LsaRemoveAccountRights (advapi32)
Summary
The LsaRemoveAccountRights function removes one or more privileges from an account.

C# Signature:

    [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
    static extern uint LsaRemoveAccountRights(
        IntPtr PolicyHandle,
        byte[] AccountSid,
        [MarshalAs(UnmanagedType.U1)] bool AllRights,
        LSA_UNICODE_STRING[] UserRights,
        uint CountOfRights);

VB Signature:

    Private Declare Unicode Function LsaRemoveAccountRights Lib "advapi32.dll" ( _
        ByVal PolicyHandle As IntPtr, _
        ByVal AccountSid As IntPtr, _
        ByVal AllRights As Boolean, _
        ByRef UserRights As LSA_UNICODE_STRING, _
        ByVal CountOfRights As Integer _
    ) As Integer

User-Defined Types:

LSA_UNICODE_STRING (for UserRights). The sample code below also uses LSA_OBJECT_ATTRIBUTES for LsaOpenPolicy.

Alternative Managed API:

Do you know one? Please contribute it!

Notes:

The native prototype is:

    NTSTATUS LsaRemoveAccountRights(
      LSA_HANDLE PolicyHandle,
      PSID AccountSid,
      BOOLEAN AllRights,
      PLSA_UNICODE_STRING UserRights,
      ULONG CountOfRights
    );

Tips & Tricks:

    The UserRights parameter is really a pointer to an array of LSA_UNICODE_STRING structures, one per right name
    (for example "SeDenyRemoteInteractiveLogonRight"), and CountOfRights is the number of elements in that array.
    In C# declare it as LSA_UNICODE_STRING[]; in VB pass the first element ByRef.

    When AllRights is TRUE the function ignores UserRights/CountOfRights, removes every right from the account
    and deletes the account's LSA object. Pass FALSE to remove only the named rights.

    The return value is an NTSTATUS, not a Win32 error, so Marshal.GetLastWin32Error() is not meaningful here;
    convert it with LsaNtStatusToWinError before wrapping it in a Win32Exception. STATUS_OBJECT_NAME_NOT_FOUND
    (&HC0000034) means the account holds no rights at all, which callers usually treat as "nothing to remove".

    The policy handle only needs the POLICY_LOOKUP_NAMES access right for this call; there is no reason to open
    the policy with POLICY_ALL_ACCESS.
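The following C# program is an added example and is not code from the original pinvoke.net page. It shows the array marshalling the tip above describes by removing two rights from one account in a single call, then re-reading the account's rights with LsaEnumerateAccountRights to confirm the result. It assumes Windows, an elevated process, the local LSA (SystemName = NULL), and the LSA_UNICODE_STRING and LSA_OBJECT_ATTRIBUTES layouts defined inline; the account and right names in Main are an assumed scenario.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not the original page's code): remove several rights at once and verify.
static class LsaRights
{
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_UNICODE_STRING
    {
        public ushort Length;        // bytes, excluding the terminating NUL
        public ushort MaximumLength; // bytes, including the terminating NUL
        public IntPtr Buffer;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct LSA_OBJECT_ATTRIBUTES
    {
        public int Length;
        public IntPtr RootDirectory, ObjectName;
        public uint Attributes;
        public IntPtr SecurityDescriptor, SecurityQualityOfService;
    }

    // Least privilege: both LSA calls below only need POLICY_LOOKUP_NAMES, not POLICY_ALL_ACCESS.
    const uint POLICY_LOOKUP_NAMES = 0x00000800;
    // Returned when the account has no LSA object, i.e. no rights assigned at all.
    const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034;

    [DllImport("advapi32.dll")]
    static extern uint LsaOpenPolicy(IntPtr SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
                                     uint DesiredAccess, out IntPtr PolicyHandle);
    [DllImport("advapi32.dll")]
    static extern uint LsaRemoveAccountRights(IntPtr PolicyHandle, byte[] AccountSid,
        [MarshalAs(UnmanagedType.U1)] bool AllRights, LSA_UNICODE_STRING[] UserRights, uint CountOfRights);
    [DllImport("advapi32.dll")]
    static extern uint LsaEnumerateAccountRights(IntPtr PolicyHandle, byte[] AccountSid,
                                                 out IntPtr UserRights, out uint CountOfRights);
    [DllImport("advapi32.dll")] static extern uint LsaFreeMemory(IntPtr Buffer);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr ObjectHandle);
    [DllImport("advapi32.dll")] static extern int LsaNtStatusToWinError(uint Status);

    // NTSTATUS, not a Win32 error: translate before throwing.
    static void Check(uint status)
    {
        if (status != 0) throw new Win32Exception(LsaNtStatusToWinError(status));
    }

    static IntPtr OpenLocalPolicy()
    {
        var attrs = new LSA_OBJECT_ATTRIBUTES { Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES)) };
        IntPtr policy;
        Check(LsaOpenPolicy(IntPtr.Zero, ref attrs, POLICY_LOOKUP_NAMES, out policy));
        return policy;
    }

    static byte[] SidBytes(SecurityIdentifier sid)
    {
        var bytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(bytes, 0);
        return bytes;
    }

    // One LSA_UNICODE_STRING per right name; the Buffer must be freed by the caller.
    static LSA_UNICODE_STRING ToLsaString(string s)
    {
        return new LSA_UNICODE_STRING
        {
            Length = checked((ushort)(s.Length * 2)),
            MaximumLength = checked((ushort)((s.Length + 1) * 2)),
            Buffer = Marshal.StringToHGlobalUni(s),
        };
    }

    public static void RemoveRights(SecurityIdentifier account, params string[] rights)
    {
        IntPtr policy = OpenLocalPolicy();
        var names = new LSA_UNICODE_STRING[rights.Length];
        try
        {
            for (int i = 0; i < rights.Length; i++) names[i] = ToLsaString(rights[i]);
            // AllRights = false: remove only the named rights; true would also delete the account's LSA object.
            uint status = LsaRemoveAccountRights(policy, SidBytes(account), false, names, (uint)names.Length);
            if (status != STATUS_OBJECT_NAME_NOT_FOUND) Check(status); // no rights held: nothing to remove
        }
        finally
        {
            foreach (var n in names) if (n.Buffer != IntPtr.Zero) Marshal.FreeHGlobal(n.Buffer);
            LsaClose(policy);
        }
    }

    public static List<string> EnumerateRights(SecurityIdentifier account)
    {
        var result = new List<string>();
        IntPtr policy = OpenLocalPolicy(), buf = IntPtr.Zero;
        try
        {
            uint count;
            uint status = LsaEnumerateAccountRights(policy, SidBytes(account), out buf, out count);
            if (status == STATUS_OBJECT_NAME_NOT_FOUND) return result;
            Check(status);
            int size = Marshal.SizeOf(typeof(LSA_UNICODE_STRING));
            for (int i = 0; i < count; i++)
            {
                var s = (LSA_UNICODE_STRING)Marshal.PtrToStructure(buf + i * size, typeof(LSA_UNICODE_STRING));
                result.Add(Marshal.PtrToStringUni(s.Buffer, s.Length / 2));
            }
            return result;
        }
        finally
        {
            if (buf != IntPtr.Zero) LsaFreeMemory(buf); // LSA allocated the array, LSA frees it
            LsaClose(policy);
        }
    }

    static void Main()
    {
        // Assumed scenario: clear two deny rights from Everyone on the local machine.
        var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
        RemoveRights(everyone, "SeDenyRemoteInteractiveLogonRight", "SeDenyNetworkLogonRight");
        foreach (string r in EnumerateRights(everyone)) Console.WriteLine(r);
    }
}
```

Removing a deny right loosens access control, so the enumeration step is worth keeping in real code: it lets you log exactly which rights the account still holds after the change.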

VB.Net Sample Code:

    Private WinWorldSid As Integer = 1
    Private POLICY_LOOKUP_NAMES As Integer = &H800    ' the only access right LsaRemoveAccountRights needs
    Private POLICY_ALL_ACCESS As Integer = &HF0FFF
    Private SECURITY_MAX_SID_SIZE As Integer = 68
    Private SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME As String = "SeDenyRemoteInteractiveLogonRight"
    Private NT_STATUS_OBJECT_NAME_NOT_FOUND As Integer = &HC0000034   ' account holds no rights at all
    Private STATUS_NO_MORE_ENTRIES As Integer = &H8000001A

    ' Remove the "Deny log on through Remote Desktop Services" right from Everyone on PC.
    ' Assumes LSA_UNICODE_STRING, LSA_OBJECT_ATTRIBUTES, CreateWellKnownSid, LsaOpenPolicy,
    ' LsaNtStatusToWinError and LsaClose are declared elsewhere in the module.
    Public Sub AllowTS(ByVal PC As String)
        Dim ret, Access, sidsize As Integer
        Dim SystemName, DenyTSRights As LSA_UNICODE_STRING
        Dim ObjectAttr As LSA_OBJECT_ATTRIBUTES
        Dim Policy As IntPtr = IntPtr.Zero
        Dim EveryoneSID As IntPtr = IntPtr.Zero

        Try
            ' build a well-known SID for "Everyone"
            sidsize = SECURITY_MAX_SID_SIZE
            EveryoneSID = Marshal.AllocHGlobal(sidsize)
            If CreateWellKnownSid(WinWorldSid, IntPtr.Zero, EveryoneSID, sidsize) = False Then
                ret = Marshal.GetLastWin32Error()
                Throw New Win32Exception(ret)
            End If

            ' setup the parameters for the LsaOpenPolicy API; request only the access this call needs
            ObjectAttr.Length = Marshal.SizeOf(ObjectAttr)
            SystemName.Length = PC.Length * UnicodeEncoding.CharSize
            SystemName.MaximumLength = (PC.Length + 1) * UnicodeEncoding.CharSize
            SystemName.Buffer = Marshal.StringToHGlobalUni(PC)
            Access = POLICY_LOOKUP_NAMES

            ' open a policy handle on the remote PC, freeing the name buffer whether or not it succeeds
            Try
                ret = LsaOpenPolicy(SystemName, ObjectAttr, Access, Policy)
            Finally
                Marshal.FreeHGlobal(SystemName.Buffer)
            End Try
            If ret <> 0 Then
                Throw New Win32Exception(LsaNtStatusToWinError(ret))
            End If

            ' Setup the input parameters for the LsaRemoveAccountRights API
            DenyTSRights.Length = SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME.Length * UnicodeEncoding.CharSize
            DenyTSRights.MaximumLength = (SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME.Length + 1) * UnicodeEncoding.CharSize
            DenyTSRights.Buffer = Marshal.StringToHGlobalUni(SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME)

            ' do it! AllRights = False removes only the one named right and leaves the account's other rights alone
            Try
                ret = LsaRemoveAccountRights(Policy, EveryoneSID, False, DenyTSRights, 1)
            Finally
                Marshal.FreeHGlobal(DenyTSRights.Buffer)
            End Try
            ' OBJECT_NAME_NOT_FOUND means Everyone has no rights assigned, so there is nothing to remove
            If ret <> 0 AndAlso ret <> NT_STATUS_OBJECT_NAME_NOT_FOUND Then
                Throw New Win32Exception(LsaNtStatusToWinError(ret))
            End If
        Finally
            ' clean up the policy handle and the SID buffer on every path, including exceptions
            If Policy <> IntPtr.Zero Then LsaClose(Policy)
            If EveryoneSID <> IntPtr.Zero Then Marshal.FreeHGlobal(EveryoneSID)
        End Try
    End Sub

Documentation