C# Signature:
[DllImport("advapi32.dll", SetLastError=true, PreserveSig=true)]
static extern uint LsaOpenPolicy(
ref LSA_UNICODE_STRING SystemName,
ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
uint DesiredAccess,
out IntPtr PolicyHandle
);
VB Signature:
Declare Function LsaOpenPolicy Lib "advapi32.dll" (TODO) As TODO
User-Defined Types:
None.
Notes:
From the SDK: The LsaOpenPolicy function opens a handle to the Policy object on a local or remote system.
To administer the local security policy of a local or remote system, you must call the LsaOpenPolicy function to establish a session with that system's LSA subsystem. LsaOpenPolicy connects to the LSA of the target system and returns a handle to the Policy object of that system. You can use this handle in subsequent LSA function calls to administer the local security policy information of the target system.
Tips & Tricks:
Please add some!
Sample Code:
public static uint SetRight( string inAccountName, string inPrivilegeName )
{
uint aWinErrorCode = 0; //contains the last error
//pointer an size for the SID
IntPtr aSid = IntPtr.Zero;
int aSidSize = 0;
//StringBuilder and size for the domain name
StringBuilder aDomainName = new StringBuilder();
int aNameSize = 0;
//account-type variable for lookup
int aAccountType = 0;
//get required buffer size
LookupAccountName( String.Empty, inAccountName, aSid, ref aSidSize, aDomainName, ref aNameSize, ref aAccountType );
//allocate buffers
aDomainName = new StringBuilder( aNameSize );
aSid = Marshal.AllocHGlobal( aSidSize );
//lookup the SID for the account
bool aResult = LookupAccountName( String.Empty, inAccountName, aSid, ref aSidSize, aDomainName, ref aNameSize, ref aAccountType );
if ( aResult )
{
//initialize an empty unicode-string
LSA_UNICODE_STRING aSystemName = new LSA_UNICODE_STRING();
//combine all policies
uint aAccess = (uint)(
LSA_AccessPolicy.POLICY_AUDIT_LOG_ADMIN |
LSA_AccessPolicy.POLICY_CREATE_ACCOUNT |
LSA_AccessPolicy.POLICY_CREATE_PRIVILEGE |
LSA_AccessPolicy.POLICY_CREATE_SECRET |
LSA_AccessPolicy.POLICY_GET_PRIVATE_INFORMATION |
LSA_AccessPolicy.POLICY_LOOKUP_NAMES |
LSA_AccessPolicy.POLICY_NOTIFICATION |
LSA_AccessPolicy.POLICY_SERVER_ADMIN |
LSA_AccessPolicy.POLICY_SET_AUDIT_REQUIREMENTS |
LSA_AccessPolicy.POLICY_SET_DEFAULT_QUOTA_LIMITS |
LSA_AccessPolicy.POLICY_TRUST_ADMIN |
LSA_AccessPolicy.POLICY_VIEW_AUDIT_INFORMATION |
LSA_AccessPolicy.POLICY_VIEW_LOCAL_INFORMATION
);
//initialize a pointer for the policy handle
IntPtr aPolicyHandle = IntPtr.Zero;
//these attributes are not used, but LsaOpenPolicy wants them to exists
LSA_OBJECT_ATTRIBUTES aObjectAttributes = new LSA_OBJECT_ATTRIBUTES();
aObjectAttributes.Length = 0;
aObjectAttributes.RootDirectory = IntPtr.Zero;
aObjectAttributes.Attributes = 0;
aObjectAttributes.SecurityDescriptor = IntPtr.Zero;
aObjectAttributes.SecurityQualityOfService = IntPtr.Zero;
//get a policy handle
uint aOpenPolicyResult = LsaOpenPolicy(ref aSystemName, ref aObjectAttributes, aAccess, out aPolicyHandle);
aWinErrorCode = LsaNtStatusToWinError( aOpenPolicyResult );
if( aWinErrorCode == Win32Constants.STATUS_SUCCESS )
{
//Now that we have the SID an the policy,
//we can add rights to the account.
//initialize an unicode-string for the privilege name
LSA_UNICODE_STRING[] aUserRightsLSAString = new LSA_UNICODE_STRING[1];
aUserRightsLSAString[0] = new LSA_UNICODE_STRING();
aUserRightsLSAString[0].Buffer = Marshal.StringToHGlobalUni( inPrivilegeName );
aUserRightsLSAString[0].Length = ( UInt16 )( inPrivilegeName.Length * UnicodeEncoding.CharSize );
aUserRightsLSAString[0].MaximumLength = ( UInt16 )( ( inPrivilegeName.Length + 1 ) * UnicodeEncoding.CharSize );
//add the right to the account
uint aLSAResult = LsaAddAccountRights( aPolicyHandle, aSid, aUserRightsLSAString, 1 );
aWinErrorCode = LsaNtStatusToWinError( aLSAResult );
LsaClose( aPolicyHandle );
}
FreeSid( aSid );
}
else
{
aWinErrorCode = (uint)GetLastError();
}
return aWinErrorCode;
}
Alternative Managed API:
Do you know one? Please contribute it!
