES As Integer = &H8000001A

    ' Remove the Deny permission
    Public Sub AllowTS(ByVal PC As String)
    Dim ret, Access, sidsize As Integer
    Dim SystemName, DenyTSRights As LSA_UNICODE_STRING
    Dim ObjectAttr As LSA_OBJECT_ATTRIBUTES
    Dim Policy, EveryoneSID As IntPtr

    ' build a well-known SID for "Everyone"
    sidsize = SECURITY_MAX_SID_SIZE
    EveryoneSID = Marshal.AllocHGlobal(sidsize)
    If CreateWellKnownSid(WinWorldSid, IntPtr.Zero, EveryoneSID, sidsize) = False Then
        ret = Marshal.GetLastWin32Error()
        Throw New Win32Exception(ret)
    End If

    ' setup the parameters for the LsaOpenPolicy API
    ObjectAttr.Length = Marshal.SizeOf(ObjectAttr)
    SystemName.Length = PC.Length * UnicodeEncoding.CharSize
    SystemName.MaximumLength = (PC.Length + 1) * UnicodeEncoding.CharSize
    SystemName.Buffer = Marshal.StringToHGlobalUni(PC)
    Access = POLICY_ALL_ACCESS

    ' open a policy handle on the remote PC
    ret = LsaOpenPolicy(SystemName, ObjectAttr, Access, Policy)
    If ret <> 0 Then
        Throw New Win32Exception(LsaNtStatusToWinError(ret))
    End If

    ' clean up
    Marshal.FreeHGlobal(SystemName.Buffer)

    ' Setup the input parameters for the LsaRemoveAccountRights API
    DenyTSRights.Length = SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME.Length * UnicodeEncoding.CharSize
    DenyTSRights.MaximumLength = (SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME.Length + 1) * UnicodeEncoding.CharSize
    DenyTSRights.Buffer = Marshal.StringToHGlobalUni(SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME)

    ' do it!
    ret = LsaRemoveAccountRights(Policy, EveryoneSID, False, DenyTSRights, 1)
    If ret <> 0 And ret <> NT_STATUS_OBJECT_NAME_NOT_FOUND Then
        Marshal.FreeHGlobal(DenyTSRights.Buffer)
        LsaClose(Policy)
        Throw New Win32Exception(LsaNtStatusToWinError(ret))
    End If

    ' clean up
    Marshal.FreeHGlobal(DenyTSRights.Buffer)
    LsaClose(Policy)
    End Sub

Documentation
LsaRemoveAccountRights on MSDN

Please edit this page!

Do you have...

  • helpful tips or sample code to share for using this API in managed code?
  • corrections to the existing content?
  • variations of the signature you want to share?
  • additional languages you want to include?

Select "Edit This Page" on the right hand toolbar and edit it! Or add new pages containing supporting types needed for this API (structures, delegates, and more).

 
Access PInvoke.net directly from VS:
Terms of Use
Edit This Page
Find References
Show Printable Version
Revisions