/// <summary>
/// P/Invoke declaration for advapi32!LsaRemoveAccountRights, which removes one or more
/// account rights (for example a logon-deny right) from the account identified by a SID.
/// </summary>
/// <param name="PolicyHandle">Handle to an LSA Policy object, as returned by LsaOpenPolicy.</param>
/// <param name="AccountSid">Binary SID of the account whose rights are removed.</param>
/// <param name="AllRights">
/// Marshaled as a single byte to match the native BOOLEAN. Per the Windows documentation,
/// passing true removes every right held by the account, deletes the account object from
/// the policy database, and ignores <paramref name="UserRights"/>; pass false to remove
/// only the listed rights.
/// </param>
/// <param name="UserRights">Array of right names to remove.</param>
/// <param name="CountOfRights">Number of entries in <paramref name="UserRights"/>.</param>
/// <returns>
/// An NTSTATUS code; 0 means success. Convert a failure with LsaNtStatusToWinError before
/// building a Win32Exception.
/// </returns>
// NOTE(review): the function reports failure through its NTSTATUS return value, so
// Marshal.GetLastWin32Error() is not the error channel here even though SetLastError
// is requested below. Confirm before relying on it.
[DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
static extern uint LsaRemoveAccountRights(
IntPtr PolicyHandle,
byte[] AccountSid,
[MarshalAs(UnmanagedType.U1)]
bool AllRights,
LSA_UNICODE_STRING[] UserRights,
uint CountOfRights);
' VB.NET declaration for advapi32!LsaRemoveAccountRights.
'   PolicyHandle  - LSA policy handle obtained from LsaOpenPolicy.
'   AccountSid    - pointer to the unmanaged SID of the account to modify.
'   AllRights     - False removes only the rights named in UserRights.
'   UserRights    - passed ByRef as a single LSA_UNICODE_STRING, so this declaration can
'                   describe only one right per call; CountOfRights must then be 1.
'   CountOfRights - number of rights described by UserRights.
' The Integer return value is an NTSTATUS (0 = success); translate failures with
' LsaNtStatusToWinError before raising a Win32Exception.
' NOTE(review): the native AllRights parameter is a one-byte BOOLEAN. Confirm that the
' default Boolean marshaling of a Declare statement is acceptable for it.
Private Declare Unicode Function LsaRemoveAccountRights Lib "advapi32.dll" ( _
ByVal PolicyHandle As IntPtr, _
ByVal AccountSid As IntPtr, _
ByVal AllRights As Boolean, _
ByRef UserRights As LSA_UNICODE_STRING, _
ByVal CountOfRights As Integer _
) As Integer
None.
'NTSTATUS LsaRemoveAccountRights(
' LSA_HANDLE PolicyHandle,
' PSID AccountSid,
' BOOLEAN AllRights,
' PLSA_UNICODE_STRING[] UserRights,
' ULONG CountOfRights
');
The UserRights parameter is really a pointer to an array of LSA_UNICODE_STRING structures; CountOfRights is the number of entries in that array.
' Well-known SID type passed to CreateWellKnownSid to build the "Everyone" SID.
Private WinWorldSid As Integer = 1
' Access mask requested from LsaOpenPolicy.
' NOTE(review): this asks for every policy access right. The Windows documentation for
' LsaRemoveAccountRights lists POLICY_LOOKUP_NAMES as the required right on the handle,
' so a narrower mask would follow least privilege. Confirm against the target systems.
Private POLICY_ALL_ACCESS As Integer = &HF0FFF
' Size in bytes of the unmanaged buffer allocated to receive the SID.
Private SECURITY_MAX_SID_SIZE As Integer = 68
' Name of the account right that AllowTS removes.
Private SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME As String = "SeDenyRemoteInteractiveLogonRight"
' NTSTATUS that AllowTS treats as "nothing to remove" rather than as a failure.
Private NT_STATUS_OBJECT_NAME_NOT_FOUND As Integer = &HC0000034
' NTSTATUS value; not referenced by the sample shown here.
Private STATUS_NO_MORE_ENTRIES As Integer = &H8000001A
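' Remove the Deny permission.
'
' Removes the "SeDenyRemoteInteractiveLogonRight" account right from the well-known
' "Everyone" SID in the LSA policy of the computer named by PC.
'
'   PC - name of the computer whose LSA policy is opened; must not be Nothing.
'
' A status of NT_STATUS_OBJECT_NAME_NOT_FOUND from LsaRemoveAccountRights is treated as
' success. Any other non-zero status, and a failure of CreateWellKnownSid or
' LsaOpenPolicy, is raised as a Win32Exception.
'
' All unmanaged allocations (the SID buffer and both string buffers) and the policy
' handle are released in the Finally block, so nothing leaks on the error paths.
Public Sub AllowTS(ByVal PC As String)
    If PC Is Nothing Then
        Throw New ArgumentNullException("PC")
    End If

    Dim ret, Access, sidsize As Integer
    Dim SystemName, DenyTSRights As LSA_UNICODE_STRING
    Dim ObjectAttr As LSA_OBJECT_ATTRIBUTES
    Dim Policy, EveryoneSID As IntPtr

    Try
        ' build a well-known SID for "Everyone"
        sidsize = SECURITY_MAX_SID_SIZE
        EveryoneSID = Marshal.AllocHGlobal(sidsize)
        If CreateWellKnownSid(WinWorldSid, IntPtr.Zero, EveryoneSID, sidsize) = False Then
            ret = Marshal.GetLastWin32Error()
            Throw New Win32Exception(ret)
        End If

        ' setup the parameters for the LsaOpenPolicy API
        ' (Length excludes the terminating null, MaximumLength includes it)
        ObjectAttr.Length = Marshal.SizeOf(ObjectAttr)
        SystemName.Length = PC.Length * UnicodeEncoding.CharSize
        SystemName.MaximumLength = (PC.Length + 1) * UnicodeEncoding.CharSize
        SystemName.Buffer = Marshal.StringToHGlobalUni(PC)

        ' NOTE(review): POLICY_ALL_ACCESS requests every policy right. The Windows
        ' documentation for LsaRemoveAccountRights lists POLICY_LOOKUP_NAMES as the
        ' required right, so a narrower mask would follow least privilege.
        Access = POLICY_ALL_ACCESS

        ' open a policy handle on the remote PC
        ret = LsaOpenPolicy(SystemName, ObjectAttr, Access, Policy)
        If ret <> 0 Then
            Throw New Win32Exception(LsaNtStatusToWinError(ret))
        End If

        ' Setup the input parameters for the LsaRemoveAccountRights API
        DenyTSRights.Length = SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME.Length * UnicodeEncoding.CharSize
        DenyTSRights.MaximumLength = (SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME.Length + 1) * UnicodeEncoding.CharSize
        DenyTSRights.Buffer = Marshal.StringToHGlobalUni(SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME)

        ' do it! AllRights is False so that only the single named right is removed.
        ret = LsaRemoveAccountRights(Policy, EveryoneSID, False, DenyTSRights, 1)

        ' "Object name not found" means there was nothing to remove; treat it as success.
        If ret <> 0 AndAlso ret <> NT_STATUS_OBJECT_NAME_NOT_FOUND Then
            Throw New Win32Exception(LsaNtStatusToWinError(ret))
        End If
    Finally
        ' clean up on every path, including the exceptions thrown above
        If Policy <> IntPtr.Zero Then
            LsaClose(Policy)
        End If
        If DenyTSRights.Buffer <> IntPtr.Zero Then
            Marshal.FreeHGlobal(DenyTSRights.Buffer)
        End If
        If SystemName.Buffer <> IntPtr.Zero Then
            Marshal.FreeHGlobal(SystemName.Buffer)
        End If
        If EveryoneSID <> IntPtr.Zero Then
            Marshal.FreeHGlobal(EveryoneSID)
        End If
    End Try
End Sub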